
[Wireshark-users] Problem with XML Dissector

From: Alexandre Vieira <nullpt@xxxxxxxxx>
Date: Wed, 13 Oct 2010 16:26:30 +0100
Hi list,

I'm having trouble dissecting an HTTP POST that comes with "Content-encoded entity body (gzip)" from the client side.

I'm using TShark 1.0.13
Compiled with GLib 2.4.1, with libpcap 1.1.1, with libz 1.2.3, without POSIX
capabilities, with libpcre 8.2, without SMI, with ADNS, without Lua, without
GnuTLS, without Gcrypt, without Kerberos.

Running on SunOS 5.10, with libpcap version 1.1.1.

Built using gcc 3.4.3 (csl-sol210-3_4-branch+sol_rpath).

All requests that are submitted without gzip compression are dissected correctly.

I'm using tshark like:

$ /usr/local/bin/tshark -o tcp.check_checksum:false -r  /tmp/mycap_test.cap -V -d tcp.port==10010,http

The requests that are dissected correctly:

Hypertext Transfer Protocol
    POST /App HTTP/1.1\r\n
        Request Method: POST
        Request URI: /App
        Request Version: HTTP/1.1
    Content-Type: text/xml\r\n
    User-Agent: CLIENT1/3.0/1.0\r\n
    Authorization: Basic XXXXXXXXXXXXXXXXXXXX\r\n
        Credentials: xxxxxx:xxxxxx
    Content-Length: 561\r\n
        [Content length: 561]
    Cache-Control: no-cache\r\n
    Pragma: no-cache\r\n
    Host: 192.168.87.8:10010\r\n
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n
    Connection: keep-alive\r\n
    \r\n
eXtensible Markup Language
    <?xml
        version="1.0"
        encoding="UTF-8"
        ?>
(....................................................)

The requests that don't work:

Hypertext Transfer Protocol
    POST /App HTTP/1.1\r\n
        Request Method: POST
        Request URI: /App
        Request Version: HTTP/1.1
    Content-Type: text/xml\r\n
    User-Agent: CLIENT2/3.0/1.0\r\n
    Authorization: Basic XXXXXXXXXXXXXXXXXXXX\r\n
        Credentials: xxxxxx:xxxxxx
    Content-Encoding: gzip\r\n
    Accept-Encoding: gzip\r\n
    Content-Length: 566\r\n
        [Content length: 566]
    Cache-Control: no-cache\r\n
    Pragma: no-cache\r\n
    Host: 192.168.87.8:10010\r\n
    Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n
    Connection: keep-alive\r\n
    \r\n
    Content-encoded entity body (gzip): 566 bytes
        Data (566 bytes)

0000  3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31   <?xml version="1
0010  2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 69 73   .0" encoding="is
0020  6f 2d 38 38 35 39 2d 31 22 3f 3e 3c 6d 65 74 68   o-8859-1"?><meth

(.......................................)

Can anyone shed some light on this?

Thanks in advance!

BR
--
Alexandre Vieira - nullpt@xxxxxxxxx
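Editor's note: an added example, not code from the poster or from the Wireshark project. The hex dump in the second request is worth a second look: a body that really is gzip-compressed starts with the two magic bytes 1f 8b (RFC 1952), but this one starts with "<?xml", i.e. the client declares "Content-Encoding: gzip" and then sends plain XML. A dissector that trusts the header tries to inflate the bytes, fails, and can only show them as raw data. The script below reproduces that check outside Wireshark: it parses a raw HTTP/1.1 request, compares the declared Content-Encoding with the actual body bytes, and decompresses only when the two agree. The request lines, the XML payload and the gzip/truncated variants are all constructed for this example and are not the data from the capture.

```python
"""Check whether an HTTP entity body declared as Content-Encoding: gzip is
really gzip data, and decompress it only when it is.
Constructed example; not Wireshark code and not the poster's data."""
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip member (RFC 1952)

# Constructed sample payload (not the XML from the capture in the post).
SAMPLE_XML = b'<?xml version="1.0" encoding="iso-8859-1"?><request><op>ping</op></request>'
SAMPLE_GZIP = gzip.compress(SAMPLE_XML)


def build_request(body: bytes, content_encoding: str = "") -> bytes:
    """Assemble a minimal HTTP/1.1 POST in the shape shown in the post (constructed)."""
    headers = [
        b"POST /App HTTP/1.1",
        b"Content-Type: text/xml",
        b"Host: 192.168.87.8:10010",
        b"Content-Length: " + str(len(body)).encode("ascii"),
    ]
    if content_encoding:
        headers.append(b"Content-Encoding: " + content_encoding.encode("ascii"))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def parse_request(raw: bytes):
    """Split a raw request into (request line, lowercase header dict, body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")  # split on the first colon only
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    # Honour Content-Length so trailing bytes on the wire are not treated as body.
    length = int(headers.get("content-length", len(rest)))
    return lines[0].decode("ascii"), headers, rest[:length]


def classify_body(headers: dict, body: bytes) -> str:
    """Compare the declared encoding with what the bytes actually are.

    Returns 'identity', 'gzip-ok', 'gzip-mismatch' (declared gzip but the body
    is plain text, which is what the hex dump in the post shows) or
    'gzip-corrupt' (gzip magic present but the stream does not inflate).
    """
    if headers.get("content-encoding", "identity").lower() != "gzip":
        return "identity"
    if not body.startswith(GZIP_MAGIC):
        return "gzip-mismatch"
    try:
        gzip.decompress(body)
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is an OSError
        return "gzip-corrupt"
    return "gzip-ok"


def decoded_body(raw: bytes):
    """Return (classification, decoded body or None) for a raw request."""
    _, headers, body = parse_request(raw)
    status = classify_body(headers, body)
    if status == "identity":
        return status, body
    if status == "gzip-ok":
        return status, gzip.decompress(body)
    return status, None  # nothing to decode; a dissector can only show raw bytes


if __name__ == "__main__":
    cases = {
        "plain body, no encoding header": build_request(SAMPLE_XML),
        "declared gzip, plain body": build_request(SAMPLE_XML, "gzip"),
        "declared gzip, real gzip": build_request(SAMPLE_GZIP, "gzip"),
        "declared gzip, truncated gzip": build_request(SAMPLE_GZIP[:-4], "gzip"),
    }
    for name, raw in cases.items():
        status, decoded = decoded_body(raw)
        print(f"{name:32s} -> {status:13s} {decoded[:40] if decoded else b''!r}")
```

Run it against the "declared gzip, plain body" case and you get "gzip-mismatch", the same situation as the second request in the post: the header lies about the body, so there is nothing for a gzip-aware dissector to inflate. The point for the capture is that the first two bytes after the blank line decide the question before any decompression is attempted, and the same two-byte check is a cheap way to confirm in a hex dump whether a client is actually compressing what it claims to.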