Ask Your Question
0

WS cannot identify HTTP packets

asked 2019-03-03 14:15:29 +0000

Gene gravatar image

updated 2019-03-03 14:30:58 +0000

What's wrong with attached packets? They look like part of HTTP POST request but WS doesn't show this https://drive.google.com/open?id=1TSu...

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-03-04 17:31:24 +0000

Kurt Knochner gravatar image

That's HTTP on port 8080 and it decodes in my Wireshark installation. So, either your HTTP protocol settings don't have port 8080 or you're decoding port 8080 to something else.

So, either add 8080 to 

Edit -> Preferences -> Protocols -> HTTP -> TCP port(s)

or add/delete a Decode as option for port 8080.

Right click a packet and choose **Decode as**

Regards
Kurt

edit flag offensive delete link more

Comments

unpacked http1.pcap.gz and opened http1.pcap in WS followed TCP stream (tcp.stream eq. 0) with right mouse click, menu selection and what I get is (no threats found with 360 total security) the following code: " POST /opt/in/RepProducedProduct_v3 HTTP/1.0 content-type: multipart/form-data; boundary=8480CD4A34728DC5929AA124D9FFA1FB0 content-length: 17273716 user-agent: SAP NetWeaver Application Server (1.0;752) host: 10.0.2.152:8080 accept: /

--8480CD4A34728DC5929AA124D9FFA1FB0 Content-Type: application/xml Content-Disposition: form-data; name="xml_file"; filename="test.xml"

<ns:documents xmlns:ns="http://fsrar.ru/WEGAIS/WB_DOC_SINGLE_01" xmlns:rpp="http://fsrar.ru/WEGAIS/RepProducedProduct_v3" xmlns:oref2="http://fsrar.ru/WEGAIS/ClientRef_v2" xmlns:ce3="http://fsrar.ru/WEGAIS/CommonV3" xmlns:pref2="http://fsrar.ru/WEGAIS/ProductRef_v2"> <ns:owner> <ns:fsrar_id>010060693343</ns:fsrar_id> </ns:owner> <ns:document> <ns:repproducedproduct_v3> <rpp:identity>0000000067</rpp:identity> <rpp:header> <rpp:type>OperProduction</rpp:type> <rpp:number>0000000067</rpp:number> <rpp:date>2019-02-16</rpp:date> <rpp:produceddate>2019-02-15</rpp ...(more)

darius gravatar imagedarius ( 2019-03-04 20:39:53 +0000 )edit

follow up:

not sure why these entries are not shown: ... ... <ce3:amc>108400090979201018001OTBTSFSBPUXZHEEOR7S7D7Y77YDD6HZ7LEKK55FWQNIBBY57TZR5YUPJZCPXN7RIN2N6HDJLVP3OF56G3TEIOZKLGHKNQQA77NUD4NKOGGHRXP6DAOMBD6ZCZA3EM4PKQ</ce3:amc>

darius gravatar imagedarius ( 2019-03-04 20:42:12 +0000 )edit

They look like part of HTTP POST request

and that's what you get, based on your first comment. Maybe I don't understand your problem. Can you please rephrase?

A screenshot could help as well.

Kurt Knochner gravatar imageKurt Knochner ( 2019-03-05 06:15:53 +0000 )edit

Port 8080 is already configured (by default) and WS successfully parses neighboring requests to the same port. There must be a specific problem with these frames. I know for sure it's a POST request with multipart form attached.

Gene gravatar imageGene ( 2019-03-05 07:36:32 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2019-03-03 14:15:29 +0000

Seen: 961 times

Last updated: Mar 04 '19