I've captured some http packets and want to find out which ones contain some string. I use "Edit->Find Packet" with "Packet bytes" option selected, but it doesn't find anything because the data is compressed (Content-Encoding: gzip). When I search in "Packet details", it doesn't find everything because some lines are too long and get truncated.

Is there any way to search in uncompressed packet bytes?

asked 08 Oct '11, 11:56

humanista


My first suggestion would have been to use "http contains <xxx>", but "http" only points to the compressed data. Digging a little deeper gives me a second suggestion that does seem to work. The uncompressed data is put in a new TVB and in the packet-details pane the dissection is listed under "data-text-lines". So you can use the (search or display) filter:

http and data-text-lines contains "<XXX>"

Hope this works for you!


answered 09 Oct '11, 00:43


SYN-bit ♦♦

'http and data-text-lines contains "string"' works perfectly. Thank you very much!

(09 Oct '11, 10:41) humanista

(converted your "answer" to a "comment" please see the FAQ for details)

(09 Oct '11, 13:32) SYN-bit ♦♦

Asked: 08 Oct '11, 11:56

Seen: 1,249 times

Last updated: 09 Oct '11, 13:32
