Search in 'Uncompressed entity body'

asked 2022-03-09 16:44:32 +0000

updated 2022-03-09 17:21:16 +0000

Hi, I have a packet exchange where the remote sends gzip-compressed data. I am trying to search the data for specific strings, and 'Find/String/Packet bytes' does not work. In display filter I am using a filter like http and data-text-lines contains "table_name", and it doesn't find anything.
I have attached an image with one of the packets shown containing "table_name" in the uncompressed entity body, and another image showing the filter and results (none). Is this the correct way to find data in the uncompressed part, or should I try something else? Apparently I don't have enough points to upload an image.
Thanks in advance for your time.
Greg

answered 2022-03-09 17:58:13 +0000

Chuckc
2858 ●5 ●567 ●19

http.file_data contains "table_name"

This question (Display “Uncompressed entity body” like old tshark did with the -x option) has a link to a test site: http://httpbin.org/gzip

Make a packet capture when browsing to it then search for:

frame contains "Trace"

no packets are found.
Seaching for :

http.file_data contains "Trace"

finds the packet with the unencoded data.

edit flag offensive delete link

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Search in 'Uncompressed entity body'

1 Answer

Your Answer

Question Tools

Stats

Related questions

Search in 'Uncompressed entity body' edit

1 Answer

Your Answer

Question Tools

Stats

Related questions

Search in 'Uncompressed entity body'