Ask Your Question

web socket decompressing issue

asked 2023-05-23 14:32:02 +0000

hhtboy gravatar image

updated 2023-05-23 14:34:55 +0000

Hello, I'm building my own packet capture program using libpcap with c++. I wanted to capture a web socket protocol. I faced a problem while captureing it. I am using stomp library, and using permessage-deflate.

I looked at structure of web socket protocol. I successfully unmasked payload data using mask key. It looked just the same as wireshark's unmasked data. But the problem is here.

I heard that web socket protocol uses deflate compression to compress data. So I tried to decompress data which I already have unmasked. I used zlib that chatGPT gave me. But It kept saying error -3: data error. It says that data I tried to decompress is not a compressed data.

I also tried to compress data using zlib, but the result was different from wireshark's compressed data.

I want to know how wireshark successfully decompress data using deflate algorithm. I also want to know how to code it.

plz help me this is killing me for days..

below is hex stream data Decompressed payload(115bytes) : 53454e440a64657374696e6174696f6e3a2f7075622f636861740a636f6e74656e742d6c656e6774683a36380a0a7b2273656e646572223a22686874626f79222c20226368616e6e656c4964223a3630302c202263686174223a2268656c6c6f222c202274696d65223a2231303a3030227d00

Unmasked data(88bytes) : 0a76f5734155500055c0959c9f57929a57a29b939a975e92616566c1c555ad549c9a97925aa464a594915192945fa9a4a3a004549c97979ae399a204720544a004a4223527271fa4a024333715c83734b0323050aa650000

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2023-05-23 15:59:23 +0000

grahamb gravatar image

The dissector for websocket is here, maybe the function websocket_uncompress() helps.

Note that zlib is a "stream" compressor, you can't decompress a fragment in isolation, you need to have all fragments from the beginning of the stream. Some info on zlib operation can be found here.

edit flag offensive delete link more


Thank you for your answer. I checked zlib's code and aplied to my captured data. Here is the result.

  1. below is original uncompressed data

0000000 4553 444e 640a 7365 6974 616e 6974 6e6f
0000010 2f3a 7570 2f62 6863 7461 630a 6e6f 6574
0000020 746e 6c2d 6e65 7467 3a68 3237 0a0a 227b
0000030 6573 646e 7265 3a22 2220 6868 6274 796f
0000040 2c22 2220 6863 6e61 656e 496c 2264 203a
0000050 3036 2c30 2220 6863 7461 3a22 2220 6568
0000060 6c6c 226f 202c 7422 6d69 2265 203a 3122
0000070 3a30 3030 7d22 0000

  1. this is compressed data using example code using zlib

0000000 9c78 ca25 0ab1 3083 0610 cee0 0a79 d9b9
0000010 e9e2 2160 3b73 7174 09f1 1cd4 9026 8a5e
0000020 1dfe 7c44 b577 1fae fb5f 9e6a c9c6 a08c
0000030 421d 5b52 7f7c 317d 0ef8 4866 510a a3dc
0000040 08e8 1f6f 3195 cd2b 4ea2 b226 7919 3e8f
0000050 942d ...(more)

hhtboy gravatar imagehhtboy ( 2023-05-23 17:36:16 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2023-05-23 14:32:02 +0000

Seen: 401 times

Last updated: May 23 '23