WS cannot identify HTTP packets

asked 2019-03-03 14:15:29 +0000

Gene

updated 2019-03-03 14:30:58 +0000

What's wrong with the attached packets? They look like part of an HTTP POST request, but WS doesn't show this.

1 Answer

answered 2019-03-04 17:31:24 +0000

Kurt Knochner

That's HTTP on port 8080 and it decodes in my Wireshark installation. So, either your HTTP protocol settings don't have port 8080 or you're decoding port 8080 to something else.

So, either add 8080 to

Edit -> Preferences -> Protocols -> HTTP -> TCP port(s)

or add/delete a Decode as option for port 8080.

Right click a packet and choose **Decode as**



unpacked http1.pcap.gz and opened http1.pcap in WS, followed TCP stream (eq. 0) with right mouse click, menu selection, and what I get is (no threats found with 360 total security) the following code:

```
POST /opt/in/RepProducedProduct_v3 HTTP/1.0
content-type: multipart/form-data; boundary=8480CD4A34728DC5929AA124D9FFA1FB0
content-length: 17273716
user-agent: SAP NetWeaver Application Server (1.0;752)
host:
accept: /

--8480CD4A34728DC5929AA124D9FFA1FB0
Content-Type: application/xml
Content-Disposition: form-data; name="xml_file"; filename="test.xml"

<ns:documents xmlns:ns="" xmlns:rpp="" xmlns:oref2="" xmlns:ce3="" xmlns:pref2="">
<ns:owner>
<ns:fsrar_id>010060693343</ns:fsrar_id>
</ns:owner>
<ns:document>
<ns:repproducedproduct_v3>
<rpp:identity>0000000067</rpp:identity>
<rpp:header>
<rpp:type>OperProduction</rpp:type>
<rpp:number>0000000067</rpp:number>
<rpp:date>2019-02-16</rpp:date>
<rpp:produceddate>2019-02-15</rpp ...
```

darius ( 2019-03-04 20:39:53 +0000 )

follow up:

not sure why these entries are not shown: ... ... <ce3:amc>108400090979201018001OTBTSFSBPUXZHEEOR7S7D7Y77YDD6HZ7LEKK55FWQNIBBY57TZR5YUPJZCPXN7RIN2N6HDJLVP3OF56G3TEIOZKLGHKNQQA77NUD4NKOGGHRXP6DAOMBD6ZCZA3EM4PKQ</ce3:amc>

darius ( 2019-03-04 20:42:12 +0000 )

> They look like part of HTTP POST request

and that's what you get, based on your first comment. Maybe I don't understand your problem. Can you please rephrase?

A screenshot could help as well.

Kurt Knochner ( 2019-03-05 06:15:53 +0000 )

Port 8080 is already configured (by default) and WS successfully parses neighboring requests to the same port. There must be a specific problem with these frames. I know for sure it's a POST request with multipart form attached.

Gene ( 2019-03-05 07:36:32 +0000 )
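
A command-line version of the check suggested in the answer, as an added example that is not part of the original thread: for each TCP stream on the port, it compares tshark's default dissection with a forced "Decode As HTTP" (`-d`), which separates a port-mapping problem from a problem specific to certain streams. It assumes tshark is on PATH and reads the same profile as the Wireshark GUI; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes tshark is installed and
# uses the same preferences/Decode As profile as the Wireshark GUI.

# List the TCP stream indexes that match a display filter, sorted, unique.
# Usage: streams PCAP FILTER [extra tshark options...]
streams() {
    pcap=$1 filter=$2; shift 2
    tshark -r "$pcap" "$@" -Y "$filter" -T fields -e tcp.stream 2>/dev/null | sort -u
}

# For every stream on PORT in which no HTTP request is dissected, say
# whether forcing "Decode As HTTP" on that port makes the request appear.
# Usage: check_http_port PCAP PORT
check_http_port() {
    pcap=$1 port=$2
    all=$(mktemp) dflt=$(mktemp) forced=$(mktemp)
    req="tcp.port == $port && http.request"

    streams "$pcap" "tcp.port == $port" > "$all"             # every stream on the port
    streams "$pcap" "$req" > "$dflt"                         # current profile
    streams "$pcap" "$req" -d "tcp.port==$port,http" > "$forced"  # forced HTTP

    # comm -23: streams present on the port but without an HTTP request.
    for s in $(comm -23 "$all" "$dflt"); do
        if grep -qx "$s" "$forced"; then
            echo "stream $s: HTTP only when forced (check port $port preference / Decode As)"
        else
            echo "stream $s: no HTTP request even when forced (port mapping is not the cause)"
        fi
    done
    rm -f "$all" "$dflt" "$forced"
}

# Stand-alone use: ./check.sh http1.pcap 8080
if [ "$#" -eq 2 ]; then
    check_http_port "$1" "$2"
fi
```

No output means every stream on the port already yields an HTTP request under the current profile.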



Asked: 2019-03-03 14:15:29 +0000

Seen: 123 times

Last updated: Mar 04 '19