OSQA is unmaintained. Help us figure out where to go from here.

I have a pcap of websocket traffic . how can i see clear payload meaning after deflat masking .... actually i have a couple of question but first a bit of info i can see that both client and server agree on the flag premessage-deflate in addition the client sent client_max_window_bits without number (i assume by default its 32k window right???) another info : some of the packets are masked

additional question : do you do the decompression after unmasking the payload or after ? what octets do you decompress (i assume everything after the websocket header)? before decompressing do i need to add decompressing headers like 0x78 0x01 ? do you know any python library that can do it for me ?


asked 18 May, 13:57

saeedh's gravatar image

accept rate: 0%

Support for this is currently missing in the Websocket dissector. Until it gets implemented, you could try to manually decompress it. Here is an example for Python 3, the websocket_payload_packet_X variables contain the unmasked binary websocket.payload data (replace it accordingly):

#!/usr/bin/env python3
import zlib

websocket_payload_packet_1 = bytes.fromhex("""
""".replace("\n", ""))

websocket_payload_packet_2 = bytes.fromhex("""
""".replace("\n", ""))

websocket_payload_packet_3 = bytes.fromhex("""
""".replace("\n", ""))

# Data from frame 1
data = websocket_payload_packet_1
# Needed per spec (https://tools.ietf.org/html/rfc7692#section-7.2.2)
data += b'\0\0\xff\xff'
data += websocket_payload_packet_2
data += b'\0\0\xff\xff'
data += websocket_payload_packet_3
data += b'\0\0\xff\xff'

z = zlib.decompressobj(wbits=-15)
out = z.decompress(data)

A variant of this (with actual valid data) was successfully tested (I just stripped it here because it could be sensitive data).

If you want to help, you could open an enhancement request and provide a small capture sample in the issue tracker at: https://bugs.wireshark.org/bugzilla/

permanent link

answered 23 May, 09:45

Lekensteyn's gravatar image

accept rate: 31%

edited 23 May, 09:46

thanks a lot this worked

(23 May, 11:21) saeedh
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 18 May, 13:57

question was seen: 193 times

last updated: 23 May, 11:21

p​o​w​e​r​e​d by O​S​Q​A