This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cant read line based text data

0

I'm trying to read a post request which got captured using wireshark.

Now i was wondering, if there's a way to make the packet content readable, such as requests in fiddler to have readable data?

I would appreciate any kind of suggestions.

The Line-based Text data: application/json isnt readable also as you can see in this screenshot:

alt text

I would appreciate any kind of suggestions.

The captures packet(Wireshark->Follow TCP Stream) looks like the following: https://pastebin.com/h2kvaBYY

I would appreciate any kind of suggestions.

asked 21 May '17, 05:59

d4ne's gravatar image

d4ne
6113
accept rate: 0%

Could we either see more of the dissection, or the raw packet capture (not the results of Follow TCP Stream)? That way we can determine whether, for example, the data in question is encrypted, or compressed, or transformed in some other fashion that turns JSON text into binary data, as that's what appears to have happened.

(21 May '17, 17:45) Guy Harris ♦♦

Heres one: https://pastebin.com/rE61rReD and https://pastebin.com/0RvEP7p0 and a response to that request: https://pastebin.com/bBETmND4

(22 May '17, 03:58) d4ne

2 Answers:

0

Go to menu File | Export Objects | HTTP... That gives you the opportunity to save the object in a file, to be opened with the applicable program for that MIME type.

answered 21 May '17, 06:53

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Yes, i did that before also. Some of those show up perfectly, others sadly like this:

*”cRkü´)ý¢ˆ?VóSN‘Ç Lè5–Í Ç î?ö\D~hƒöuvÁÙéuy\ŒIJ–ÍOá“I[›”&Qu”LééiúDÈÛî¨aKˆ„-NF”t¹UgT<Ë·Þ|–÷fKªÿjõâj?bÅÁoäZÍ çwºÌBwUã}¼Ñz&??Œ3œé?øˆAKL’ãutb‚¶?R`?¨å>Œº!ݪù^éQ'Pka ˜Ìßú-æ,^–mo«´¨ª´'Lëù嚣èzê»7ÿ»±p˜ú.PW˜Ý7µrÍ(­Ï@ñe†ÞéAšb ¶dþ~.Or§çàñ|è™üv-+ê†rîôèj§Ä4¦Ý´>ÎSD¹M‚èÒO}=ú˜R´p½…Ü£DCŠ ±7çmš"ÙM¤[email protected]¼†èî~Ê[email protected]½‡<q͇ò±˜„I™ìJОO¸?k«Ï wbͨ¸ôgû?ÉΈœ J»ÕýIÆ»6«¶·¶‰4?ª/§£S7àáŒÔTv

What could cause this? Maybe beeing json files at all transfered as byte?

(21 May '17, 07:10) d4ne

0

Maybe it's not line-based text data; perhaps it's a binary encoding of JSON, such as the one given in the Universal Binary JSON Specification. One of your pastebin posts has "Content-Type: application/json", and nothing indicating that it's compressed. However, the UBJSON people recommend application/ubjson, so perhaps it's some other encoding, and perhaps both the client and server have an out-of-band arrangement to use some binary encoding. The first two pastebin posts have "Dalvik" in the User-Agent, so it's presumably coming from an Android phone or tablet - perhaps some app is communicating with a server from the app vendor, so it knows that the server can accept some binary form of JSON and will send a binary form of JSON back.

answered 22 May '17, 15:33

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Hey, your right it's a app communicating with a server. The request is sent as Content-Type: application/octet-stream and the response is Content-Type: application/json

Also found the following code in the apk:

https://pastebin.com/Demn2n4S

This could be the encode/decode right?

(23 May '17, 02:30) d4ne