Wireshark-users: Re: [Wireshark-users] Decode TCP trame cup into different parts

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 7 Jan 2010 04:23:49 -0800
On Jan 7, 2010, at 4:17 AM, Lior Zarfati wrote:

> Wireshark is behaving perfectly and showing you the exact traffic that is being transferred over the HTTP protocol.
> The part which you are misunderstanding is the one that states “Content-Encoding: gzip”. That means the rest of the content is compressed using gzip compression. What you see as the HTTP packet data is the gzip raw feed.
> Your SOAP client is compressing outgoing data using gzip. If you want to see the content itself, get it to not compress the data.

...or make sure all the HTTP preference settings I mentioned in my earlier message are on; Wireshark should, in that case, reassemble the entire HTTP message and unzip the body of the request.

(It won't do that in the "Follow TCP Stream" output - that only displays the raw TCP data stream, without any interpretation.)
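
[Added example, not part of the original message and not Wireshark code: a Python sketch of the two steps discussed in this thread, reassembling an HTTP message from its TCP segments and then gunzipping a body marked "Content-Encoding: gzip". The sample request, host name, path and segment size are constructed for illustration, and a Content-Length body (not chunked) is assumed.]

```python
import gzip

def decode_http_message(segments):
    """Reassemble the TCP payloads of one HTTP message and decode its body."""
    # Joining the payloads gives the raw byte stream, i.e. what
    # "Follow TCP Stream" displays without any interpretation.
    stream = b"".join(segments)
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block incomplete: more segments needed")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body incomplete: more segments needed")
    body = rest[:length]
    # The body can only be unzipped once every byte of it has been reassembled.
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return lines[0], headers, body

def build_sample_segments(mss=64):
    """Constructed sample: a gzip-compressed SOAP POST cut into small segments."""
    soap = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<soap:Body><Ping/></soap:Body></soap:Envelope>")
    compressed = gzip.compress(soap)
    request = (b"POST /service HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"Content-Type: text/xml\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Content-Length: " + str(len(compressed)).encode()
               + b"\r\n\r\n" + compressed)
    return soap, [request[i:i + mss] for i in range(0, len(request), mss)]

if __name__ == "__main__":
    soap, segments = build_sample_segments()
    start_line, headers, body = decode_http_message(segments)
    raw_body = b"".join(segments).partition(b"\r\n\r\n")[2]
    print(start_line, "in", len(segments), "segments")
    print("raw body starts with:", raw_body[:8].hex())   # gzip magic 1f8b...
    print("decoded body:", body.decode())
```
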