Neo Neo - 3 years ago 219
HTTP Question

Why is the HTTP response payload showing in Wireshark tcp stream as gibberish?

I sniffed an

) conversation with a website using Wireshark.

Then I used Follow TCP stream to watch the conversation, and the whole payload comes as complete gibberish (lots of dots and occasional letters).

I saw this (Content-Type: text/html;charset=UTF-8) header in the response and thought I may change the encoding to UTF-8 (in the TCP stream window).

It just changes to different gibberish (lots of question marks in squares and occasional letters).

However, when I open the same conversation using Follow HTTP stream it comes out as fine HTML.

What is going on?

My guess is that Wireshark parses the HTTP headers and so knows to display the payload well.
But still, why doesn't simply changing to UTF-8 display well? Why doesn't ASCII display well, as UTF-8 should be backward-compatible with it?

Answer Source

There are several possibilities. One of the primary ones is that you are looking at gzipped content, which is very typical from web servers these days, allowing them to send the page back in a compressed state. If this is the case, look for the Content-Encoding: header and examine its value.

The other possibility is that the application is streaming binary data through the HTTP connection, even though the application is setting Content-Type: to text/html. There's nothing that makes this illegal, though it is a bad practice since this header acts as a hint for the browser to determine how to handle the data.
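The gzip case described in the answer, as an added example that is not part of the original answer: it takes the raw bytes of one response as a TCP stream view would show them and applies the steps in the order an HTTP-aware view needs, including Transfer-Encoding: chunked, which the answer does not mention. The function names and the sample response are constructed for illustration.

```python
import gzip


def decode_http_response(raw: bytes) -> str:
    """Turn the raw bytes of one HTTP/1.1 response into readable body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")

    # Undo Transfer-Encoding: chunked first (hex size line, data, CRLF, ...).
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = _dechunk(body)

    # Then undo Content-Encoding; this is the step a raw TCP view skips.
    encoding = headers.get("content-encoding", "identity").lower()
    if encoding in ("gzip", "x-gzip"):
        body = gzip.decompress(body)
    elif encoding != "identity":
        raise ValueError(f"unsupported Content-Encoding: {encoding}")

    # Only now does the charset from Content-Type apply.
    charset = "utf-8"
    for param in headers.get("content-type", "").split(";")[1:]:
        key, _, val = param.partition("=")
        if key.strip().lower() == "charset":
            charset = val.strip().strip('"')
    return body.decode(charset, errors="replace")


def _dechunk(body: bytes) -> bytes:
    out = bytearray()
    while body:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]                     # skip chunk data and its CRLF
    return bytes(out)


# Constructed sample: a gzip-compressed, chunked response as it appears on the wire.
_HTML = "<html><body>héllo</body></html>"
_GZ = gzip.compress(_HTML.encode("utf-8"))
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n"
          b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
          + b"%x\r\n" % len(_GZ) + _GZ + b"\r\n0\r\n\r\n")
```

Decoding the wire bytes of SAMPLE directly as UTF-8 yields replacement characters, because the charset describes the body only after the content encoding has been removed.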
