
WS cannot identify HTTP packets


What's wrong with attached packets? They look like part of HTTP POST request but WS doesn't show this: https://drive.google.com/open?id=1TSu...

Gene
asked 2019-03-03 14:15:29 +0000, updated 2019-03-03 14:30:58 +0000


1 Answer


That's HTTP on port 8080 and it decodes in my Wireshark installation. So, either your HTTP protocol settings don't have port 8080 or you're decoding port 8080 to something else.

So, either add 8080 to

Edit -> Preferences -> Protocols -> HTTP -> TCP port(s)

or add/delete a Decode as option for port 8080.

Right click a packet and choose **Decode as**

Regards
Kurt

Kurt Knochner
answered 2019-03-04 17:31:24 +0000

Comments

unpacked http1.pcap.gz and opened http1.pcap in WS, followed TCP stream (tcp.stream eq. 0) with right mouse click, menu selection, and what I get is (no threats found with 360 total security) the following code:

```
POST /opt/in/RepProducedProduct_v3 HTTP/1.0
content-type: multipart/form-data; boundary=8480CD4A34728DC5929AA124D9FFA1FB0
content-length: 17273716
user-agent: SAP NetWeaver Application Server (1.0;752)
host: 10.0.2.152:8080
accept: /

--8480CD4A34728DC5929AA124D9FFA1FB0
Content-Type: application/xml
Content-Disposition: form-data; name="xml_file"; filename="test.xml"

<ns:documents xmlns:ns="http://fsrar.ru/WEGAIS/WB_DOC_SINGLE_01" xmlns:rpp="http://fsrar.ru/WEGAIS/RepProducedProduct_v3" xmlns:oref2="http://fsrar.ru/WEGAIS/ClientRef_v2" xmlns:ce3="http://fsrar.ru/WEGAIS/CommonV3" xmlns:pref2="http://fsrar.ru/WEGAIS/ProductRef_v2">
  <ns:owner>
    <ns:fsrar_id>010060693343</ns:fsrar_id>
  </ns:owner>
  <ns:document>
    <ns:repproducedproduct_v3>
      <rpp:identity>0000000067</rpp:identity>
      <rpp:header>
        <rpp:type>OperProduction</rpp:type>
        <rpp:number>0000000067</rpp:number>
        <rpp:date>2019-02-16</rpp:date>
        <rpp:produceddate>2019-02-15</rpp ...
```

darius (2019-03-04 20:39:53 +0000)

follow up:

not sure why these entries are not shown: ... ... <ce3:amc>108400090979201018001OTBTSFSBPUXZHEEOR7S7D7Y77YDD6HZ7LEKK55FWQNIBBY57TZR5YUPJZCPXN7RIN2N6HDJLVP3OF56G3TEIOZKLGHKNQQA77NUD4NKOGGHRXP6DAOMBD6ZCZA3EM4PKQ</ce3:amc>

darius (2019-03-04 20:42:12 +0000)

> They look like part of HTTP POST request

and that's what you get, based on your first comment. Maybe I don't understand your problem. Can you please rephrase?

A screenshot could help as well.

Kurt Knochner (2019-03-05 06:15:53 +0000)

Port 8080 is already configured (by default) and WS successfully parses neighboring requests to the same port. There must be a specific problem with these frames. I know for sure it's a POST request with multipart form attached.

Gene (2019-03-05 07:36:32 +0000)
