In Wireshark's layout preferences, the three panes are:
- Packet List – Rows of src/dest/protocol/info
- Packet Details – Collapsible tree
- Packet Bytes – Tabbed hex dumps
Most of the time, if you're sniffing text-based traffic, you find an interesting packet, right-click it in the list, and choose "Follow TCP Stream". The problem is that Wireshark is sometimes too honest: if the traffic is compressed, you'll see the binary garbage that's really flowing through the NIC, not the text it decodes to.
HTTP/1.1 200 OK
Content-Encoding: gzip
If you see this header on an HTTP response, there's another approach.
Instead of following the stream, look at the "Packet Bytes" pane at the bottom. There should be a tab named "Uncompressed entity body", which is the output of the HTTP dissector after it has reassembled the body across several TCP segments and un-gzipped it. (The tab only appears when the HTTP protocol preference "Uncompress entity bodies" is enabled, which it is by default.)
The ASCII column is squashed to the side of the hex dump, so you'd be tempted to right-click and copy, or press Ctrl-C. That won't work.
The way to get the plaintext onto the clipboard hides in the middle pane, "Packet Details". Collapse all the branches. The bottom branch should be "Line-based text data: text/html". Right-click it and choose "Copy", then "Bytes (Printable Text Only)". *
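When you need the same result outside the GUI, or for many responses at once, it helps to know exactly what the dissector is doing: reassemble the response, strip any chunked transfer encoding, then decompress according to Content-Encoding. The script below is an added example written for this page, not Wireshark's own code; it works on the bytes of one reassembled TCP stream (the sort of thing "Follow TCP Stream" shows you), and the sample response it decodes is constructed inline, chunked and gzipped the way a real server would send it. It goes slightly beyond the page by also handling deflate, in both the zlib-wrapped and raw forms that servers send.

```python
import gzip
import zlib


def parse_headers(raw: bytes):
    """Split an HTTP/1.x response into (status_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response: no end of headers")
    lines = head.split(b"\r\n")
    status_line = lines[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("latin-1")
    return status_line, headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body into the raw entity body."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # ignore chunk extensions
        pos = end + 2
        if size == 0:
            break  # last chunk; optional trailers follow, which we don't need
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and the CRLF after it
    return bytes(out)


def decompress(body: bytes, encoding: str) -> bytes:
    """Undo the Content-Encoding applied to an entity body."""
    enc = encoding.lower()
    if enc in ("", "identity"):
        return body
    if enc == "gzip":
        return gzip.decompress(body)
    if enc == "deflate":
        # Some servers send raw DEFLATE instead of the zlib-wrapped form; try both.
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    raise ValueError(f"unsupported Content-Encoding: {encoding}")


def entity_body(raw: bytes) -> bytes:
    """Return the plaintext entity body of one reassembled HTTP response."""
    _status, headers, body = parse_headers(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    elif "content-length" in headers:
        body = body[:int(headers["content-length"])]
    return decompress(body, headers.get("content-encoding", ""))


# Constructed sample: a small HTML page, gzipped and sent in two chunks.
SAMPLE_HTML = b"<html><body><h1>hello</h1></body></html>"


def build_sample_response() -> bytes:
    gz = gzip.compress(SAMPLE_HTML)
    half = len(gz) // 2
    chunks = [gz[:half], gz[half:]]
    chunked = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks) + b"0\r\n\r\n"
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Transfer-Encoding: chunked\r\n\r\n" + chunked)


if __name__ == "__main__":
    print(entity_body(build_sample_response()).decode())
```

To feed it real traffic, save the server side of a followed stream as raw bytes from the "Follow TCP Stream" dialog and pass the file's contents to `entity_body`; one stream may carry several responses, so split on status lines first if the server used keep-alive. For bulk work, tshark's `--export-objects http,<dir>` writes the already-decoded bodies straight to disk.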
If you want to try this out, start sniffing, and visit Google. It’s consistently gzipped.
This method works for uncompressed traffic too, but there following the stream is more convenient.