Decompress gzip’d HTTP data from WireShark in Windows (No Linux required)

Here’s the alert with gzip’d data (look at the Content-Encoding header):

1.       Pull the packets into WireShark  from the IDS:

2.       Extract the zip file and open it in WireShark.

3.       Right click the first packet and choose the Follow Stream option:

4.       Choose the server side of the conversation from the drop down:

5.       Click Save As, give it a filename (like data.txt.gz). 

6.       Go to the directory where you saved the file, and open it with Notepad++ or a similar program.

7.       Delete the server header and the blank lines under it, leaving only the compressed content.

8.       After saving the file and closing it, right click the file and from the 7-Zip context menu, choose Extract Here. (If you get a “file is broken” error, continue anyway.)

9.       Open up the now decompressed file and begin analyzing.