How can I identify what format payload is in? Question on content encodings.

vxc69 · 09-01-2014, 06:56 AM

Hi guys,

I've got an HTTP payload. I'm trying to test what is laid out by Mark Adler (author of zlib and gzip compression) in his post here - where he states that "some" servers send deflate encoding when they should be sending zlib (as laid out in the specification).

How should I go about analysing the raw payload to see if the data sent is raw deflate or with the zlib wrapper? I have the byte sequence of the payload. I assume the headers should have this information. Any help with this is much appreciated.

NevemTeve · 09-01-2014, 07:11 AM

Perhaps 'file' utility program might help (or 'libmagic', if you want to use it from program).

vxc69 · 09-01-2014, 09:55 AM

Quote:

Originally Posted by NevemTeve

Perhaps 'file' utility program might help (or 'libmagic', if you want to use it from program).

I tried that - file command returned "data". More research into this suggests most formats have some sort magic number (or header) but I can't find this for raw deflate. Zlib supposedly has several magic numbers.

NevemTeve · 09-01-2014, 10:13 AM

(Oh, I remember now, I've heard something about gzip-ped HTTP-data not having actual gzip header...)