Write Gzip Encoded HTTP as Inflated in PCAP File

0

Is there any option or way to force tshark to write to the pcap output file the inflated http content body that was received encoded?

asked 19 Jul '11, 10:42

sethlwilson's gravatar image

sethlwilson
31226
accept rate: 12%

2 Answers:
oldestnewestmost voted
0

I found a way to extract what I needed which was SOAP XML traffic to/from a Web service. I wrote a simple Perl script that uses some very handy modules that I found.

#!/usr/bin/perl

use strict;
use Net::Pcap;
use Net::PcapUtils;
use NetPacket;
use NetPacket::IP;
use NetPacket::Ethernet qw(:strip);
use Sniffer::HTTP;

my $VERBOSE = 0;

my $sniffer = Sniffer::HTTP->new( 
  callbacks => {
    request  => sub { my ($req, $conn) = @_; print $req->as_string,"\n" if $req },
    response => sub { my ($res, $req, $conn) = @_; print $res->decoded_content,"\n" },
    log      => sub { print $_[0] if $VERBOSE },
    tcp_log  => sub { print $_[0] if $VERBOSE > 1 },
    }
);

sub process_pkt
{
  my ($usr, $hdr, $pkt) = @_;
  my $eth_obj = NetPacket::Ethernet->decode($pkt);
  $sniffer->handle_eth_packet($pkt);
}

my $err;
my $pcap = Net::Pcap::open_offline("$ARGV[0]", \$err)
  or die "Unable to open pcap file: $err\n";
Net::Pcap::loop($pcap, -1, \&process_pkt, '');
Net::Pcap::close($pcap);
link

answered 21 Jul '11, 11:00

sethlwilson's gravatar image

sethlwilson
31226
accept rate: 12%

0

I don't think it is possible at the moment. And when I think about it there are some serious reasons why it won't work that easily. If you save the (originally compressed) payload uncompressed you'll heavily increase the packet size since the playload expands quite a bit. As a direct result most of the TCP sequence/ack numbers will get corrupted since they were calculated based on the original segment size. To correct them the saving process would need to go through the packets and recalculate all relevant values. Also, you'll quite often expand frames beyond the MTU (which is something you could live with, but still it will probably not be a valid trace anymore after saving it).

link

answered 19 Jul '11, 16:52

Jasper's gravatar image

Jasper ♦
10.1k328145
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×246
×120
×67
×5
×1

Asked: 19 Jul '11, 10:42

Seen: 1,932 times

Last updated: 21 Jul '11, 11:00

Related questions

how to add data length column in wireshark display or plot payload length vs packet no

reconstructing HTTP object

Extracting SOAP XML Payload

Converting a wireshark pcap file to a windows txt file that contains field=value data.

Exporting pcap to csv using tshark

Display HTTP content as text using tshark

Can we get a decrypted .pcap from an encrypted .pcap file through some command if i have private key

Can tshark display textual HTTP content during capture?

Perl Net::Pcap Can not parse wireshark saved pcap file

Filter multiple IPs

about | faq | privacy | support | contact

powered by OSQA