This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Write Gzip Encoded HTTP as Inflated in PCAP File

0

Is there any option or way to force tshark to write to the pcap output file the inflated http content body that was received encoded?

asked 19 Jul '11, 10:42

sethlwilson
31226
accept rate: 12%


2 Answers:

0

I found a way to extract what I needed which was SOAP XML traffic to/from a Web service. I wrote a simple Perl script that uses some very handy modules that I found.

    #!/usr/bin/perl

    use strict;
    use Net::Pcap;
    use Net::PcapUtils;
    use NetPacket;
    use NetPacket::IP;
    use NetPacket::Ethernet qw(:strip);
    use Sniffer::HTTP;

    my $VERBOSE = 0;

    # Print each reassembled request, and each response body after its
    # Content-Encoding (e.g. gzip) has been decoded.
    my $sniffer = Sniffer::HTTP->new(
        callbacks => {
            request  => sub { my ($req, $conn) = @_; print $req->as_string, "\n" if $req },
            response => sub { my ($res, $req, $conn) = @_; print $res->decoded_content, "\n" },
            log      => sub { print $_[0] if $VERBOSE },
            tcp_log  => sub { print $_[0] if $VERBOSE > 1 },
        }
    );

    # Net::Pcap callback: hand every Ethernet frame to the HTTP sniffer.
    sub process_pkt {
        my ($usr, $hdr, $pkt) = @_;
        my $eth_obj = NetPacket::Ethernet->decode($pkt);
        $sniffer->handle_eth_packet($pkt);
    }

    my $err;
    my $pcap = Net::Pcap::open_offline("$ARGV[0]", \$err)
        or die "Unable to open pcap file: $err\n";
    Net::Pcap::loop($pcap, -1, \&process_pkt, '');
    Net::Pcap::close($pcap);

answered 21 Jul '11, 11:00

sethlwilson
31226
accept rate: 12%

0

I don't think it is possible at the moment. And when I think about it there are some serious reasons why it won't work that easily. If you save the (originally compressed) payload uncompressed you'll heavily increase the packet size since the payload expands quite a bit. As a direct result most of the TCP sequence/ack numbers will get corrupted since they were calculated based on the original segment size. To correct them the saving process would need to go through the packets and recalculate all relevant values. Also, you'll quite often expand frames beyond the MTU (which is something you could live with, but still it will probably not be a valid trace anymore after saving it).

answered 19 Jul '11, 16:52

Jasper ♦♦
23.8k551284
accept rate: 18%
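
The size problem described in the answer above, as an added Python example (not code from either poster or from Wireshark): it inflates a constructed gzip-encoded HTTP response and reports how many segments it now needs and by how much every later sequence/ack number on the connection would have to shift. The 1460-byte MSS, the sample SOAP-like body, the starting sequence number and all function names are assumptions; it handles one in-order, non-chunked response only.

```python
import gzip

MSS = 1460  # assumed maximum TCP payload per segment (1500-byte Ethernet MTU)

def build_capture():
    """Constructed sample: one gzip-encoded HTTP response split into TCP segments."""
    xml = b"<soap:Envelope>" + b"<item>value</item>" * 400 + b"</soap:Envelope>"
    body = gzip.compress(xml)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n"
            b"Content-Encoding: gzip\r\nContent-Length: %d\r\n\r\n" % len(body))
    stream, isn = head + body, 1000  # isn: constructed starting sequence number
    return [(isn + off, stream[off:off + MSS]) for off in range(0, len(stream), MSS)], xml

def inflate_stream(segments):
    """Reassemble in-order segments, inflate the gzip body, rewrite Content-Length."""
    stream = b"".join(payload for _, payload in sorted(segments))
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not any(l.lower().replace(b" ", b"") == b"content-encoding:gzip" for l in lines):
        return stream  # not gzip-encoded: nothing to inflate
    plain = gzip.decompress(body)
    kept = [l for l in lines
            if not l.lower().startswith((b"content-encoding:", b"content-length:"))]
    kept.append(b"Content-Length: %d" % len(plain))
    return b"\r\n".join(kept) + b"\r\n\r\n" + plain

def rewrite(segments):
    """Return re-segmented payloads plus the shift every later seq/ack would need."""
    first_seq = min(seq for seq, _ in segments)
    old_len = sum(len(p) for _, p in segments)
    new_stream = inflate_stream(segments)
    new_segments = [(first_seq + off, new_stream[off:off + MSS])
                    for off in range(0, len(new_stream), MSS)]
    return new_segments, len(new_stream) - old_len

if __name__ == "__main__":
    segs, xml = build_capture()
    new_segs, shift = rewrite(segs)
    print(f"segments: {len(segs)} -> {len(new_segs)}, seq/ack shift: +{shift} bytes")
```
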