This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extracting SOAP XML data in live capture

0

Greetings all,

I am new to Lua and Wireshark together so apologies for my first post.

The situation I have is that we have a server which is pumping out notifications using SOAP/XML protocol. The notification messages are very small in size and coming out at a rate of 10-20 per minute.

Initially I wrote a Lua script (after researching for several hours) to extract the data I needed (link below).

XML Payload and Lua script

After executing the script I get output as follows

State Change detected
Object Instance              = 43606
Attribute Value Change Type  = OperationalState
Attribute Value Change Value = DISABLED
tap.packet      #279
Attribute Value Change detected
Object Instance              = 43606
Attribute Value Change Type  = 1475
Attribute Value Change Value = ENABLED
tap.packet      #281
State Change detected
Object Instance              = 43606
Attribute Value Change Type  = OperationalState
Attribute Value Change Value = ENABLED
tap.packet      #283
tap.packet      #286
tap.packet      #288
Attribute Value Change detected
Object Instance              = 230690
Attribute Value Change Type  = 4060
Attribute Value Change Value = REGISTERED

What I want to next is make the same output appear in a text window within Wireshark GUI. The linked Lua script does not work in a Wireshark Menu wrapper as Field is not available.

I would love to hear some pointers or tips on how to proceed. I'm not familiar with writing dissectors if that is the path I need to take..

asked 12 May '15, 12:26

carlwain74's gravatar image

carlwain74
1334
accept rate: 0%

edited 13 May '15, 02:12

grahamb's gravatar image

grahamb ♦
19.8k330206

2 Answers:

0

Hi Carl,

You'd need to start your script in the same way you are starting tshark that is with -X option.

If I recall correctly Field is not available if you simply paste the code into eval window of wireshark after it was started.

Rather than printing you may want to add text to info column ( something along the lines )

pinfo.cols.info = objInst .. " " .. attrType

Or you may want to use info('') instead of print this will show up in the console ( you may have to reload your pcap after console is opened.

Regards

Marcin

p.s. Nice to see you are still tinkering with lua ;-) good old IPA days

answered 14 May '15, 03:13

izopizo's gravatar image

izopizo
2024714
accept rate: 0%

edited 14 May '15, 03:17

For some reason not all the XML is being made available. When I finally get to examine the XML content for a different message I am only getting the second half of the XML payload.

(20 May '15, 14:40) carlwain74

0

Marcin,

Good to hear your still out there working with Wireshark..

It actually worked out that I did not need the Field code to get it to work. The following line was enough to get what I needed. I just needed to offset the XML payload and 50 seemed to work fine and now I can decode all XML payloads.

 local xmldata   = tvb(50):string()

Now I'm stuck on another issue opening a simple filename.

Carl

answered 14 May '15, 11:49

carlwain74's gravatar image

carlwain74
1334
accept rate: 0%