Goal: Extract the value of an XML element in SOAP requests. Ideally, I would use this in a custom display column (which I can also export to CSV).

Nature of Traffic: The captures contain numerous SOAP requests POSTed over HTTPS. The requests are large, spanning multiple packets. Given the private key, Wireshark is already able to decrypt the sessions, assemble the POST request, and dissect the XML. However, there is a many-to-one relationship between dissected fields (xml.tag and xml.cdata) and packets, and I do not know how to navigate this.

Option #1: I initially investigated writing a Lua Dissector/Tap/Listener (something I have had success with in the past). However, the documentation for Field is missing from the Lua API documentation, and I am unable to guess at how to access more than the first element of the XML. I am also unable to guess at how I might register a dissector to be called by the XML dissector. (At this point, I am UTSL, but there are so many abstraction layers in the code that it is going to take me a while.)

Option #2: I found the Wireshark document on XML, describing the creation of DTDs for Wireshark. It's all very interesting, but it doesn't mention how it is activated. I have tried creating a DTD, and the elements I have added appear as valid identifiers for filter expressions, but no values ever seem to get populated. How does Wireshark know to use my DTD when encountering the XML in the SOAP requests?

asked 21 Sep '15, 08:54 Michael Pearce
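An added example (not part of the question and not Wireshark's own code) of the many-to-one handling asked about under Option #1: a Lua post-dissector that collects every xml.tag / xml.cdata occurrence in a packet through Field extractors, picks out the text of one chosen element, and exposes it as a new field that can be used as a custom column. The element name `OrderId`, the protocol name `soapval` and the field name `soapval.value` are assumptions.

```lua
-- Added example, not from the question or from Wireshark: post-dissector
-- exposing the text content of one XML element as its own field.
local ELEMENT = "OrderId"        -- assumed element name; change to suit

local soapval = Proto("soapval", "SOAP element value")
local pf_value = ProtoField.string("soapval.value", ELEMENT .. " value")
soapval.fields = { pf_value }

-- Field extractors. Calling one returns EVERY occurrence of that field in
-- the current packet (as multiple FieldInfo return values), not just the
-- first, which is how the many-to-one relationship is navigated.
local f_tag   = Field.new("xml.tag")
local f_cdata = Field.new("xml.cdata")

-- Locate the opening tag of ELEMENT, then take the first cdata node that
-- follows it in the reassembled buffer (by byte offset).
local function find_value(tags, cdatas)
  local start = nil
  for _, t in ipairs(tags) do
    local s = t.value                       -- e.g. "<OrderId>" or "<OrderId a=...>"
    if s:match("^<" .. ELEMENT .. "[%s>]") then
      start = t.offset
      break
    end
  end
  if not start then return nil end          -- element absent in this packet

  local best = nil
  for _, c in ipairs(cdatas) do
    if c.offset > start and (best == nil or c.offset < best.offset) then
      best = c
    end
  end
  return best and best.value or nil
end

function soapval.dissector(tvb, pinfo, tree)
  local tags = { f_tag() }                  -- all xml.tag instances
  if #tags == 0 then return end             -- no dissected XML here
  local value = find_value(tags, { f_cdata() })
  if value then
    tree:add(pf_value, value)               -- shows up as soapval.value
  end
end

register_postdissector(soapval)
```

Once the script is loaded, `soapval.value` can be added as a custom column in the GUI, or exported from the command line with `tshark -X lua_script:soapval.lua -T fields -e soapval.value`; the value only appears on the packet in which the reassembled request is dissected.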