
Goal: Extract the value of an XML element in SOAP requests. Ideally, I would use this in a custom display column (which I can also export to CSV).

Nature of Traffic: The captures contain numerous SOAP requests POSTed over HTTPS. The requests are large, spanning multiple packets. Given the private key, Wireshark is already able to decrypt the sessions, assemble the POST request, and dissect the XML. However, there is a many-to-one relationship between dissected fields (xml.tag and xml.cdata) and packets, and I do not know how to navigate this.

Option #1: I initially investigated writing a Lua Dissector/Tap/Listener (something I have had success with in the past). However, the documentation for Field is missing from the LuaAPI documentation, and I am unable to guess at how to access more than the first element of the XML. I am also unable to guess at how I might register a dissector to be called by the XML dissector. (At this point, I am UTSL, but there are so many abstraction layers in the code, it is going to take me a while.)

Option #2: I found the Wireshark document on XML, describing the creation of DTDs for Wireshark. It's all very interesting, but it doesn't mention how it is activated. I have tried creating a DTD, and the elements I have added appear as valid identifiers for filter expressions, but no values ever seem to get populated. How does Wireshark know to use my DTD when encountering the XML in the SOAP requests?

asked 21 Sep '15, 08:54


Michael Pearce
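Added example for Option #1 (not from the question or from Wireshark's own scripts): a Lua postdissector that handles the many-to-one relationship by collecting every `xml.tag` and `xml.cdata` instance in the packet, locating the opening tag of the wanted element, and taking the text node that sits between that tag and the next one. The result is exposed as its own field, `soapvalue.value`, which can be used as a custom column or exported with `tshark -T fields`. Assumptions: the element is called `Amount` (any namespace prefix), the protocol name `soapvalue` is free, and the `xml.tag` values are the raw tag text including angle brackets, which is how the built-in XML dissector presents them.

```lua
-- soap_extract.lua -- added example, not from the original post.
-- Postdissector that pulls the text of one XML element out of the
-- already-dissected (and reassembled) SOAP body and exposes it as a
-- filterable field, usable as a custom column or with
-- `tshark -T fields -e soapvalue.value`.

-- Assumption: the element we want is called "Amount" (any namespace prefix).
local TARGET_ELEMENT = "Amount"

-- Extractors for fields the built-in XML dissector already produces.
-- Calling an extractor returns *every* instance in the packet; wrapping
-- the call in a table constructor collects all of them.
local f_xml_tag   = Field.new("xml.tag")
local f_xml_cdata = Field.new("xml.cdata")

-- New protocol with a single string field; "soapvalue" is an assumed name.
local soapvalue = Proto("soapvalue", "SOAP element value (Lua postdissector)")
local pf_value  = ProtoField.string("soapvalue.value", TARGET_ELEMENT .. " value")
soapvalue.fields = { pf_value }

-- xml.tag values are the raw tag text, e.g. '<ns:Amount currency="USD">'
-- or '</ns:Amount>'. Return the local name and whether it is a closing tag.
local function local_name_of(tag_text)
  local slash, qname = tag_text:match("^<(/?)([^%s/>]+)")
  if not qname then return nil, false end
  return qname:match("[^:]+$"), slash == "/"
end

-- Pure function over lists of {value=, offset=, len=} records so it can be
-- exercised outside Wireshark. Finds the first opening tag whose local
-- name is `wanted` and returns the first cdata node lying between that tag
-- and the next tag (the element's own text content), or nil.
local function find_element_text(tags, cdatas, wanted)
  local by_offset = function(a, b) return a.offset < b.offset end
  table.sort(tags, by_offset)
  table.sort(cdatas, by_offset)
  for i, tag in ipairs(tags) do
    local lname, closing = local_name_of(tag.value)
    if lname == wanted and not closing then
      local lo = tag.offset + tag.len
      local hi = tags[i + 1] and tags[i + 1].offset or math.huge
      for _, c in ipairs(cdatas) do
        if c.offset >= lo and c.offset < hi then
          return c.value
        end
      end
      return nil  -- element present but has no text child of its own
    end
  end
  return nil
end

-- Copy FieldInfo userdata into plain records. All xml.* offsets are
-- relative to the same reassembled tvb, so they are comparable.
local function records_of(field)
  local out = {}
  for _, fi in ipairs({ field() }) do
    out[#out + 1] = { value = tostring(fi.value), offset = fi.offset, len = fi.len }
  end
  return out
end

function soapvalue.dissector(tvb, pinfo, tree)
  local tags = records_of(f_xml_tag)
  if #tags == 0 then return end  -- no dissected XML in this packet
  local text = find_element_text(tags, records_of(f_xml_cdata), TARGET_ELEMENT)
  if text then
    tree:add(soapvalue, tvb()):add(pf_value, text)
  end
end

-- The second argument asks Wireshark to generate all fields even when only
-- a custom column is being rendered; without it the xml.* fields may not
-- exist by the time this postdissector runs. It costs dissection time, and
-- older builds that reject the argument need the one-argument form.
register_postdissector(soapvalue, true)
```

Load it with `-X lua_script:soap_extract.lua` (or from the plugins directory), then add a custom column with field `soapvalue.value`, or export with `tshark -r capture.pcapng -X lua_script:soap_extract.lua -T fields -e frame.number -e soapvalue.value` together with the same RSA key options already used for decryption. The matching is done on byte offsets rather than on list position, so it still works when the element carries attributes, a namespace prefix, or sits among sibling elements that also have text; it deliberately stops at the first occurrence of the element per packet.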
