Write Gzip Encoded HTTP as Inflated in PCAP File

Question

Is there any option or way to force tshark to write to the pcap output file the inflated http content body that was received encoded?

Accepted Answer

I found a way to extract what I needed which was SOAP XML traffic to/from a Web service. I wrote a simple Perl script that uses some very handy modules that I found.

#!/usr/bin/perl
use strict;
use Net::Pcap;
use Net::PcapUtils;
use NetPacket;
use NetPacket::IP;
use NetPacket::Ethernet qw(:strip);
use Sniffer::HTTP;
my $VERBOSE = 0;
my $sniffer = Sniffer::HTTP->new(
callbacks => {
request  => sub { my ($req, $conn) = @; print $req->as_string,"\n" if $req },
response => sub { my ($res, $req, $conn) = @; print $res->decoded_content,"\n" },
log      => sub { print $[0] if $VERBOSE },
tcp_log  => sub { print $[0] if $VERBOSE > 1 },
}
);
sub process_pkt
{
my ($usr, $hdr, $pkt) = @_;
my $eth_obj = NetPacket::Ethernet->decode($pkt);
$sniffer->handle_eth_packet($pkt);
}
my $err;
my $pcap = Net::Pcap::open_offline("$ARGV[0]", $err)
or die "Unable to open pcap file: $err\n";
Net::Pcap::loop($pcap, -1, &amp;process_pkt, '');
Net::Pcap::close($pcap);

Answer 2

I don't think it is possible at the moment. And when I think about it there are some serious reasons why it won't work that easily. If you save the (originally compressed) payload uncompressed you'll heavily increase the packet size since the playload expands quite a bit. As a direct result most of the TCP sequence/ack numbers will get corrupted since they were calculated based on the original segment size. To correct them the saving process would need to go through the packets and recalculate all relevant values. Also, you'll quite often expand frames beyond the MTU (which is something you could live with, but still it will probably not be a valid trace anymore after saving it).