Is there any option or way to force tshark to write to the pcap output file the inflated HTTP content body that was received encoded?
asked 19 Jul '11, 10:42
I found a way to extract what I needed which was SOAP XML traffic to/from a Web service. I wrote a simple Perl script that uses some very handy modules that I found.
answered 21 Jul '11, 11:00
I don't think it is possible at the moment. And when I think about it, there are some serious reasons why it won't work that easily. If you save the (originally compressed) payload uncompressed, you'll heavily increase the packet size since the payload expands quite a bit. As a direct result, most of the TCP sequence/ack numbers will get corrupted since they were calculated based on the original segment size. To correct them, the saving process would need to go through the packets and recalculate all relevant values. Also, you'll quite often expand frames beyond the MTU (which is something you could live with, but still it will probably not be a valid trace anymore after saving it).
answered 19 Jul '11, 16:52
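The sequence-number and MTU problem described in the answer above can be put in numbers with a short script. This is an added example, not part of the original posts; the SOAP-like sample body, the initial sequence number of 1000 and the 1460-byte MSS are constructed assumptions.

```python
import gzip

MSS = 1460  # assumption: Ethernet MTU 1500 minus 40 bytes of IP/TCP headers

def build_response(xml: bytes) -> bytes:
    """Constructed sample: an HTTP response carrying a gzip-encoded body."""
    body = gzip.compress(xml, mtime=0)
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n"
            b"Content-Encoding: gzip\r\n"
            b"Content-Length: " + str(len(body)).encode())
    return head + b"\r\n\r\n" + body

def inflate_response(raw: bytes) -> bytes:
    """Return the response with the body inflated and the headers adjusted."""
    head, body = raw.split(b"\r\n\r\n", 1)
    lines = head.split(b"\r\n")
    if not any(l.lower().replace(b" ", b"") == b"content-encoding:gzip" for l in lines):
        return raw  # nothing to inflate
    plain = gzip.decompress(body)
    kept = [l for l in lines
            if not l.lower().startswith((b"content-encoding:", b"content-length:"))]
    kept.append(b"Content-Length: " + str(len(plain)).encode())
    return b"\r\n".join(kept) + b"\r\n\r\n" + plain

def segments(stream: bytes, isn: int, mss: int = MSS):
    """Split a byte stream into (seq, length) pairs, one per TCP segment."""
    return [((isn + off) % 2**32, min(mss, len(stream) - off))
            for off in range(0, len(stream), mss)]

def next_seq(segs):
    """Sequence number the sender uses next, which the peer's ACK must match."""
    seq, length = segs[-1]
    return (seq + length) % 2**32

def compare(xml: bytes, isn: int = 1000):
    """Compare the stream as captured with the stream after inflating the body."""
    wire = build_response(xml)
    flat = inflate_response(wire)
    a, b = segments(wire, isn), segments(flat, isn)
    return {"wire_bytes": len(wire), "inflated_bytes": len(flat),
            "wire_segments": len(a), "inflated_segments": len(b),
            # every later seq from this side, and every ACK from the peer, is off by this
            "seq_shift": (next_seq(b) - next_seq(a)) % 2**32}

# Constructed sample body: repetitive XML compresses well, as SOAP traffic usually does
SAMPLE_XML = b"<soap:Envelope><soap:Body>" + b"<item>value</item>" * 400 + b"</soap:Body></soap:Envelope>"

if __name__ == "__main__":
    print(compare(SAMPLE_XML))
```

The compressed response fits in a single segment, while the inflated one either spans several segments or has to be written as one frame larger than the MTU; in both cases `seq_shift` is the amount by which all following sequence and acknowledgement numbers in the trace would have to be rewritten.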