Extracting SOAP XML Payload

Question

I am referring to a thread already answered last summer - http://ask.wireshark.org/questions/4639/extracting-soap-xml-payload?sort=votes&page=1

I got this script working reading off of a pcap with:

tshark -r "/tmp/test.pcap" "tcp and data" -X lua_script:/tmp/luaListener.lua

Now, I am having a problem running the Lua script on a live capture (here's a sample pcap). In the Lua file, I have tap set to xml and field set to xml. Here is my command prompt:

tshark "tcp and data" -X lua_script:/tmp/luaListener.lua -i lo

When I run this, I get a stream of data on the screen, but the listener is not picking up anything, and the file is not created. Can anyone help?

Answer 1

The filter "tcp and data" does not apply to your pcap. That is, your SOAP XML packets are not contained in TCP packets as data fields as they were in the original post. I'm not sure if that's because of a change in the dissector or because the SOAP XML is generated differently for you than for the author of that post, but you can achieve the same results by changing the tap filter and Field from "data" to "xml":

-- tap uses dfilter for tcp data and ignores retransmissions
local tap       = Listener.new(nil, "tcp && dataxml && !tcp.analysis.retransmission")
local xml_field = Field.new("data""xml")

The result of this command:

$ tshark -r /tmp/test.pcap -Xlua_script:/tmp/luaListener.lua "xml"

creates the temp.xml file, containing:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET/">
   <soap:Header/>
   <soap:Body>
      <web:ConversionRate>
         <web:FromCurrency>USD</web:FromCurrency>
         <web:ToCurrency>CAD</web:ToCurrency>
      </web:ConversionRate>
   </soap:Body>
</soap:Envelope>

-- #6 ---------------------------------------------------

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ConversionRateResponse xmlns="http://www.webserviceX.NET/"><ConversionRateResult>0.991</ConversionRateResult></ConversionRateResponse></soap:Body></soap:Envelope>

-- #8 ---------------------------------------------------

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://www.webserviceX.NET/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:ConversionRate>
         <web:FromCurrency>CAD</web:FromCurrency>
         <web:ToCurrency>EUR</web:ToCurrency>
      </web:ConversionRate>
   </soapenv:Body>
</soapenv:Envelope>

-- #10 ---------------------------------------------------

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ConversionRateResponse xmlns="http://www.webserviceX.NET/"><ConversionRateResult>0.7711</ConversionRateResult></ConversionRateResponse></soap:Body></soap:Envelope>

-- #12 ---------------------------------------------------

Extracting SOAP XML Payload

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions