This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extracting SOAP XML Payload

I am referring to a thread already answered last summer - http://ask.wireshark.org/questions/4639/extracting-soap-xml-payload?sort=votes&page=1

I got this script working reading off of a pcap with:

tshark -r "/tmp/test.pcap" "tcp and data" -X lua_script:/tmp/luaListener.lua

Now, I am having a problem running the Lua script on a live capture (here's a sample pcap). In the Lua file, I have tap set to xml and field set to xml. Here is my command prompt:

tshark "tcp and data" -X lua_script:/tmp/luaListener.lua -i lo

When I run this, I get a stream of data on the screen, but the listener is not picking up anything, and the file is not created. Can anyone help?

asked 13 Mar '12, 12:49

pilotgurl86

edited 14 Mar '12, 15:03

helloworld

Sorry, I had a typo - the last command line is supposed to be:

tshark -R "tcp and data" -X lua_script:/tmp/luaListenr.lua -i lo

(13 Mar '12, 12:51) pilotgurl86

One Answer:

The filter "tcp and data" does not apply to your pcap. That is, your SOAP XML packets are not contained in TCP packets as data fields as they were in the original post. I'm not sure if that's because of a change in the dissector or because the SOAP XML is generated differently for you than for the author of that post, but you can achieve the same results by changing the tap filter and Field from "data" to "xml":

-- tap uses dfilter for tcp xml and ignores retransmissions
local tap       = Listener.new(nil, "tcp && xml && !tcp.analysis.retransmission")
local xml_field = Field.new("xml")


The result of this command:

$ tshark -r /tmp/test.pcap -Xlua_script:/tmp/luaListener.lua "xml"

creates the temp.xml file, containing:

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:web="http://www.webserviceX.NET/">
   <soap:Header/>
   <soap:Body>
      <web:ConversionRate>
         <web:FromCurrency>USD</web:FromCurrency>
         <web:ToCurrency>CAD</web:ToCurrency>
      </web:ConversionRate>
   </soap:Body>
</soap:Envelope>

– #6 —————————————————

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ConversionRateResponse xmlns="http://www.webserviceX.NET/"><ConversionRateResult>0.991</ConversionRateResult></ConversionRateResponse></soap:Body></soap:Envelope>

– #8 —————————————————

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://www.webserviceX.NET/"> <soapenv:Header/> <soapenv:Body> <web:ConversionRate> <web:FromCurrency>CAD</web:FromCurrency> <web:ToCurrency>EUR</web:ToCurrency> </web:ConversionRate> </soapenv:Body> </soapenv:Envelope>

– #10 —————————————————

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ConversionRateResponse xmlns="http://www.webserviceX.NET/"><ConversionRateResult>0.7711</ConversionRateResult></ConversionRateResponse></soap:Body></soap:Envelope>

– #12 —————————————————

answered 14 Mar '12, 19:55

helloworld

edited 14 Mar '12, 19:56

Thanks, that works great! How would you get this to run off of the network and not a pcap file? Just remove the pcap file? It doesn’t seem to work, it will show traffic, but not record anything in the XML file.

(15 Mar '12, 04:29) pilotgurl86
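
The listener change described in the answer above, written out as a complete tap script. This is an added example, not code from the original thread or from the Wireshark project: the relative output path, the separator line and the `written` counter are assumptions, and it assumes a Wireshark build whose Lua API exposes `FieldInfo.range`.

```lua
-- Added example: tshark tap listener that writes every XML payload to temp.xml.
-- The file name follows the answer's output; the separator format and the
-- counter are assumptions of this example.

local OUT_PATH = "temp.xml"   -- assumed to be writable in the working directory

-- Tap filter and Field use "xml" instead of "data", as in the answer above.
-- Field extractors must be created at load time, before any packet is dissected.
local tap       = Listener.new(nil, "tcp && xml && !tcp.analysis.retransmission")
local xml_field = Field.new("xml")

local out, err = io.open(OUT_PATH, "w")
if not out then
    error("cannot open " .. OUT_PATH .. ": " .. tostring(err))
end

local written = 0   -- number of XML payloads written so far

-- Called once for every packet that matches the tap filter.
function tap.packet(pinfo, tvb)
    -- A frame can carry more than one XML document, so collect all matches.
    local finfos = { xml_field() }
    for _, finfo in ipairs(finfos) do
        local range = finfo.range   -- TvbRange covering the field, or nil
        if range and range:len() > 0 then
            out:write(range:string(), "\n\n")
            -- Separator with the frame number, so payloads can be traced back.
            out:write(string.format("-- #%d %s\n\n", pinfo.number, string.rep("-", 17)))
            written = written + 1
        end
    end
    -- Flush per packet so the file is current even if tshark is interrupted.
    out:flush()
end

-- Called when tshark finishes processing and asks taps to report.
function tap.draw()
    out:flush()
    print(string.format("%d XML payload(s) written to %s", written, OUT_PATH))
end

-- Called when the tap state is reset.
function tap.reset()
    written = 0
end
```

Load it the same way as in the answer, for example with `tshark -r /tmp/test.pcap -Xlua_script:/tmp/luaListener.lua "xml"`.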