Capturing and decoding POST data using tcpdump / wireshark

So I needed to debug an application which POSTs XML to a third-party application; this was failing but being very unspecific as to why.

What I wanted to do was send the data manually, but first I needed to capture it. After a bit of digging I came up blank on an easy way to get the information out of tcpdump, but then I found a brilliant little Perl script which does all the hard work: you just feed it a tcpdump output file, and it does all the manipulation and outputs everything you need.

The script is called chaosreader0.94; see http://www.darknet.org.uk/2007/11/chaosreader-trace-tcpudp-sessions-from-tcpdump/

It worked like a treat. I did the following:

tcpdump host www.blah.com -s 9000 -w outputfile; perl chaosreader0.94 outputfile

It generated a load of files, headed up by index.html. When you put these files on a web server and open index.html you get a few options; see below.

Chaosreader Report
File: out1, Type: tcpdump, Created at: Thu May 21 11:56:59 2009

Image Report (Empty) – Click here for a report on captured images.
GET/POST Report – Click here for a report on HTTP GETs and POSTs.
HTTP Proxy Log – Click here for a generated proxy style HTTP log.

TCP/UDP/… Sessions

1. Thu May 21 11:56:48 2009  5 s  192.168.x.x:50624 -> 192.168.x.x:80  http  80515 bytes
   • as html
   • session 0001.part 01.html  5836 bytes
2. Thu May 21 11:56:54 2009  0 s  192.168.x.x:50633 -> 192.168.x.x:80  http  84451 bytes
   • as html
   • session 0002.part 01.html  5836 bytes

IP Count
192.168.x.x 136
192.168.x.x 86

TCP Port Count
http 221

UDP Port Count

IP Protocol Count
TCP 222

Ethernet Type Count
0800 222

Clicking the session links gave me all the information I needed.
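For anyone who wants to see what chaosreader is doing under the hood (or who can't run Perl on the capture box), here is an added, stdlib-only Python example that is not part of the original post and not chaosreader's code. It reads a libpcap file as written by tcpdump -w, reassembles each TCP direction by sequence number (handling out-of-order and retransmitted segments), and pulls out every HTTP POST with its headers and body. The capture it runs on is constructed in the script itself: the hostnames, addresses, ports, the /api/submit path and the XML body are all made-up sample values.

```python
import socket
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IP4 = struct.Struct("!BBHHHBBH4s4s")     # minimal 20-byte IPv4 header
TCP = struct.Struct("!HHIIBBHHH")        # minimal 20-byte TCP header

def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame for the sample file (checksums left zero)."""
    tcp = TCP.pack(sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IP4.pack(0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                  socket.inet_aton(src), socket.inet_aton(dst))
    return ETH.pack(b"\x00" * 6, b"\x00" * 6, 0x0800) + ip + tcp

def build_pcap(frames):
    """Wrap frames in a libpcap file: little-endian magic, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield each captured frame from a little-endian libpcap file (tcpdump -w)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap files are handled here")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl

def tcp_streams(data):
    """Reassemble one-directional TCP payload per (src, sport, dst, dport) by seq number."""
    segs = defaultdict(dict)
    for frame in read_pcap(data):
        if ETH.unpack_from(frame, 0)[2] != 0x0800:
            continue                                   # not IPv4
        ip = IP4.unpack_from(frame, 14)
        ihl, proto, total = (ip[0] & 0x0F) * 4, ip[6], ip[2]
        if proto != 6:
            continue                                   # not TCP
        toff = 14 + ihl
        tcp = TCP.unpack_from(frame, toff)
        payload = frame[toff + (tcp[4] >> 4) * 4:14 + total]
        if payload:
            key = (socket.inet_ntoa(ip[8]), tcp[0], socket.inet_ntoa(ip[9]), tcp[1])
            segs[key][tcp[2]] = payload                # a retransmission simply overwrites
    streams = {}
    for key, by_seq in segs.items():
        buf, expect = bytearray(), None
        for seq in sorted(by_seq):                     # puts out-of-order segments back in place
            chunk = by_seq[seq]
            if expect is not None and seq < expect:
                chunk = chunk[expect - seq:]           # drop bytes already seen (overlap)
            buf += chunk
            expect = max(expect or 0, seq + len(by_seq[seq]))
        streams[key] = bytes(buf)
    return streams

def http_posts(streams):
    """Pull every HTTP POST (path, headers, body) out of the reassembled streams."""
    posts = []
    for (src, sport, dst, dport), data in streams.items():
        pos = 0
        while True:
            start = data.find(b"POST ", pos)
            if start < 0:
                break
            hdr_end = data.find(b"\r\n\r\n", start)
            if hdr_end < 0:
                break                                  # headers cut off: capture ended early
            lines = data[start:hdr_end].decode("latin-1").split("\r\n")
            headers = {k.strip().lower(): v.strip()
                       for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
            length = int(headers.get("content-length", "0"))
            body = data[hdr_end + 4:hdr_end + 4 + length]
            posts.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                          "path": lines[0].split(" ")[1], "headers": headers,
                          "body": body, "complete": len(body) == length})
            pos = hdr_end + 4 + length
    return posts

# Constructed sample capture: one XML POST split over two segments that arrive
# out of order (plus a retransmission), followed by the server's reply.
XML_BODY = b"<order><id>42</id></order>"
REQUEST = (b"POST /api/submit HTTP/1.1\r\nHost: www.blah.com\r\n"
           b"Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n" % len(XML_BODY) + XML_BODY)
CUT = 40
CLIENT, SERVER = ("192.168.1.10", 50624), ("192.168.1.20", 80)
SAMPLE_PCAP = build_pcap([
    build_frame(*CLIENT, *SERVER, 1000 + CUT, REQUEST[CUT:]),   # second half arrives first
    build_frame(*CLIENT, *SERVER, 1000, REQUEST[:CUT]),
    build_frame(*CLIENT, *SERVER, 1000 + CUT, REQUEST[CUT:]),   # retransmitted
    build_frame(*SERVER, *CLIENT, 5000, b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"),
])

def extract_posts(pcap_bytes=SAMPLE_PCAP):
    """Whole pipeline: pcap bytes -> reassembled TCP streams -> list of POSTs."""
    return http_posts(tcp_streams(pcap_bytes))

if __name__ == "__main__":
    for post in extract_posts():
        print(post["client"], "->", post["server"], post["path"], post["headers"])
        print(post["body"].decode("latin-1"), "(complete)" if post["complete"] else "(truncated)")
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of the file from tcpdump -w. The complete flag is the check worth keeping: if tcpdump was run with too small a snaplen, the tail of each packet is missing and the body comes out shorter than Content-Length, which is exactly what the -s 9000 in the command above avoids.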
