soap, tcpdump

tcpdump output chunk size


I'm using tcpdump to capture SOAP traffic on a specific port, and currently the output I have is:

11:10:27.159327 IP (tos 0x0, ttl 121, id 14977, offset 0, flags [DF], proto TCP (6), length 1406)
    10.230.129.233.61344 > <hostname>: Flags [.], cksum 0x69f1 (correct), seq 231:1597, ack 1, win 64, length 1366
E..~:.@.y...
...
..:...,..P.....P..@i...

first part of soap message goes here...               

11:10:27.313796 IP (tos 0x0, ttl 121, id 14982, offset 0, flags [DF], proto TCP (6), length 1406)
    10.230.129.233.61344 > <hostname>: Flags [.], cksum 0x86e9 (correct), seq 2963:4329, ack 1, win 64, length 1366
E..~:.@.y...
...
..:...,..[.....P..@....  

second part of soap message goes here...

As you see, the SOAP message gets divided into chunks while written to the tcpdump output file.

How can I make tcpdump write the SOAP message in a single chunk?

The command I am using is:

tcpdump -i any 'tcp port $port and $filters' -A -s0 > tcpdump.out

Solution

  • To my knowledge, tcpdump does not support TCP reassembly. For that, you'll need another program like Wireshark.
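
What TCP reassembly involves, as an added example that is not part of the original question or answer: payloads are ordered by sequence number, retransmitted and overlapping bytes are dropped, and missing ranges are reported. The function name `reassemble` and the sample segments are constructed for illustration; the sketch assumes one direction of a single flow and sequence numbers that do not wrap.

```python
# Added illustration: minimal TCP payload reassembly by sequence number.
# The (seq, payload) tuples below are constructed sample data, not a real capture.

def reassemble(segments, start_seq):
    """Rebuild one direction of a TCP byte stream.

    segments: iterable of (seq, payload) in arrival order; may contain
              out-of-order, retransmitted or overlapping segments.
    Returns (stream_bytes, gaps) where gaps lists (from_seq, to_seq)
    ranges that never appeared in the capture.
    Assumption: sequence numbers do not wrap within the flow.
    """
    stream = bytearray()
    gaps = []
    next_seq = start_seq
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= next_seq:
            continue  # pure retransmission: every byte already seen
        if seq > next_seq:
            gaps.append((next_seq, seq))  # bytes missing from the capture
            next_seq = seq
        # Skip any leading bytes that overlap data already in the stream.
        stream += payload[next_seq - seq:]
        next_seq = end
    return bytes(stream), gaps


# Constructed SOAP-like message, split the way a sender might segment it.
MESSAGE = (b"<soap:Envelope><soap:Body><getQuote>ACME</getQuote>"
           b"</soap:Body></soap:Envelope>")
PART1, PART2, PART3 = MESSAGE[:30], MESSAGE[30:60], MESSAGE[60:]

# Arrival order as a capture might record it: out of order, with one
# retransmission and one segment overlapping data already delivered.
CAPTURED = [
    (1, PART1),
    (61, PART3),           # arrives before PART2
    (1, PART1),            # retransmission
    (31, PART2),
    (21, MESSAGE[20:40]),  # overlaps PART1 and PART2
]

if __name__ == "__main__":
    data, missing = reassemble(CAPTURED, start_seq=1)
    print(data.decode(), missing)
```

A non-empty `gaps` list means the capture itself lost segments, in which case no tool can reconstruct the full message from that file.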