Reputation: 612
I have been trying to use tcpdump to capture the SAML request to the server. I am interested in the SAMLResponse so I can decode it and get the XML, but tcpdump seems to truncate the output so I miss a lot of data:
tcpdump -A -nnSs 0 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
This should capture all HTTP request/response/body, which it does, but the SAMLResponse is truncated:
SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfMDAyMDg3MmQtZTlmMi00ZGU5LTkxMGYtM2NiNDc1MjVkNTk2IiBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxOS0xMS0xM1QyMTo0ODo0Mi42ODlaIiBEZXN0aW5hdG
If I decode that I get:
samlp:Response ID="_0020872d-e9f2-4de9-910f-3cb47525d596" Version="2.0" IssueInstant="2019-11-13T21:48:42.689Z" Destinat
An incomplete output. If I add -w /tmp/out.pcap I am able to see the entire SAMLResponse in Wireshark, so what am I missing here?
I am on Linux and I would like to work with this from the command line. What I don't understand is that sometimes I get more characters than others. I am not sure if this is in another call separate from this one; if it is, how do I join them in tcpdump?
Thanks
Upvotes: 0
Views: 594
Reputation: 1692
An alternative is to use tcpflow:
tcpflow -c 'port 8080'
Extract from man tcpflow:
DESCRIPTION
tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. Rather than showing packet-by-packet information, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Or you can use tshark.
Upvotes: -1
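Once the POST has been reassembled into one stream (which is what the tcpflow -c line above gives you), what remains is pulling the SAMLResponse field out of the form body and decoding it. The following is an added example, not code from the question or the answer: the HTTP message, host and RelayState value are constructed, the cut-off base64 string is the one quoted in the question, and a failed XML parse is used to tell a truncated capture from a complete one.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote_plus

# The cut-off value from the question, exactly as tcpdump -A printed it (copied, not captured here).
TRUNCATED_CAPTURE = (
    "PHNhbWxwOlJlc3BvbnNlIElEPSJfMDAyMDg3MmQtZTlmMi00ZGU5LTkxMGYtM2NiNDc1MjVkNTk2IiBW"
    "ZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAxOS0xMS0xM1QyMTo0ODo0Mi42ODlaIiBEZXN0aW5hdG"
)
# A constructed, complete response for the happy path (not from any real capture).
FULL_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_0020872d-e9f2-4de9-910f-3cb47525d596" Version="2.0" '
    'IssueInstant="2019-11-13T21:48:42.689Z" Destination="https://sp.example/acs" />'
)
# What a reassembled flow looks like: headers, blank line, then the form body (constructed).
CONSTRUCTED_FLOW = (
    "POST /acs HTTP/1.1\r\nHost: sp.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "SAMLResponse=" + quote_plus(base64.b64encode(FULL_XML.encode()).decode()) + "&RelayState=x"
)

def extract_saml_response(message):
    """Return the SAMLResponse form field from a reassembled HTTP request, or None."""
    _, _, body = message.rpartition("\r\n\r\n")   # no header separator -> whole text is the body
    fields = parse_qs(body.strip(), keep_blank_values=True)   # also undoes %2B/%2F/%3D encoding
    return fields["SAMLResponse"][0] if "SAMLResponse" in fields else None

def decode_saml_response(value):
    """Base64-decode a POST-binding SAMLResponse, repairing padding lost to a cut-off capture."""
    value = "".join(value.split())             # drop whitespace introduced by line wrapping
    if len(value) % 4 == 1:                    # a lone trailing char encodes no complete byte
        value = value[:-1]
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value).decode("utf-8", errors="replace")

def is_complete_xml(text):
    """True if the decoded text is a whole XML document; False when the capture was cut off."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False

def decode_capture(text):
    """Accept a whole HTTP message or a bare SAMLResponse value; return (xml, is_complete)."""
    value = extract_saml_response(text) if "SAMLResponse=" in text else text
    xml = decode_saml_response(value)
    return xml, is_complete_xml(xml)

if __name__ == "__main__":
    for label, sample in (("tcpdump -A excerpt", TRUNCATED_CAPTURE), ("reassembled flow", CONSTRUCTED_FLOW)):
        xml, ok = decode_capture(sample)
        print(f"{label}: {'complete' if ok else 'TRUNCATED'} ({len(xml)} chars)\n{xml}\n")
```

Pipe the tcpflow -c output of the port 8080 flow into decode_capture and a False second value tells you the stream itself was cut short rather than just tcpdump's per-packet display.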