We are currently trying to capture SOAP request and response body content using Packetbeat 7.1.1 (as shown in screenshot - PacketbeatOutputConfig). Packetbeat is configured to output to file (as shown in screenshot upload - PacketbeatProtocolConfig).
The response body is gzipped, and we are looking to save the compressed response to file and decode it ourselves, as we expect a high number of responses. We have compared the output from Packetbeat (Screenshot1) with output from TCPDump (Screenshot2) and have circled the hex where the compression starts, and they don't match. This looks like it's the reason we can't decode the response.
Is there any way of getting the actual compressed response (as shown in the TCPDump screenshot) from the network packet so it can be decompressed from the Packetbeat output file?
We noticed similar issues on Stack Overflow that haven't been resolved:
Update on issue: We found that by leaving decode_body: false and changing the codec.format, we were able to get the compressed response.
codec.format:
  string: '%{[http][response][body][content]}'
This example will return the payload as a string, not in JSON, so bytes above 0x7f are not replaced by the Unicode replacement character. When the output is consumed (to a file called output), it can be decompressed using the following command:
zcat output
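
An added example (not part of the original post) showing why a gzip body that has been through a JSON text encoding no longer decompresses, with a check that can be run on a captured body. The SOAP body and all function names are constructed for illustration, and the byte replacement is simulated with Python's UTF-8 decoder as an assumption about the JSON path, not taken from Packetbeat's code.

```python
import gzip
import json
import zlib

GZIP_MAGIC = b"\x1f\x8b"                 # first two bytes of every gzip stream
REPLACEMENT = "\ufffd".encode("utf-8")   # U+FFFD on the wire: EF BF BD

# Constructed sample SOAP response body (not from the original capture).
SOAP_BODY = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b"<soap:Body><Result>OK</Result></soap:Body></soap:Envelope>")


def make_sample() -> bytes:
    """Gzip the sample body, as a server sending Content-Encoding: gzip would."""
    return gzip.compress(SOAP_BODY, mtime=0)


def via_json_output(raw: bytes) -> bytes:
    """Simulate a JSON round trip: bytes that are not valid UTF-8 become U+FFFD."""
    text = raw.decode("utf-8", errors="replace")
    doc = json.dumps({"http": {"response": {"body": {"content": text}}}})
    return json.loads(doc)["http"]["response"]["body"]["content"].encode("utf-8")


def inspect_body(captured: bytes) -> dict:
    """Report whether a captured body is still a usable gzip stream."""
    report = {
        "gzip_magic": captured.startswith(GZIP_MAGIC),
        "replacement_chars": captured.count(REPLACEMENT),
        "decompressed": None,
        "error": None,
    }
    try:
        report["decompressed"] = gzip.decompress(captured)
    except (OSError, EOFError, zlib.error) as exc:
        # BadGzipFile (an OSError) for a damaged header or CRC,
        # zlib.error for damaged deflate data, EOFError for truncation.
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    raw = make_sample()
    print("raw string output :", inspect_body(raw))
    print("after JSON output :", inspect_body(via_json_output(raw)))
```

The second magic byte, 0x8b, is never valid UTF-8 on its own, so a body that has been through text replacement fails the `gzip_magic` check before decompression is even attempted.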