The other day I needed to quickly get the entire response being sent by a web server so I could get an understanding of why it was causing the browser so much trouble when trying to render it.
All I had at that moment was the netmon trace on the client side. I knew the entire response must be in there somewhere but it was spread across about 22,000 packets!
I know there are some smarter tools out there for doing this but what I came up with was to use my old favourite - Logparser:
logparser -i:NETMON "SELECT Payload INTO Response.htm FROM trace.cap WHERE Ack = 123456789" -o:TPL -tpl all.tpl
where 123456789 was the AcknowledgementNumber of the response, which I got from the first packet of the response,
and all.tpl just contains this:
It's a bit quick and dirty and probably included the TCP payload header as well as the HTTP payload but it did the job.
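The same acknowledgement-number filter as an added Python example (not the author's code and not Logparser): it works on raw Ethernet/IPv4/TCP frames, keeps only the TCP payload bytes, orders segments by sequence number and trims retransmitted bytes. The frames are constructed sample data, all function names are hypothetical, and it assumes no sequence-number wraparound and no segments missing from the trace.

```python
import struct

def build_segment(seq, ack, payload):
    """Constructed test data: one Ethernet/IPv4/TCP frame, server to client."""
    tcp = struct.pack("!HHIIBBHHH", 80, 50000, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def tcp_fields(frame):
    """Return (seq, ack, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp_off = 14 + (frame[14] & 0x0F) * 4      # IP header length varies with options
    if len(frame) < tcp_off + 20:
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    seq, ack = struct.unpack("!II", frame[tcp_off + 4:tcp_off + 12])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    # Slice by the IP total length so all headers and Ethernet padding are excluded.
    return seq, ack, frame[tcp_off + data_off:14 + total_len]

def reassemble(frames, ack_number):
    """Join payloads of segments carrying ack_number, ordered by sequence number."""
    parsed = (tcp_fields(f) for f in frames)
    segs = sorted((p[0], p[2]) for p in parsed if p and p[1] == ack_number and p[2])
    out, next_seq = bytearray(), None
    for seq, data in segs:
        start = seq if next_seq is None else max(seq, next_seq)
        data = data[start - seq:]              # drop bytes already seen (retransmits)
        out += data
        next_seq = start + len(data)
    return bytes(out)

# Constructed sample: a 50-byte response split into segments that arrive out of
# order, with one exact and one overlapping retransmit plus an unrelated packet.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nhello world"

def sample_frames(ack=123456789):
    return [build_segment(1040, ack, RESPONSE[40:]),
            build_segment(1000, ack, RESPONSE[:20]),
            build_segment(1020, ack, RESPONSE[20:40]),
            build_segment(1000, ack, RESPONSE[:20]),
            build_segment(1010, ack, RESPONSE[10:30]),
            build_segment(5000, 999, b"other stream")]

if __name__ == "__main__":
    print(reassemble(sample_frames(), 123456789).decode())
```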