What is SAP Dissection plug-in for Wireshark?

SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. Communication between its components uses several different network protocols. While some of them are standard, well-known protocols, others are proprietary and no public documentation is available for them.

This plugin provides dissection of SAP's NI, Message Server, Router, Diag and Enqueue protocols. The dissectors are based on information gathered while researching the different protocols and services. Additional experimental support is included for SAP's RFC and SNC protocols. Detailed information about the research can be found at [2], [3], [4], [5] and [6].

[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=SAP_Dissection_plu-gin_for_Wireshark
[3] http://www.coresecurity.com/content/sap-netweaver-dispatcher-multiple-vulnerabilities
[4] http://www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities
[5] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Uncovering_SAP_vulnerabilities
[6] http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=saps_network_protocols_revisited

Features description

This plugin includes several different dissectors:

- SAP NI Protocol dissector

This is the dissector for SAP's Network Interface (NI) protocol. The dissector handles the reassembly of NI messages fragmented across TCP packets and identifies keep-alive messages (PING/PONG). It also calls the respective subdissector according to the port being used.

- SAP Router Protocol dissector

This dissector includes support for the SAP Router protocol, handling route, control messages and error information packets. The dissector also calls the SNC subdissector when SNC frames are found.

- SAP Diag Protocol dissector

The main dissector of the plugin. It dissects the main headers used by the Diag protocol: the DP, Diag and Compression headers. The dissector also handles decompression of the payload data and includes dissection of relevant Diag payload items, including Support Bits and common APPL/APPL4 items. Wireshark's expert information capabilities are used to flag malformed or invalid packets. The dissector also calls the RFC subdissector when an embedded RFC call is found and the SNC subdissector when SNC frames are found.

- SAP Message Server Protocol dissector

This module dissects the packets used by SAP's Message Server Protocol.

- SAP Enqueue Protocol dissector

This module dissects packets used by SAP's Standalone Enqueue and Replication Servers.

- SAP RFC (Remote Function Call) Protocol dissector (experimental)

This dissector performs some basic dissection of the main components of the RFC protocol. It dissects general items and does some basic reassembly and decompression of table contents.

- SAP SNC (Secure Network Connection) Protocol dissector (experimental)

This dissector performs some basic parsing of SNC frames.
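As an added example (not code from the plugin or this page), the following Python sketches the job of the NI dissector described above: reassembling length-prefixed NI messages from arbitrary TCP segment boundaries and flagging the PING/PONG keep-alives before anything is handed to a subdissector. It assumes NI's 4-byte big-endian length prefix and the NUL-terminated NI_PING/NI_PONG keep-alive payloads, which the page does not spell out; the sample stream and the NI_MAX_LEN bound are constructed.

```python
import struct
# NI framing assumed here (not stated on the page): 4-byte big-endian length,
# then payload; keep-alives assumed to be NUL-terminated "NI_PING"/"NI_PONG".
NI_HDR_LEN = 4
NI_PING = b"NI_PING\x00"
NI_PONG = b"NI_PONG\x00"
NI_MAX_LEN = 64 * 1024 * 1024  # constructed sanity bound on the length field

def classify_ni_payload(payload):
    """Label one complete NI payload as a keep-alive or as data for a subdissector."""
    if payload == NI_PING:
        return ("keepalive", "PING")
    if payload == NI_PONG:
        return ("keepalive", "PONG")
    return ("data", len(payload))

class NIReassembler:
    # Rebuilds NI messages from a TCP byte stream fed one segment at a time.
    def __init__(self):
        self.buf = bytearray()  # bytes carried over between segments

    def feed(self, segment):
        """Append a TCP segment; return the NI messages it completes."""
        self.buf += segment
        messages = []
        while len(self.buf) >= NI_HDR_LEN:
            (length,) = struct.unpack(">I", self.buf[:NI_HDR_LEN])
            if length > NI_MAX_LEN:  # desynchronised stream, not a real message
                raise ValueError("implausible NI length %d" % length)
            end = NI_HDR_LEN + length
            if len(self.buf) < end:
                break  # header seen, rest of the payload still in flight
            payload = bytes(self.buf[NI_HDR_LEN:end])
            del self.buf[:end]
            messages.append(classify_ni_payload(payload))
        return messages

def ni_frame(payload):
    """Prefix a payload with its NI length header (used to build the sample)."""
    return struct.pack(">I", len(payload)) + payload

def dissect_segments(segments):
    """Run one reassembler over the segments; one result list per segment."""
    reassembler = NIReassembler()
    return [reassembler.feed(seg) for seg in segments]

# Constructed sample: PING, 12-byte data, PONG; segment cuts fall mid-header and mid-payload.
SAMPLE_STREAM = ni_frame(NI_PING) + ni_frame(bytes(12)) + ni_frame(NI_PONG)
SEGMENTS = [SAMPLE_STREAM[:6], SAMPLE_STREAM[6:19], SAMPLE_STREAM[19:]]
```

Running dissect_segments(SEGMENTS) yields nothing for the first segment, the PING for the second, and the data message plus the PONG for the third, which is exactly the carry-over behaviour a stream dissector needs.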

Use cases

Source Code

SAP Wireshark dissector v0.1.4 MD5:4175603eada655eb9c15daf797e33316 - (latest version)
SAP Wireshark dissector v0.1.3 MD5:ce2df9c434edec2e5b17027593a1d50c
SAP Wireshark dissector v0.1.2 MD5:1daa65a14aeb0444fdbb754f5cb9d009
SAP Wireshark dissector v0.1.1 MD5:af6aae47d6dd90f065237bb775dd4411

This plugin consists of the following main files:

- packet-sapdiag.c: Diag protocol dissector
- packet-sapenqueue.c: Enqueue Server protocol dissector
- packet-sapms.c: Message Server protocol dissector
- packet-sapprotocol.c: NI protocol dissector
- packet-saprfc.c: RFC protocol dissector
- packet-saprouter.c: Router protocol dissector
- packet-sapsnc.c: SNC Frames dissector
- sapdecompress.h, sapdecompress.cpp: compression functions wrappers
- saphelpers.h: header file for shared functions in Diag and RFC dissectors.
- hpa101saptype.h, hpa104CsObject.h, hpa105CsObjInt.h, hpa106cslzc.h, hpa107cslzh.h, vpa105CsObjInt.cpp, vpa106cslzc.cpp, vpa107cslzh.cpp, vpa108csulzh.cpp: LZH/LZC compression functions
- wireshark.patch: git patch for configuring the plugin build

Requirements

The only requirement to build this plugin is a Wireshark (http://www.wireshark.org/) development environment. It's worth mentioning that the compression libraries for the SAP Diag/RFC protocols are originally written in C++, so the entire plugin needs to be compiled as C++.

Licensing

This Wireshark plugin is distributed under the GPLv2 license. Check the COPYING file for more details.

Credits

This plugin was designed and developed by Martin Gallo from the Security Consulting Services team.

Contact Us

Whether you want to report a bug or give some suggestions on this package, drop us a few lines at oss@coresecurity.com.

Description

Title: SAP Dissection plugin for Wireshark
Authors: Martín Gallo
Release date: 2012-07-29
License type: GPLv2

Attachments

sap-wireshark-plugin-0.1.1.tar.gz - SAP Wireshark dissector v0.1.1 - MD5: af6aae47d6dd90f065237bb775dd4411
sap-wireshark-plugin-0.1.2.tar.gz - SAP Wireshark dissector v0.1.2 - MD5: 1daa65a14aeb0444fdbb754f5cb9d009
sap-wireshark-plugin-0.1.3.tar.gz - SAP Wireshark dissector v0.1.3 - MD5: ce2df9c434edec2e5b17027593a1d50c
sap-wireshark-plugin-0.1.4.tar.gz - SAP Wireshark dissector v0.1.4 - MD5: 4175603eada655eb9c15daf797e33316