What is SAP Dissection plug-in for Wireshark?
SAP NetWeaver is a technology platform for building and integrating SAP business applications. Communication between its components uses different network protocols. While some of them are standard, well-known protocols, others are proprietary and no public information about them is available.
This plugin provides dissection of SAP's NI and Diag protocols. The dissectors are based on information acquired while researching the SAP Diag protocol. Additional experimental support is included for SAP's Router and Remote Function Call (RFC) protocols.
SAP NI Protocol dissector
This is the dissector for SAP's Network Interface (NI) protocol. It handles the reassembly of fragmented TCP packets and identifies keep-alive messages (PING/PONG). It also calls the respective subdissector according to the port being used.
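The following added example is not taken from the plugin's source. It shows the two jobs described above, reassembly across TCP segments and keep-alive identification, assuming NI frames carry a 4-byte big-endian length prefix and that keep-alive payloads are the NUL-terminated strings NI_PING and NI_PONG (details this page does not state); NI_MAX_FRAME, the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NI_MAX_FRAME 508u /* assumed sanity cap: the length field is untrusted input */
enum ni_kind { NI_NEED_MORE, NI_BAD_LEN, NI_PING, NI_PONG, NI_DATA };
struct ni_stats { int ping, pong, data, bad; size_t pending; };

/* Classify the first NI frame in buf[0..len); on a complete frame *used is its size. */
static enum ni_kind ni_next_frame(const uint8_t *buf, size_t len, size_t *used)
{
    if (len < 4) return NI_NEED_MORE;             /* length prefix still incomplete */
    uint32_t n = (uint32_t)buf[0] << 24 | (uint32_t)buf[1] << 16 |
                 (uint32_t)buf[2] << 8 | buf[3];  /* big-endian payload length */
    if (n > NI_MAX_FRAME) return NI_BAD_LEN;      /* refuse to buffer absurd sizes */
    if (n > len - 4) return NI_NEED_MORE;         /* payload continues in a later segment */
    *used = 4 + (size_t)n;
    /* Keep-alive payloads are 8 bytes: the 7-character name plus its NUL terminator. */
    if (n == 8 && memcmp(buf + 4, "NI_PING", 8) == 0) return NI_PING;
    if (n == 8 && memcmp(buf + 4, "NI_PONG", 8) == 0) return NI_PONG;
    return NI_DATA;
}

/* Deliver stream in seg-byte TCP segments, reassembling and counting complete frames. */
static struct ni_stats ni_walk(const uint8_t *stream, size_t len, size_t seg)
{
    uint8_t acc[NI_MAX_FRAME + 4]; size_t have = 0, used = 0;
    struct ni_stats st = {0, 0, 0, 0, 0};
    for (size_t off = 0; seg && off < len && !st.bad; off += seg) {
        size_t n = len - off < seg ? len - off : seg;
        if (n > sizeof acc - have) { st.bad = 1; break; }  /* segment larger than buffer */
        memcpy(acc + have, stream + off, n); have += n;
        for (;;) {
            enum ni_kind k = ni_next_frame(acc, have, &used);
            if (k == NI_NEED_MORE || k == NI_BAD_LEN) { st.bad = (k == NI_BAD_LEN); break; }
            if (k == NI_PING) st.ping++; else if (k == NI_PONG) st.pong++; else st.data++;
            have -= used; memmove(acc, acc + used, have);  /* drop the consumed frame */
        }
    }
    st.pending = have; return st;                 /* pending = bytes of an unfinished frame */
}

/* Constructed capture: PING, a 3-byte data frame, and the first 6 bytes of a PONG. */
static const uint8_t NI_SAMPLE[] = {0, 0, 0, 8, 'N', 'I', '_', 'P', 'I', 'N', 'G', 0,
                                    0, 0, 0, 3, 0xAA, 0xBB, 0xCC, 0, 0, 0, 8, 'N', 'I'};
int main(void)
{
    struct ni_stats st = ni_walk(NI_SAMPLE, sizeof NI_SAMPLE, 5);
    printf("ping=%d pong=%d data=%d pending=%zu\n", st.ping, st.pong, st.data, st.pending);
    return 0;
}
```

The counts are the same whatever segment size is used, which is the property reassembly has to guarantee; the truncated PONG stays pending rather than being misread as data.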
SAP Router Protocol dissector (experimental)
This dissector includes basic support for the SAP Router protocol, handling route and some error information packets.
SAP Diag Protocol dissector
The main dissector of the plugin. It dissects the main headers used by the Diag protocol: DP, Diag and Compression headers. The dissector also handles decompression of the payload data and includes dissection of relevant Diag payload items, including Support Bits and common APPL/APPL4 items. Wireshark's expert information capabilities are used to flag malformed or wrong packets. The dissector also calls the RFC subdissector when an embedded RFC call is found.
SAP RFC Protocol dissector (experimental)
This dissector performs some basic dissection of the main components of the RFC protocol. It dissects general items and does some basic reassembly and decompression of table contents.
- Sniffing sensitive information over unencrypted communications using SAP's network protocols.
- Security research and penetration testing.
- Troubleshooting and error identification.
SAP Wireshark dissector v0.1.3 MD5:ce2df9c434edec2e5b17027593a1d50c - (latest version)
SAP Wireshark dissector v0.1.2 MD5:1daa65a14aeb0444fdbb754f5cb9d009
SAP Wireshark dissector v0.1.1 MD5:af6aae47d6dd90f065237bb775dd4411
This plugin consists of the following main files:
- packet-sapprotocol.c: NI protocol dissector
- packet-saprouter.c: Router protocol dissector
- packet-sapdiag.c: Diag protocol dissector
- packet-saprfc.c: RFC protocol dissector
- saphelpers.h: header file for shared functions in Diag and RFC dissectors.
- sapdecompress.h, sapdecompress.cpp: compression functions wrappers
- hpa101saptype.h, hpa104CsObject.h, hpa105CsObjInt.h, hpa106cslzc.h, hpa107cslzh.h, vpa105CsObjInt.cpp, vpa106cslzc.cpp, vpa107cslzh.cpp, vpa108csulzh.cpp: LZH/LZC compression functions
The only requirement to build this plugin is a Wireshark (http://www.wireshark.org/) development environment. Note that the compression libraries for the SAP Diag/RFC protocols were originally written in C++, so the entire plugin needs to be compiled as C++.
This Wireshark plugin is distributed under the GPLv2 license. Check the COPYING file for more details.
This plugin was designed and developed by Martin Gallo from the Security Consulting Services team.
Whether you want to report a bug or give some suggestions on this package, drop us a few lines at firstname.lastname@example.org.