SAP Dissection plug-in for Wireshark
SAP Netweaver  is a technology platform for building and integrating SAP business applications. Communication between components uses different network protocols. While some of them are standard and well-known protocols, other are proprietaries and public information is not available.
This plugin provides dissection on SAP's NI, Message Server, Router, Diag and Enqueue protocols. The dissectors are based on information acquired at researching the different protocols and services. Additional experimental support is included for SAP's RFC and SNC protocols. Detailed information about the research can be found at , , ,  and .
This plugin counts on several different dissectors:
- SAP NI Protocol dissector
This is the dissector for SAP's Network Interface (NI) protocol. The dissector handles the reassemble of fragmented TCP packets and identifies keep-alive messages (PING/PONG). It also calls the respective subdissector according to the port being used.
- SAP Router Protocol dissector
This dissector includes support for the SAP Router protocol, handling route, control messages and error information packets. The dissector also calls the SNC subdissector when SNC frames are found.
- SAP Diag Protocol dissector
The main dissector of the plugin. It dissects the main headers used by the Diag protocol: DP, Diag and Compression headers. The dissector also handles decompression of the payload data and includes dissection of relevant Diag payload items, including Support Bits and common APPL/APPL4 items. Wireshark's expert information capabilities are used to remark malformed or wrong packets. The dissector also calls the RFC subdissector when an embedded RFC call is found and the SNC subdissector when SNC frames are found.
- SAP Message Server Protocol dissector
This module dissects the packets used by SAP's Message Server Protocol.
- SAP Enqueue Protocol dissector
This module dissects packets used by SAP's Standalone Enqueue and Replication Servers.
- SAP RFC (Remote Function Call) Protocol dissector (experimental)
This dissector perform some basic dissection on the main components of the RFC protocol. It dissects general items and does some basic reassembling and decompression of table contents.
- SAP SNC (Secure Network Connection) Protocol dissector (experimental)
This dissector perform some basic parsing of SNC frames.
- Sniffing sensitive information over unencrypted communications using SAP's network protocols.
- Security research and penetration testing.
- Troubleshooting and error identification.
- You can download latest stable and development version at https://github.com/CoreSecurity/SAP-Dissection-plug-in-for-Wireshark
- SAP Wireshark dissector v0.1.4 MD5:4175603eada655eb9c15daf797e33316 - (latest version)
- SAP Wireshark dissector v0.1.3 MD5:ce2df9c434edec2e5b17027593a1d50c
- SAP Wireshark dissector v0.1.2 MD5:1daa65a14aeb0444fdbb754f5cb9d009
- SAP Wireshark dissector v0.1.1 MD5:af6aae47d6dd90f065237bb775dd4411
This plugin counts with the following main files:
- packet-sapdiag.c: Diag protocol dissector
- packet-sapenqueue.c: Enqueue Server protocol dissector
- packet-sapms.c: Message Server protocol dissector
- packet-sapprotocol.c: NI protocol dissector
- packet-saprfc.c: RFC protocol dissector
- packet-saprouter.c: Router protocol dissector
- packet-sapsnc.c: SNC Frames dissector
- sapdecompress.h, sapdecompress.cpp: compression functions wrappers
- saphelpers.h: header file for shared functions in Diag and RFC dissectors.
- hpa101saptype.h, hpa104CsObject.h, hpa105CsObjInt.h, hpa106cslzc.h, hpa107cslzh.h, vpa105CsObjInt.cpp, vpa106cslzc.cpp, vpa107cslzh.cpp, vpa108csulzh.cpp: LZH/LZC compression functions
- wireshark.patch: git patch for configuring the plugin build
The only requirement to build this plugin is a Wireshark (http://www.wireshark.org/) development environment. It's worth mentioning that compression libraries for SAP Diag/RFC protocol are originally written in C++, thus the entire plugin needs to be compiled for C++.
This wireshark plugin is distributed under the GPLv2 license. Check the COPYING file for more details.
This plugin was designed and developed by Martin Gallo from the Security Consulting Services team.
Whether you want to report a bug or give some suggestions on this package, drop us a few lines at firstname.lastname@example.org.
SAP Dissection plugin for Wireshark