Capturing Profisafe packets using Lua Wireshark dissector - lua

I am writing a Lua script to capture profisafe packets on wireshark.It is above the profinet layer in the stack.The wireshark dissect the profinet packets but does not dissect the profisafe.
For other protocols built on tcp or udp protocol one can do something like
local tcp_port = Dissector.get("tcp.port")
tcp_port:add(1234,foo_protocol)
to capture the packets that arises and received by the port 1234.
But profisafe is built on profinet and does not contain tcp or udp as the underlying layer.How to capture the packets in this case? I tried giving ethernet frame address in the place of port name but it did not work.

Use the menu Edit, Preferences, Protocols and search for PNIO:
PNIO options
Then select the checkbox "Enable detailed PROFIsafe dissection" and define a directory, where the GSDML file of the PROFIsafe device is located.

Related

Wireshark display filter for Protocol != 802.11

I've set Wireshark's capture filter set to capture only packets from the MAC address of interest, but the result is dominated by zillions of packets whose Protocol is "802.11". I want to view all of the packets that are NOT 802.11, e.g. ARP, DCHP, DNS, TCP, etc.
For example, in the following, I'd like to hide all of the 802.11 packets and show the DHCP packets (and any others that are NOT 802.11):
I tried "wlan.fc.type != 0", but clearly that's not correct. What's the magic keyword for such a filter?
update
#ChristopherMaynard's comment is close, and I now understand that a simple filter of:
ip
is almost what I want, but it fails to display packets of type ARP, EAPOL, LLC, MDP and perhaps others.
[Converted comment to answer and added an alternate solution while I'm at it.]
If you just want data frames but those without un-dissected data (which would still show 802.11 in the Protocol column), then you could try wlan.fc.type == 2 and !data. Or you could try !(frame.protocols == "radiotap:wlan_radio:wlan:data" or frame.protocols == "radiotap:wlan_radio:wlan").
Another alternative is to download the filtcols.lua script written by Chuck Craft, save it to your plugins directory (Wireshark: Help -> About Wireshark -> Folders -> Personal Lua Plugins), the [re]start Wireshark. Now you can apply a display filter such as wlan and !(filtcols.protocol == "802.11").

Detection of Ethernet Protocol

I know Ethernet has a EthernetType bit and that is 2 byte which ethernet protocol can we find. But I am looking for this question: I have two devices and they communicate between X ethernet protocol. I said to that talk with Profinet ethernet protocol. But how can i proof that type by officially unlike the first thing I said.Is there a software that does this ?
The EtherType field identifies the payload protocol, not the Ethernet protocol (as there's only a single Ethernet data link layer). The EtherType enables the system's interface handler to pass those frames to the according network stack.
E.g. IPv4 uses an EtherType of 0x0800, PROFINET uses 0x8892. So, frames with those EtherType values are passed to the appropriate, registered handler. When a frame with an unknown (unregistered) EtherType is received the frame is simply ignored.

How to get Protocol column value in Wireshark dissector?

I have wrote a plugin to analyze (translate to different Protocol name) packet in Wireshark with LUA APIs. All I needed to do to only analyze packets that shows UDP or TCP in Wireshark. I am using that following code to get protocol value:
pinfo.cols.protocol
to only analyze the packets that will show as TCP or UDP in Protocol column.
Sometime it retrains the value that is in Protocol column (e.g. TCP, SSH, or ...) but most of the time it returns "(protocol)".
How can I fix it? Is there any way possible that I can figure it out?
Thanks

Can we have two simultaneous udp streams between 2 specific pairs of IPs and Ports?

I'm trying to inspect and analyze my network traffic. Suddenly I found something confusing. I was thought that packets are splited to streams based on their (SRC_IP, DES_IP, SRC_PORT, SRC_PORT , PROTOCOL_NUM). But now I found two groups of packets with equal above features but interpreted as two different streams in Wireshark:
As you see below, the RTP packets with even packet numbers are a single stream and the RTP packets with odd packet number are another stream, while both has equal (SRC_IP, DES_IP, SRC_PORT, SRC_PORT , PROTOCOL_NUM). Why?
To compare the statistics:
They are interpreted as two different streams:
You are just looking at the UDP traffic from either direction. UDP stream 2 is from 192.168.1.162 to 192.168.1.159 and UDP stream 3 is from 192.168.1.159 to 192.168.1.162.
While there are two UDP streams, there is only one RTP session. This is because the RFC protocol states that you cannot multiplex on the same port. From RTP RFC Section 5.2.
In RTP, multiplexing is provided by the destination transport address
(network address and port number) which is different for each RTP session.
So, yes there are two simultaneous UDP streams, but it is just both hosts talking to each other during a RTP session.

Finding the direction of packets while sniffing

I want to have a list of source IP addresses of an interface outbound traffic. How could I find the direction of a packet whether it's inbound or outbound reading traffic using libpcap? I don't know the subnet information of either side. And there are clients/servers on both sides, so I can't rely on port number ranges to filter traffic.
Why there is no information in libpcap packet header about direction, or filter option like inbound in pcap-filter?
Netsniff-NG, while not relying on libpcap, supports Linux kernel packet type extensions.
They're documented
here
One of the packet types is outgoing and commented as "outgoing of any type".
The following example will capture all packets leaving your interface.
$ netsniff-ng --in eth0 --out outgoing.pcap --type outgoing
Using this you can utilize other command-line tools to read the PCAP file and pull out all the source
addresses. Maybe something *nix-ey like this:
$ tcpdump -nnr outgoing.pcap | cut -d " " -f3 | cut -d . -f1-4
Note: I haven't tried this on a router.
you could use "ether src" or "ether dst" to filter packet direction. This require you to know the mac address of the interface.
You can select a direction that packets will be capture calling pcap_setdirection() before pcap_loop().
For example, to capture incoming packets only you need to write:
handle = pcap_open_live("eth0", 65535, 1, 0, errbuf);
pcap_setdirection(handle, PCAP_D_IN);
pcap_loop(handle, -1, process_packet, NULL);
Possible directions are: PCAP_D_IN, PCAP_D_OUT, PCAP_D_INOUT.
See tcpdump.org/manpages/pcap_setdirection.3pcap.txt
The PCAP file format does not contain a field that holds the interface used during the capture. With that said, the newer PCAP-NG file format, currently used by Wireshark & Tshark, supports it along with packet direction.
Existing pcap-ng features:
packet dropped count
annotations (comments)
local IP address
interface & direction
hostname <-> IP address database
PcapNg
It sounds like you're capturing from a router or firewall so something like the following
would not work.
ip src 192.168.1.1
Capturing the traffic into flows may be an option but it still will not provide you with direction information. Though, you will be able to determine the source and destinations address easily. If you have an existing pcap you can convert it to the ARGUS format:
argus -r capture.pcap -w capture.argus
ra -nnr capture.argus
Other tools, some w/ examples, that can easily obtain end-points/hosts are:
ntop -f capture.pcap
tcpprof -nr capture.pcap
Wireshark Endpoints
flow-tools
You'll have to parse out the information you want, but I don't think that's too much trouble. I recommend taking a look at PCAP-NG if you can't work with this.

Resources