{"id":13774601,"url":"https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark","last_synced_at":"2025-05-11T06:33:22.283Z","repository":{"id":15411365,"uuid":"18143452","full_name":"SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark","owner":"SecureAuthCorp","description":"This Wireshark plugin provides dissection of SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols.","archived":false,"fork":false,"pushed_at":"2022-11-11T03:26:50.000Z","size":1608,"stargazers_count":106,"open_issues_count":0,"forks_count":38,"subscribers_count":24,"default_branch":"master","last_synced_at":"2024-11-17T09:39:32.026Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://www.secureauth.com/labs/open-source-tools/sap-dissection-plug-in-for-wireshark/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/SecureAuthCorp.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.md","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null}},"created_at":"2014-03-26T15:38:58.000Z","updated_at":"2024-08-12T19:23:35.000Z","dependencies_parsed_at":"2023-01-11T20:23:17.746Z","dependency_job_id":null,"html_url":"https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/SecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/SecureAuthCorp","download_url":"https://codeload.github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253528415,"owners_count":21922623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-03T17:01:28.491Z","updated_at":"2025-05-11T06:33:21.602Z","avatar_url":"https://github.com/SecureAuthCorp.png","language":"C","funding_links":[],"categories":["\u003ca id=\"6fa0e0d1f898fba299b2566a33602841\"\u003e\u003c/a\u003eWireshark"],"sub_categories":[],"readme":"SAP Dissector Plugin for Wireshark\n==================================\n\n:warning: This project is currently archived\n\n:information_source: The code was contributed by SecureAuth to the [main Wireshark project](https://www.wireshark.org/). Further\ndevelopment of the SAP protocols dissectors can be followed in [Wireshark' Gitlab repository](https://gitlab.com/wireshark/wireshark/).\n\n---\n\n[![Build and test Ubuntu plug-in](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/workflows/Build%20and%20test%20Ubuntu%20plug-in/badge.svg)](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/actions?query=workflow%3A%22Build+and+test+Ubuntu+plug-in%22)\n[![Build and test MacOS plug-in](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/workflows/Build%20and%20test%20MacOS%20plug-in/badge.svg)](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/actions?query=workflow%3A%22Build+and+test+MacOS+plug-in%22)\n[![Build and test Windows plug-in](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/workflows/Build%20and%20test%20Windows%20plug-in/badge.svg)](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/actions?query=workflow%3A%22Build+and+test+Windows+plug-in%22)\n\nSECUREAUTH LABS. Copyright (C) 2022 SecureAuth Corporation. All rights reserved.\n\nVersion 0.10.1.dev0 (XXX 2022)\n\n\nOverview\n--------\n\n[SAP Netweaver](https://www.sap.com/platform/netweaver/index.epx) and\n[SAP HANA](https://www.sap.com/products/hana.html) are technology platforms for\nbuilding and integrating SAP business applications. Communication between components\nuses different network protocols. While some of them are standard and well-known\nprotocols, others are proprietaries and public information is not available.\n\nThis [Wireshark](https://www.wireshark.org/) plugin provides dissection\nof SAP's NI, Message Server, Router, Diag, Enqueue, IGS, SNC and HDB protocols.\nThe dissectors are based on information acquired at researching the different\nprotocols and services. Additional experimental support is included for SAP's\nRFC protocol. Detailed information about the research can be found in\n[pysap's documentation](https://pysap.readthedocs.io/en/latest/user/index.html#references).\n\n\nFeatures\n--------\n\nThis plugin counts on several dissectors:\n\n- SAP NI Protocol dissector\n\n    This is the dissector for SAP's Network Interface (NI) protocol. The\n    dissector handles reassembling of fragmented TCP packets and identifies\n    keep-alive messages (`PING`/`PONG`). It also calls the respective\n    sub-dissector according to the port being used.\n\n- SAP Router Protocol dissector\n\n    This dissector includes support for the SAP Router protocol, handling route,\n    control messages and error information packets. The dissector also calls\n    the SNC sub-dissector when SNC frames are found.\n\n- SAP Diag Protocol dissector\n\n    The main dissector of the plugin. It dissects the main headers used by the\n    Diag protocol: DP, Diag and Compression headers. The dissector also handles\n    decompression of the payload data and includes dissection of relevant Diag\n    payload items, including Support Bits and common `APPL`/`APPL4` items.\n    Wireshark's expert information capabilities are used to remark malformed or\n    wrong packets. The dissector also calls the RFC sub-dissector when an\n    embedded RFC call is found, and the SNC sub-dissector when SNC frames are\n    found.\n\n- SAP Message Server Protocol dissector\n\n    This module dissects the packets used by SAP's Message Server Protocol in\n    its binary non-HTTP format, for both internal and external ports.\n\n- SAP Enqueue Protocol dissector\n\n    This module dissects packets used by SAP's Standalone Enqueue and\n    Replication Servers.\n\n- SAP SNC (Secure Network Connection) Protocol dissector\n\n\tThis dissector parses SNC frames and their fields. When the frames contain\n\twrapped data that wasn't encrypted, it allows calling dissectors to get\n\taccess to the unwrapped data for further dissecting it, as the case of Diag\n\tdissector when SNC is used in authentication only or integrity protection\n\tquality of protection levels.\n\n- SAP IGS (Internet Graphic Server) Protocol dissector\n\n\tThis dissector parses packets used by SAP's IGS services.\n\n- SAP HDB (HANA SQL Command Network) Protocol dissector\n\n    This dissector parses HANA SQL Command Network Protocol packets. It supports\n    HDB over TLS with the form of a \"Decode as\" dissector. The main Part Kind\n    formats used during the authentication and initialization of the connections\n    are supported, but others are still missing. Decompression of compressed\n    packets is not yet supported.\n\n- SAP RFC (Remote Function Call) Protocol dissector (experimental)\n\n\tThis dissector performs some basic dissection on the main components of the\n\tRFC protocol. It dissects general items and does some basic reassembling\n\tand decompression of table contents.\n\n\nInstallation \u0026 Build\n--------------------\n\nThis Wireshark plugin is not distributed as part of the Wireshark source. It\ncan be built as a standalone plugin, or as part of Wireshark, and is compatible\nwith version 3.6.\n\nA comprehensive guide of how to compile and install the dissector in Ubuntu and\nmacOS has been published as a [blog post in SAP's community](https://blogs.sap.com/2022/06/12/wireshark-with-sap-dissectors-for-ubuntu-and-macos/).\nA more  brief guide is provided below.\n\n\n### Installing on Linux ###\n\n#### As a standalone plugin ####\n\nTo build and install the plugin on Debian/Ubuntu linux distributions:\n\n    sudo add-apt-repository ppa:wireshark-dev/stable -y\n    sudo apt-get update\n    sudo apt-get install wireshark wireshark-dev\n    git clone https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/\n    cd SAP-Dissection-plug-in-for-Wireshark/\n    mkdir build\n    cd build\n    cmake ..\n    make\n    make install\n\n#### As part of Wireshark ####\n\nThe following steps are required to build and install the plugin as part of Wireshark:\n\n1) Download and decompress the [Wireshark version 3.6 source](https://www.wireshark.org/download.html)\n   or checkout the code from the [source repository](https://gitlab.com/wireshark/wireshark).\n\n    ```\n    git clone https://gitlab.com/wireshark/wireshark\n    cd wireshark\n    git checkout release-3.6\n    ```\n\n2) Copy the SAP Wireshark Plugin to a new `plugins/epan/sap` directory.\n\n    ```\n    git clone https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/ plugins/epan/sap\n    ```\n\n3) Configure the plugin to be included in the build process. This step can be\n   performed using the patch file provided. At the root directory run:\n\n    ```\n    git apply plugins/epan/sap/wireshark-release-3.6.patch\n    ```\n\n4) Perform a new build including the plugin. At the root directory run:\n\n    ```\n    mkdir -p build\n    cd build\n    cmake ..\n    make\n    sudo make install\n    ```\n\n\n#### Using Vagrant ####\n\n[Vagrant](https://www.vagrantup.com/) is a Virtual Machine management software\nthat allows creating reproducible virtual machines. In order to make it easier\nto compile and test the plugin, a pre-configured Vagrantfile is provided for\nusing it with Vagrant 1.8. The Vagrantfile provided with the plugin is configured\nto use [VirtualBox](https://www.virtualbox.org/) and perform a build of the\nplugin inside a Ubuntu 18.04 distribution.\n\nTwo machines are provided to build the plugin:\n\n* `source`: for building the plugin as part of Wireshark.\n* `standalone`: for building the plugin as a standalone plugin.\n\nThe following steps can be used to setup a Vagrant machine and build the plugin:\n\n1) Install VirtualBox and Vagrant 1.8 or greater.\n\n    ```\n    sudo apt-get install virtualbox vagrant\n    ```\n\n2) Inside the plugin's directory, launch the desired Vagrant machine, in this\ncase `standalone`:\n\n    ```\n    vagrant up standalone\n    ```\n\n3) Login into the Vagrant machine and run Wireshark:\n\n    ```\n    vagrant ssh standalone\n    wireshark\n    ```\n\n\n### Installing on Windows ###\n\nWindows build can be only performed as part of the whole Wireshark. The\nfollowing steps are required to compile the plugin on Windows:\n\n1) Follow the [step-to-step guide](https://www.wireshark.org/docs/wsdg_html_chunked/ChSetupWin32.html)\nfor building Wireshark on Windows.\n\n2) Copy the SAP Wireshark Plugin to a new `plugins/epan/sap` directory.\n\n3) Configure the plugin to be included in the build process. This step can be\n   performed using the patch file provided. At the root directory run:\n\n    ```\n    git apply plugins/epan/sap/wireshark-release-3.6.patch\n    ```\n\n4) Perform a new build including the plugin.\n\n\n### Installing on OSX ###\n\nThe build process for OSX is similar to the one for Linux systems. It was\nreported that compiling Wireshark on OSX requires fixing link for the `gettext`\nlibrary if it was installed using `homebrew`.\n\n\n### Penetration testing distribution and frameworks ###\n\nThe plugin is available for installation on several penetration testing\ndistributions and frameworks.\n\n#### Installing on Pentoo ####\n\nInstallation on the [Pentoo](http://www.pentoo.ch/) livecd distribution:\n\n    emerge net-misc/wireshark-sap-plugin\n\n#### Installing with The PenTesters Framework (PTF) ####\n\nInstallation on Debian, Ubuntu and ArchLinux can be performed using\n[The PenTesters Framework (PTF)](https://github.com/trustedsec/ptf). From inside\nthe `ptf` command-line, run:\n\n    use modules/intelligence-gathering/sap-wireshark-plugin\n    install\n\n\n### Using Docker ###\n\n[jbelamor](https://github.com/jbelamor/) built a docker container for compiling and setting up the plugin. Check it out at\n[docker_wireshark_sap_plugin](https://github.com/jbelamor/docker_wireshark_sap_plugin).\n\n\n### Additional notes ###\n\nIt's worth mentioning that compression libraries for SAP Diag/RFC protocol are\noriginally written in C++, thus the entire plugin needs to be compiled for C++.\nSee [Wireshark's portability notes](https://gitlab.com/wireshark/wireshark/-/blob/release-3.6/doc/README.developer)\nfor more information.\n\n\nUsage\n-----\n\n### Traffic dissection ###\n\nAfter the plugin is installed, it will automatically dissect SAP protocols'\ntraffic if using default ports. If required, ports can be modified on SAP NI\nprotocol as well as sub-dissectors' preferences.\n\n![SAP NI preferences](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/raw/master/docs/sapni_preferences.png \"SAP NI preferences\")\n\n![SAP Diag preferences](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/raw/master/docs/sapdiag_preferences.png \"SAP Diag preferences\")\n\n\n### SAP Diag Gui Logon Password filter ###\n\n`DYNT_ATOM` items contains data entered into screen fields. The following\nfilter could be used for identifying packets containing fields marked as\n\"invisible\" (fields that are masked in the SAP GUI screen) in search for\nsensitive data. Early packets in a Diag session probably contains values for\nuser id and password fields.\n\n    sapdiag.item.value.dyntatom.item.attr.INVISIBLE == 1\n\nThe same results can be achieved also using expert info (security group):\n\n    sapdiag.item.value.dyntatom.item.password\n\n![SAP Diag login password](https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/raw/master/docs/sapdiag_login_password.png \"SAP Diag login password\")\n\n\nLicense\n-------\n\nThis Wireshark plugin is distributed under the GPLv2 license. Check the `COPYING`\nfile for more details.\n\n\nAuthors\n-------\n\nThe library was designed and developed by Martin Gallo from [SecureAuth's Innovation\nLabs](https://www.secureauth.com/labs/) team, with the help of many contributors.\n\n### Contributors ###\n\nContributions made by:\n\n* Joris van de Vis ([@jvis](https://twitter.com/jvis))\n* Anton Bolshakov ([@blshkv](https://github.com/blshkv))\n* Valeriy Gusev\n* Daniel Berlin ([@daberlin](https://github.com/daberlin))\n* Victor Portal Gonzalez\n* Dave Hartley ([@nmonkee](https://twitter.com/nmonkee))\n* Jean-Paul Roliers\n* Dongha Shin\n* Luca Di Stefano\n* Alexis La Goutte ([@alagoutte](https://github.com/alagoutte))\n* Yvan Genuer ([@iggy38](https://github.com/iggy38))\n* Mathieu Geli ([@gelim](https://github.com/gelim))\n* Dylan Drummond ([@dmurmelsson](https://github.com/murmelsson))\n\n\nDisclaimer\n----------\n\nThe spirit of this Open Source initiative is to help security researchers,\nand the community, speed up research and educational activities related to\nthe implementation of networking protocols and stacks.\n\nThe information in this repository is for research and educational purposes\nand not meant to be used in production environments and/or as part\nof commercial products.\n\nIf you desire to use this code or some part of it for your own uses, we\nrecommend applying proper security development life cycle and secure coding\npractices, as well as generate and track the respective indicators of\ncompromise according to your needs.\n\n\nContact Us\n----------\n\nWhether you want to report a bug, send a patch, or give some suggestions\non this package, drop us a few lines at oss@secureauth.com.\n\nFor security-related questions check our [security policy](SECURITY.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FSecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FSecureAuthCorp%2FSAP-Dissection-plug-in-for-Wireshark/lists"}