SAP Netweaver and SAP HANA are technology platforms for building and integrating SAP business applications. Communication between components uses different network protocols. While some of them are standard and well-known protocols, others are proprietaries and public information is not available.
This Wireshark plugin provides dissection of SAP’s NI, Message Server, Router, Diag, Enqueue, IGS and SNC protocols. The dissectors are based on information acquired at researching the different protocols and services. Additional experimental support is included for SAP’s RFC protocol. Detailed information about the research can be found in pysap’s documentation.
This plugin counts on several different dissectors:
- SAP NI Protocol dissectorThis is the dissector for SAP’s Network Interface (NI) protocol. The dissector handles the reassemble of fragmented TCP packets and identifies keep-alive messages (
PONG). It also calls the respective sub-dissector according to the port being used.
- SAP Router Protocol dissectorThis dissector includes support for the SAP Router protocol, handling route, control messages and error information packets. The dissector also calls the SNC sub-dissector when SNC frames are found.
- SAP Diag Protocol dissectorThe main dissector of the plugin. It dissects the main headers used by the Diag protocol: DP, Diag and Compression headers. The dissector also handles decompression of the payload data and includes dissection of relevant Diag payload items, including Support Bits and common
APPL4items. Wireshark’s expert information capabilities are used to remark malformed or wrong packets. The dissector also calls the RFC sub-dissector when an embedded RFC call is found and the SNC sub-dissector when SNC frames are found.
- SAP Message Server Protocol dissectorThis module dissects the packets used by SAP’s Message Server Protocol in its binary non-HTTP format, for both internal and external ports.
- SAP Enqueue Protocol dissectorThis module dissects packets used by SAP’s Standalone Enqueue and Replication Servers.
- SAP SNC (Secure Network Connection) Protocol dissectorThis dissector parses SNC frames and their fields. When the frames contains wrapped data that wasn’t encrypted, it allows calling dissectors to get access to the unwrapped data for further dissecting it, as the case of Diag dissector when SNC is used in authentication only or integrity protection quality of protection levels.
- SAP IGS (Internet Graphic Server) Protocol dissectorThis dissector parses packets used by SAP’s IGS services.
- SAP RFC (Remote Function Call) Protocol dissector (experimental)This dissector perform some basic dissection on the main components of the RFC protocol. It dissects general items and does some basic reassembling and decompression of table contents.
- You can check out trunk (development version) at https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark
- v0.8.1, released on March 20th, 2020 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.8.1.tar.gz
- v0.7.1, released on December 19th, 2019 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.7.1.tar.gz
- v0.6.1, released on July 12th, 2018 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.6.1.tar.gz
- v0.5.2, released on March 17th, 2018 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.5.2.tar.gz
- v0.5.1, released on October 25th, 2017 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.5.1.tar.gz
- v0.4.2, released on June 30th, 2017 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.4.2.tar.gz
- v0.4.1, released on December 30th, 2016 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.4.1.tar.gz
- v0.3.2, released on October 21st, 2016 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.3.2.tar.gz
- v0.3.1, released on March 25th, 2016 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.3.1.tar.gz
- v0.2.3, released on November 5th, 2015 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.2.3.tar.gz
- v0.2.2, released on June 26th, 2015 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.2.2.tar.gz
- v0.2.1, released on May 13th, 2015 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.2.1.tar.gz
- v0.1.5, released on January 16th, 2015 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.1.5.tar.gz
- v0.1.4, released on March 28th, 2014 – https://github.com/SecureAuthCorp/SAP-Dissection-plug-in-for-Wireshark/archive/v0.1.4.tar.gz
- v0.1.3, released on March 22nd, 2013 – attachment
- v0.1.2, released on September 27th, 2012 – attachment
- v0.1.1, released on July 29th, 2012 – attachment
- Installing: Installation instructions for several different operative systems are included and detailed in the project’s README file.
This Wireshark plugin is distributed under the GPLv2 license. Check the COPYING file for more details.