
Hello, I'm new here. I've been using Wireshark more and more recently to help diagnose industrial automation protocol issues.

Currently, I'm running dumpcap on a ring keeping 30 days worth of data in 50M files. What I really need to do is find a way to trigger a notification if a certain type of packet is found during the live scan. This specific network is using Profinet. I'm looking for a precursor that tends to indicate the network is having issues. I find these precursor events with the PN_DCP filter in Wireshark.

How could I use some variation of the script above to alert upon seeing one of these frames? Would it be possible to create some sort of counter to indicate the number of times a pn_dcp frame has been seen? Of course, I don't want to really launch notepad, but some other application that could be used as an alert to the problem. I tried to run this script, but it doesn't seem to work. Am I doing something wrong?

    -- use display-filter syntax here
    local _filter = '(pn_dcp) '

    -- command to be executed for each packet
    -- Backslashes must be doubled inside a Lua string: in the original
    -- 'C:\Users\...\test.bat' the "\t" became a TAB character, so the
    -- path never matched. The empty "" after start is the window title,
    -- so that a quoted path is not mistaken for the title.
    local _cmd = 'start "" "C:\\Users\\Shawn\\Desktop\\test.bat"'

    -- os.execute returns as soon as "start" has launched the batch file;
    -- io.popen would leave an unread pipe handle open for every packet.
    local function _run(cmd)
        os.execute(cmd)
    end

    local function make_tap(filter)
        -- Listener.new(tap, filter): nil tap = every frame, narrowed by the filter
        local tap = Listener.new(nil, filter)

        -- called once for every frame that matches the filter
        function tap.packet(pinfo, tvb, tapinfo)
            _run(_cmd)
        end

        return tap
    end

    -- If not running from Wireshark, enable the tap immediately, then
    -- abort, or else we'll get an error below for trying to do GUI
    -- stuff from the command line.
    if not gui_enabled() then
        make_tap(_filter)
        return
    end

    local function make_win()
        local tap = nil
        local win = TextWindow.new("Watcher")

        local function remove_tap()
            if tap then tap:remove() end
            tap = nil
        end

        win:set("Press Start to begin watching")
        win:set_atclose(remove_tap)

        win:add_button("Start", function()
            if tap then
                report_failure("Already started")
                return
            end

            -- "\n" is a newline; the original "\\n" printed a literal backslash-n
            win:set("Watching for:\n" .. _filter)
            tap = make_tap(_filter)
        end)

        win:add_button("Stop", function()
            if not tap then
                report_failure("Not started")
                return
            end

            remove_tap()
            win:set("Press Start to begin watching")
        end)

        return win
    end

    register_menu("Lua/Test", make_win, MENU_TOOLS_UNSORTED or 8)

The test.bat file is the following:

    @echo off
    :: Ghost typer: prints the message one character at a time
    setlocal enableextensions enabledelayedexpansion

    set lines=6

    set "line1=A re-establishment of"
    set "line2=communications has been"
    set "line3=detected by Wireshark."
    set "line4=Please check the trace"
    set "line5=files for any problems."
    set "line6=Use the filter 'pn_dcp'"

    :: capture a backspace character in BS (prompt $H trick)
    for /f %%a in ('"prompt $H&for %%b in (1) do rem"') do set "BS=%%a"

    for /L %%a in (1,1,%lines%) do set num=0&set "line=!line%%a!"&call :type

    pause>nul
    goto :EOF

    :type
    set "letter=!line:~%num%,1!"
    set "delay=%random%%random%%random%%random%%random%%random%%random%"
    set "delay=%delay:~-6%"
    :: print a dummy char, backspace over it, then the real letter
    if not "%letter%"=="" set /p "=a%bs%%letter%" <nul

    :: adjust the step value 5 in the line below: higher is faster typing speed
    for /L %%b in (1,5,%delay%) do rem
    if "%letter%"=="" echo.&goto :EOF
    set /a num+=1
    goto :type

Any help you may be able to offer would be greatly appreciated!

asked 29 Mar '17, 09:31


profiteam

edited 29 Mar '17, 10:11
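The two things asked for in the question, a counter of matching frames and an alert that is not simply "run a program for every packet", can be combined in one Lua tap. The script below is an added example, not code from the original post or from the Wireshark project. It counts every frame matching the display filter, launches an external alert handler only once a threshold of frames has been seen, and then stays silent for a cooldown period, so a burst of PN-DCP traffic produces one notification instead of one process per frame. The handler path, the threshold and the cooldown are placeholders to adjust; the host is assumed to be Windows (`start`), and the Wireshark Lua API calls used (`Listener.new`, `TextWindow`, `register_menu`, `pinfo.abs_ts`) are the ones the original script already relies on.

```lua
-- Added example (not from the original post or the Wireshark project).
-- Counts frames matching a display filter and launches an alert command,
-- rate-limited by a threshold and a cooldown.
-- Assumptions / placeholders: the alert handler path, THRESHOLD and
-- COOLDOWN_SEC values, and a Windows host for "start".

local FILTER       = "pn_dcp"        -- display-filter syntax, as in the question
local ALERT_CMD    = 'start "" "C:\\path\\to\\alert.bat"'  -- placeholder path; backslashes doubled for Lua
local THRESHOLD    = 3               -- matching frames needed before an alert fires
local COOLDOWN_SEC = 300             -- minimum seconds between two alerts

-- Counters shared by the tap and the window; reset_state() runs on Start.
local state = {}
local function reset_state()
    state.total       = 0    -- every matching frame since Start
    state.since_alert = 0    -- matching frames since the last alert
    state.alerts      = 0    -- alerts launched so far
    state.last_alert  = nil  -- timestamp (seconds) of the last alert
end
reset_state()

-- Decide whether this frame should trigger an alert. `now` is the frame's
-- own timestamp, so the logic behaves the same on a live capture and on a
-- saved ring file replayed through tshark.
local function note_frame(now)
    state.total       = state.total + 1
    state.since_alert = state.since_alert + 1
    if state.since_alert < THRESHOLD then return false end
    if state.last_alert and (now - state.last_alert) < COOLDOWN_SEC then return false end
    state.last_alert  = now
    state.since_alert = 0
    state.alerts      = state.alerts + 1
    return true
end

local function summary()
    return string.format("%s frames: %d   alerts: %d   pending: %d",
        FILTER, state.total, state.alerts, state.since_alert)
end

local function make_tap(filter)
    local tap = Listener.new(nil, filter)
    function tap.packet(pinfo, tvb, tapinfo)
        if note_frame(pinfo.abs_ts) then
            -- os.execute instead of io.popen: no pipe handle is left open,
            -- and "start" returns as soon as the handler has been launched.
            os.execute(ALERT_CMD)
        end
    end
    -- draw() runs periodically in the GUI and once at the end under tshark.
    function tap.draw()
        if not gui_enabled() then print(summary()) end
    end
    return tap
end

if not gui_enabled() then
    -- tshark -X lua_script:watcher.lua -i <iface>   (or -r ring_file.pcapng)
    make_tap(FILTER)
    return
end

local function make_win()
    local tap = nil
    local win = TextWindow.new("PN-DCP watcher")
    local function stop()
        if tap then tap:remove() end
        tap = nil
    end
    win:set("Press Start to begin watching for " .. FILTER)
    win:set_atclose(stop)
    win:add_button("Start", function()
        if tap then report_failure("Already started") return end
        reset_state()
        tap = make_tap(FILTER)
        win:set("Watching for: " .. FILTER .. "\n")
    end)
    win:add_button("Refresh", function() win:set(summary()) end)
    win:add_button("Stop", function()
        if not tap then report_failure("Not started") return end
        stop()
        win:set("Stopped.\n" .. summary())
    end)
    return win
end

register_menu("Lua/PN-DCP watcher", make_win, MENU_TOOLS_UNSORTED)
```

Loaded from the personal plugins folder it adds a Tools menu entry with Start, Refresh and Stop buttons; run under tshark with `-X lua_script:watcher.lua` it prints the counts when the capture ends, which also makes it easy to replay one of the 50M ring files and check that the threshold and cooldown produce the number of alerts you expect before pointing the handler at a real notification.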

If you can figure out how to convert the "pn_dcp" display filter into a capture filter, then you might be able to make use of the dumpcap.bat file available for download on the Wireshark Tools wiki page. The batch file uses mailsend to send an e-mail notification when a particular event occurs (or when a certain number of those events occur). It does not work with display filters though, only capture filters.

(30 Mar '17, 07:12) cmaynard ♦♦

Alerting is usually best done with a deep packet inspection tool, e.g. an IDS. You can use Snort or Suricata to create a rule that triggers an alert on whatever pattern you need to look for. In your situation I'd probably go and install a capture PC with the SecurityOnion live distribution, which can capture full packet data while also matching Snort rules. That way you can check alerts for your custom pattern and then grab the relevant packets from the PCAPs. The only problem would be to define the pattern you are looking for, but depending on how complex it is, a Snort filter is probably not that hard to create.


answered 30 Mar '17, 14:56


Jasper ♦♦
