How do I trigger an alert on specific frame captured during live scan?

Question

Hello, I'm new here. I've been using wireshark more and more recently to help with diagnose industrial automation protocol issues.

Currently, I'm running dumpcamp on a ring keeping 30days worth of data in 50M files. What I really need to do is find a way to trigger a notification if a certain type of packet is found during the live scan. This specific network is using Profinet. I'm looking for a precursor that tends to indicate the network is having issues. I find these precursor events with the PN_DCP filter in Wireshark.

How could I use some variation of the script above to alert upon seeing one of these frames? Would it be possible to create some sort of counter to indicate the amount of times a pn_dcp frame has been seen? Of course, I don't want to really launch notepad, but some other application that could be used as an alert to the problem. I tried run this script, but it doesn't seem to work. Am I doing something wrong?

    -- use display-filter syntax here
local _filter = '(pn_dcp) '
– command to be executed for each packet
local _cmd = 'start C:\Users\Shawn\Desktop\test.bat'
local _run = io.popen
local function make_tap(filter)
local tap = Listener.new(nil, filter)
function tap.packet()
    _run(_cmd)
end

return tap

end
– If not running from Wireshark, enable the tap immediately, then
– abort, or else we'll get an error below for trying to do GUI
– stuff from the command line.
if not gui_enabled() then
make_tap(_filter)
return
end
local function make_win()
local tap = nil
local win = TextWindow.new("Watcher")
local function remove_tap()
if tap then tap:remove() end
    tap = nil
end

win:set(&quot;Press Start to begin watching&quot;)
win:set_atclose(remove_tap)

win:add_button(&quot;Start&quot;, function()
    if tap then
        report_failure(&quot;Already started&quot;)
        return
    end

    win:set(&quot;Watching for:\\n&quot; .. _filter)
    tap = make_tap(_filter)
end)

win:add_button(&quot;Stop&quot;, function()
    if not tap then
        report_failure(&quot;Not started&quot;)
        return
    end

    remove_tap()
    win:set(&quot;Press Start to begin watching&quot;)
end)

return win

end
register_menu("Lua/Test", make_win, MENU_TOOLS_UNSORTED or 8)

The test.bat file is the following:

    @echo off
:: Ghost typer
setlocal enableextensions enabledelayedexpansion
set lines=6
set "line1=A re-establishment of"
set "line2=communications has been"
set "line3=detected by Wireshark."
set "line4=Please check the trace"
set "line5=files for any problems."
set "line6=Use the filter 'pn_dcp'"
for /f %%a in ('"prompt $H&for %%b in (1) do rem"') do set "BS=%%a"
for /L %%a in (1,1,%lines%) do set num=0&set "line=!line%%a!"&call :type
pause>nul
goto :EOF
:type
set "letter=!line:~%num%,1!"
set "delay=%random%%random%%random%%random%%random%%random%%random%"
set "delay=%delay:~-6%"
if not "%letter%"=="" set /p "=a%bs%%letter%" <nul
:: adjust the 3 in the line below: higher is faster typing speed
for /L %%b in (1,5,%delay%) do rem
if "%letter%"=="" echo.&goto :EOF
set /a num+=1
goto :type

Any help you may be able to offer would be greatly appreciated!

Answer 1

Alerting is usually best done with a deep packet inspection tool, e.g. an IDS. You can use Snort or Suricata to create a rule that triggers an alert an whatever pattern you need to look for. In your situation I'd probably go and install a capture PC with the SecurityOnion live distribution, which can capture full packet data while also matching Snort rules. That way you can check alerts for your custom pattern and then grab the relevant packets from the PCAPs. The only problem would be to define the pattern you are looking for, but depending on how complex it is, a Snort filter is probably not that hard to create.