This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I trigger an alert on specific frame captured during live scan?

0

Hello, I'm new here. I've been using Wireshark more and more recently to help with diagnosing industrial automation protocol issues.

Currently, I'm running dumpcap on a ring keeping 30 days' worth of data in 50M files. What I really need to do is find a way to trigger a notification if a certain type of packet is found during the live scan. This specific network is using Profinet. I'm looking for a precursor that tends to indicate the network is having issues. I find these precursor events with the PN_DCP filter in Wireshark.

How could I use some variation of the script above to alert upon seeing one of these frames? Would it be possible to create some sort of counter to indicate the number of times a pn_dcp frame has been seen? Of course, I don't really want to launch Notepad, but some other application that could be used as an alert to the problem. I tried running this script, but it doesn't seem to work. Am I doing something wrong?

    -- use display-filter syntax here
    local _filter = '(pn_dcp) '

    -- command to be executed for each packet
    -- (backslashes must be doubled inside a Lua string; otherwise "\U" and
    -- "\t" are read as escape sequences and the path is mangled)
    local _cmd = 'start C:\\Users\\Shawn\\Desktop\\test.bat'

    -- launch the command; "start" returns at once, and closing the pipe
    -- keeps us from leaking one handle per matching packet
    local function _run(cmd)
        local p = io.popen(cmd)
        if p then p:close() end
    end

    local function make_tap(filter)
        local tap = Listener.new(nil, filter)

        -- called once for every packet that matches the filter
        function tap.packet()
            _run(_cmd)
        end

        return tap
    end

    -- If not running from Wireshark, enable the tap immediately, then
    -- abort, or else we'll get an error below for trying to do GUI
    -- stuff from the command line.
    if not gui_enabled() then
        make_tap(_filter)
        return
    end

    local function make_win()
        local tap = nil
        local win = TextWindow.new("Watcher")

        local function remove_tap()
            if tap then tap:remove() end
            tap = nil
        end

        win:set("Press Start to begin watching")
        win:set_atclose(remove_tap)

        win:add_button("Start", function()
            if tap then
                report_failure("Already started")
                return
            end

            win:set("Watching for:\n" .. _filter)
            tap = make_tap(_filter)
        end)

        win:add_button("Stop", function()
            if not tap then
                report_failure("Not started")
                return
            end

            remove_tap()
            win:set("Press Start to begin watching")
        end)

        return win
    end

    register_menu("Lua/Test", make_win, MENU_TOOLS_UNSORTED or 8)

The test.bat file is the following:

    @echo off
    :: Ghost typer
    setlocal enableextensions enabledelayedexpansion

    set lines=6

    set "line1=A re-establishment of"
    set "line2=communications has been"
    set "line3=detected by Wireshark."
    set "line4=Please check the trace"
    set "line5=files for any problems."
    set "line6=Use the filter 'pn_dcp'"

    :: capture a backspace character into BS
    for /f %%a in ('"prompt $H&for %%b in (1) do rem"') do set "BS=%%a"

    :: type each line one character at a time
    for /L %%a in (1,1,%lines%) do set num=0&set "line=!line%%a!"&call :type

    pause>nul
    goto :EOF

    :type
    set "letter=!line:~%num%,1!"
    set "delay=%random%%random%%random%%random%%random%%random%%random%"
    set "delay=%delay:~-6%"
    if not "%letter%"=="" set /p "=a%bs%%letter%" <nul

    :: adjust the step value (5) in the line below: higher is faster typing speed
    for /L %%b in (1,5,%delay%) do rem
    if "%letter%"=="" echo.&goto :EOF
    set /a num+=1
    goto :type

Any help you may be able to offer would be greatly appreciated!

asked 29 Mar '17, 09:31


profiteam

edited 29 Mar '17, 10:11

If you can figure out how to convert the “pn_dcp” display filter into a capture filter, then you might be able to make use of the dumpcap.bat file available for download on the Wireshark Tools wiki page. The batch file uses mailsend to send an e-mail notification when a particular event occurs (or when a certain number of those events occur). It does not work with display filters though, only capture filters.

(30 Mar '17, 07:12) cmaynard ♦♦
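The counter and alert asked for in the question can also be built outside the Wireshark GUI, and unlike the dumpcap.bat approach in the comment above it works with a display filter: run `tshark -i <interface> -l -Y pn_dcp -T fields -e frame.time_epoch -e eth.src` and pipe its output into a small watcher. This is an added example, not code from this thread or from the Wireshark project; the window, threshold and cooldown values, the alert sink and the sample tshark lines are assumptions constructed for illustration.

```python
import sys
from collections import deque

WINDOW_SECONDS = 60.0     # sliding window for the burst check (assumed value)
THRESHOLD = 3             # frames inside the window that count as a burst (assumed)
COOLDOWN_SECONDS = 300.0  # suppress repeat alerts for this long after one fires
SAMPLE_LINES = [  # constructed "tshark -T fields" output: epoch time, source MAC
    "1490800000.10\t02:00:00:00:00:01\n",
    "1490800020.50\t02:00:00:00:00:01\n",
    "1490800045.00\t02:00:00:00:00:02\n",  # third frame within 60 s: alert
    "1490800050.00\t02:00:00:00:00:02\n",  # inside the cooldown: no alert
    "1490801000.00\t02:00:00:00:00:01\n",  # lone frame later: below threshold
]

class DcpWatcher:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD, cooldown=COOLDOWN_SECONDS):
        self.window, self.threshold, self.cooldown = window, threshold, cooldown
        self.times = deque()   # timestamps of PN_DCP frames still inside the window
        self.total = 0         # running count of every PN_DCP frame seen
        self.last_alert = None

    def feed(self, line):
        # consume one tshark output line; return an alert string, or None
        parts = line.rstrip("\n").split("\t")
        try:
            ts = float(parts[0])
        except ValueError:
            return None  # blank or non-data line (e.g. status text): ignore
        src = parts[1] if len(parts) > 1 else "?"
        self.total += 1
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window:
            self.times.popleft()  # drop frames that aged out of the window
        due = self.last_alert is None or ts - self.last_alert >= self.cooldown
        if len(self.times) >= self.threshold and due:
            self.last_alert = ts
            return (f"ALERT: {len(self.times)} PN_DCP frames within {self.window:.0f}s "
                    f"(latest from {src}, {self.total} seen since start)")
        return None

def watch(stream, sink=None):
    sink = sink or (lambda msg: print(msg, flush=True))  # swap in mail/webhook here
    watcher = DcpWatcher()
    for line in stream:
        alert = watcher.feed(line)
        if alert:
            sink(alert)
    return watcher.total  # total PN_DCP frames seen on this stream

if __name__ == "__main__":  # read the live tshark pipe, or the sample when run by hand
    watch(sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES)
```

Because tshark does the dissection, any display filter Wireshark accepts can replace `pn_dcp`, and the watcher only ever sees timestamps and addresses of matching frames.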


One Answer:

0

Alerting is usually best done with a deep packet inspection tool, e.g. an IDS. You can use Snort or Suricata to create a rule that triggers an alert on whatever pattern you need to look for. In your situation I'd probably go and install a capture PC with the SecurityOnion live distribution, which can capture full packet data while also matching Snort rules. That way you can check alerts for your custom pattern and then grab the relevant packets from the PCAPs. The only problem would be to define the pattern you are looking for, but depending on how complex it is, a Snort filter is probably not that hard to create.

answered 30 Mar '17, 14:56


Jasper ♦♦