shramos / polymorph

Polymorph is a real-time network packet manipulation framework with support for almost all existing protocols
GNU General Public License v2.0

Dissection of specific protocol #4

Closed xNi-cOx closed 3 years ago

xNi-cOx commented 5 years ago

Hello, first of all many thanks for the project. It is exactly what I am looking for. I have a question about the dissector. I want to dissect the OPC UA protocol, but it is not recognized by tshark. I know that Wireshark has a working dissector for that protocol. So tshark should have one too, right? I also know that my captured packets contain OPC UA messages. Can I define a specific protocol for the dissector? What else can cause this behavior?

Here is a screenshot of my captured packets after the dissect command. As you can see, the OPC UA part of the packet is just RAW.DATA.

[screenshot]

I'd be happy to get some advice or an inspiration. Thanks.

shramos commented 5 years ago

Hi, I just tried the dissection of the OPC UA protocol with polymorph. I have generated my test environment with the following project: https://github.com/FreeOpcUa/python-opcua

I can confirm that Polymorph is capable of dissecting it:

[screenshots: opcua capture, opcua capture2]

As in this case Polymorph will use the Tshark dissectors to dissect this protocol, what happens to you means that Tshark/Wireshark has not been able to dissect it either (you can use the wireshark command from the interface where all the captured templates are found to open them with Wireshark). Based on my experience with other protocols, this may be due to several factors. The most obvious is that the protocol presents some type of security measure, such as encryption, that prevents the dissectors from interpreting it. The other possibility is a little less obvious: for some protocols the Wireshark dissectors need to capture the beginning of the communication to be able to correctly interpret and dissect the packets. In this way, if Wireshark is capturing when the connection starts, it will correctly interpret the protocol. However, if you put it to capture in the middle of a session, it will not be able to interpret and dissect the packets; this happens, for example, with the Windows Remote Registry protocol. I do not know what your particular case is, but I recommend that you try to put Polymorph to capture before starting the session between the client and the server to check if, in this way, the tool is able to interpret the packets correctly.

PS: If the packets do not present any kind of integrity or confidentiality measure and, even so, tshark is not able to interpret them (and therefore neither is Polymorph), another option is to generate the template from a test environment (like the one I used) and then use that template to intercept and modify the protocol packets in real time, since once the template is generated, Polymorph does not need the tshark dissectors to modify the packets in real time, because it performs an internal representation of this template.
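The first cause described above (a security policy on the secure channel) can be checked from the OPC UA TCP framing itself before blaming the dissector. This is an added example, not code from the issue or from Polymorph: it assumes the standard OPC UA binary header (3-byte message type, 1-byte chunk type, little-endian size) and builds a constructed OPN chunk to parse.

```python
import struct

# SecurityPolicy#None is the only policy under which MSG bodies are neither
# signed nor encrypted, i.e. the only case a dissector (or Polymorph) can
# fully interpret and safely rewrite.
SECURITY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"


def _build_opn(policy_uri):
    """Build a minimal OpenSecureChannel chunk (constructed sample, not a real capture)."""
    body = struct.pack("<I", 0)                       # SecureChannelId (0 before channel exists)
    uri = policy_uri.encode()
    body += struct.pack("<i", len(uri)) + uri         # SecurityPolicyUri as a UA String
    body += struct.pack("<i", -1)                     # SenderCertificate: null ByteString
    body += struct.pack("<i", -1)                     # ReceiverCertificateThumbprint: null
    body += struct.pack("<II", 1, 1)                  # SequenceNumber, RequestId
    return b"OPNF" + struct.pack("<I", 8 + len(body)) + body


def parse_header(chunk):
    """Return (message_type, chunk_type, size) from the 8-byte OPC UA TCP header."""
    if len(chunk) < 8:
        raise ValueError("chunk shorter than the 8-byte message header")
    msg_type = chunk[0:3].decode("ascii")             # HEL, ACK, ERR, OPN, MSG, CLO
    chunk_type = chr(chunk[3])                        # F = final, C = intermediate, A = abort
    (size,) = struct.unpack_from("<I", chunk, 4)      # total size including the header
    return msg_type, chunk_type, size


def security_policy(chunk):
    """For an OPN chunk return its SecurityPolicyUri; None for any other message type."""
    msg_type, _, size = parse_header(chunk)
    if msg_type != "OPN" or size > len(chunk):
        return None                                   # not an OPN, or a truncated chunk
    # The asymmetric security header (policy URI, certificates) is always
    # plaintext, even when the rest of the OPN body is encrypted.
    (uri_len,) = struct.unpack_from("<i", chunk, 12)  # offset 8 = SecureChannelId, 12 = URI length
    if uri_len < 0:
        return None                                   # null string: malformed OPN
    return chunk[16:16 + uri_len].decode("utf-8")


def is_plaintext_channel(opn_chunk):
    """True when the channel was opened with SecurityPolicy#None (MSG bodies are readable)."""
    return security_policy(opn_chunk) == SECURITY_NONE


if __name__ == "__main__":
    sample = _build_opn(SECURITY_NONE)
    print(parse_header(sample), security_policy(sample), is_plaintext_channel(sample))
```

Run it against the first OPN chunk of a real session (the bytes after the TCP payload offset) to see whether the server you are testing against negotiated SecurityPolicy#None; any other URI means signed or encrypted traffic, which matches the behaviour reported with the simulation server.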

xNi-cOx commented 5 years ago

Thank you very much for your answer. I was able to dissect the OPC UA protocol. The simulation server I used first seems to do some encryption or signing even when I chose the endpoint without security. I programmed my own server with the open62541 framework and it works. Now I encountered another challenge. I created a template for a write response packet. Moreover, I have added a precondition and an execution rule. The packets are intercepted and modified with respect to my rules. But the server is not accepting the packets. I just change the value of the write request (changing a string value, for example). I looked into the manipulated packets with Wireshark and everything looks fine. The OPC UA server is responding "write failed - Bad_Timeout". Do you maybe have an idea why this isn't working?

Here are some screens:

WriteRequest packet:

[screenshot]

Precondition

[screenshot]

Execution

[screenshot]

The Wireshark packets with the "BAD" string:

[screenshot]

In packet 127, which is the write request, I have a byte in the WriteRequest packet I don't understand. It is called: "VSS-Monitoring ethernet trailer, Source Port: 0"

I tried the postcondition from the whitepaper too. I've just started with the topic of packet manipulation. Would be great if you can help. Thanks