Message coloring FengShui

Added WireShark LUA and coloring schema for CAN-ETH-GW and AE messages

resources/WireShark_CAN_ETH_GW.lua

@@ -0,0 +1,79 @@
+-- ###############################################################
+-- Custom UDP Dissector für dein CAN-over-UDP-Gateway
+-- ###############################################################
+
+local myudp_proto = Proto("ICSG_CAN-ETH", "ICSG CAN-ETH-GW - UDP Stream")
+
+-- Felddefinitionen
+local f_arbid  = ProtoField.uint32("myudp.arbid", "Arbitration ID", base.HEX)
+local f_len    = ProtoField.uint8("myudp.len", "Length")
+local f_data   = ProtoField.bytes("myudp.data", "Data Bytes")
+local f_fd     = ProtoField.bool("myudp.fd", "FD")
+local f_xtd    = ProtoField.bool("myudp.xtd", "XTD")
+local f_remote = ProtoField.bool("myudp.remote", "Remote")
+local f_brs    = ProtoField.bool("myudp.brs", "BRS")
+
+myudp_proto.fields = { f_arbid, f_len, f_data, f_fd, f_xtd, f_remote, f_brs }
+
+function myudp_proto.dissector(buffer, pinfo, tree)
+    local port = pinfo.src_port
+    local payload_len = buffer:len()
+
+    -- Datenlänge abhängig vom Port
+    local data_len = 0
+    if port == 60001 or port == 60002 then
+        data_len = 8
+    elseif port == 60003 or port == 60004 then
+        data_len = 64
+    else
+        return
+    end
+
+    pinfo.cols.protocol = "ICSG_CAN-ETH"
+    local subtree = tree:add(myudp_proto, buffer(), "ICSG CAN on UDP Stream")
+
+    -- Offsets ab UDP-Payload
+    local off_arbid = 0
+    local off_len   = 4
+    local off_data  = 5
+    local off_bits  = off_data + data_len
+
+    -- Sicherheitsprüfung: Buffer-Länge prüfen
+    if payload_len < off_bits + 1 then
+        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "Packet too short for expected fields")
+        return
+    end
+
+    -- Felder nur hinzufügen, wenn genug Daten vorhanden sind
+    if payload_len >= off_arbid + 4 then
+        subtree:add(f_arbid, buffer(off_arbid,4))
+    end
+
+    if payload_len >= off_len + 1 then
+        subtree:add(f_len, buffer(off_len,1))
+    end
+
+    if payload_len >= off_data + data_len then
+        subtree:add(f_data, buffer(off_data, data_len))
+    end
+
+    if payload_len >= off_bits + 1 then
+        local bitfield = buffer(off_bits,1):uint()
+        local b_fd     = bit32.band(bitfield, 0x01) ~= 0
+        local b_xtd    = bit32.band(bitfield, 0x02) ~= 0
+        local b_remote = bit32.band(bitfield, 0x04) ~= 0
+        local b_brs    = bit32.band(bitfield, 0x08) ~= 0
+
+        subtree:add(f_fd, b_fd)
+        subtree:add(f_xtd, b_xtd)
+        subtree:add(f_remote, b_remote)
+        subtree:add(f_brs, b_brs)
+    end
+end
+
+-- UDP-Ports registrieren
+local udp_table = DissectorTable.get("udp.port")
+udp_table:add(60001, myudp_proto)
+udp_table:add(60002, myudp_proto)
+udp_table:add(60003, myudp_proto)
+udp_table:add(60004, myudp_proto)

resources/WireShark_MessageColoring

@@ -0,0 +1,25 @@
+# This file was created by Wireshark. Edit with care.
+@Tapped_AE@ip.src== 192.168.55.2@[21845,65535,32639][0,0,0]
+@Intrepid@eth.type == 0xcab2@[0,65535,65535][0,0,65535]
+@ICSG_CAN_ETH_GW@ip.src == 10.0.0.1@[65535,43690,0][65535,65535,65535]
+!@Bad TCP@tcp.analysis.flags && !tcp.analysis.window_update && !tcp.analysis.keep_alive && !tcp.analysis.keep_alive_ack@[4626,10023,11822][63479,34695,34695]
+!@HSRP State Change@hsrp.state != 8 && hsrp.state != 16@[4626,10023,11822][65535,64764,40092]
+!@Spanning Tree Topology  Change@stp.type == 0x80@[4626,10023,11822][65535,64764,40092]
+!@OSPF State Change@ospf.msg != 1@[4626,10023,11822][65535,64764,40092]
+!@ICMP errors@icmp.type in { 3..5, 11 } || icmpv6.type in { 1..4 }@[4626,10023,11822][47031,63479,29812]
+!@ARP@arp@[64250,61680,55255][4626,10023,11822]
+!@ICMP@icmp || icmpv6@[64764,57568,65535][4626,10023,11822]
+!@TCP RST@tcp.flags.reset eq 1@[42148,0,0][65535,64764,40092]
+!@SCTP ABORT@sctp.chunk_type eq ABORT@[42148,0,0][65535,64764,40092]
+!@IPv4 TTL low or unexpected@(ip.dst != 224.0.0.0/4 && ip.ttl < 5 && !(pim || ospf || eigrp || bgp || tcp.port==179)) || (ip.dst == 224.0.0.0/24 && ip.dst != 224.0.0.251 && ip.ttl != 1 && !(vrrp || carp || eigrp || rip || glbp))@[42148,0,0][60652,61680,60395]
+!@IPv6 hop limit low or unexpected@(ipv6.dst != ff00::/8 && ipv6.hlim < 5 && !( ospf|| bgp || tcp.port==179)) || (ipv6.dst==ff00::/8 && ipv6.hlim not in {1, 64, 255})@[42148,0,0][60652,61680,60395]
+!@Checksum Errors@eth.fcs.status=="Bad" || ip.checksum.status=="Bad" || tcp.checksum.status=="Bad" || udp.checksum.status=="Bad" || sctp.checksum.status=="Bad" || mstp.checksum.status=="Bad" || cdp.checksum.status=="Bad" || edp.checksum.status=="Bad" || wlan.fcs.status=="Bad" || stt.checksum.status=="Bad"@[4626,10023,11822][63479,34695,34695]
+!@SMB@smb || nbss || nbns || netbios@[65278,65535,53456][4626,10023,11822]
+!@HTTP@http || tcp.port == 80 || http2@[58596,65535,51143][4626,10023,11822]
+!@DCERPC@dcerpc@[51143,38807,65535][4626,10023,11822]
+!@Routing@hsrp || eigrp || ospf || bgp || cdp || vrrp || carp || gvrp || igmp || ismp@[65535,62451,54998][4626,10023,11822]
+!@TCP SYN/FIN@tcp.flags & 0x02 || tcp.flags.fin == 1@[41120,41120,41120][4626,10023,11822]
+!@TCP@tcp@[59367,59110,65535][4626,10023,11822]
+!@UDP@udp@[56026,61166,65535][4626,10023,11822]
+!@Broadcast@eth[0] & 1@[65535,65535,65535][47802,48573,46774]
+!@System Event@systemd_journal || sysdig@[59110,59110,59110][11565,28527,39578]