Hello, I have PCAP files from tapping Profinet communication with Wireshark/tshark. After uploading them to Malcolm I mainly see S7Comm and COTP. The documentation mentions that Zeek is able to parse Profinet, but it doesn't work. See attached file.
In Wireshark it says Profinet Real-Time Protocol that's directly on the Ethernet frame. See second file.
I haven't found data in the Elasticsearch database containing any Ethernet information. Does Zeek not parse Ethernet information, or am I doing something wrong?
mmguero added the labels ics (Relating to ICS (Industrial Control Systems) devices) and zeek (Relating to Malcolm's use of Zeek) on Nov 5, 2024
Thanks for logging the issue. You're correct: at the moment, both traffic parsing engines in Malcolm (Arkime and Zeek) only parse IP traffic, not anything directly on the Ethernet frame.
Zeek v4.1 has just recently been released, which has a new packet framework that should allow for stuff like this. The next release of Malcolm will use Zeek v4.1, but that in and of itself won't automagically fix parsers like this. A colleague of mine is working on a new PROFINET parser to replace the Amazon one we're using right now. I'll reach out to him and see if this fits into what he's doing.
Is there a possibility you could attach a sample or obfuscated PCAP to this issue?
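The practical question behind this thread is how much of a capture actually sits directly on the Ethernet frame (PROFINET RT, EtherType 0x8892, often 802.1Q-tagged) versus IPv4/IPv6 traffic that Malcolm's Arkime and Zeek pipeline does handle. The script below is an added example, not code from Malcolm, Zeek or the issue participants: it reads a classic libpcap file (not pcapng), strips one VLAN tag, and buckets frames by EtherType, reporting the PROFINET FrameID for 0x8892 frames. The EtherType and FrameID values are well-known PROFINET/802.1Q constants; the DCP multicast MAC and the three-frame sample capture are constructed for the demonstration.

```python
"""Bucket Ethernet frames in a classic pcap by EtherType to see how much of a
capture is PROFINET RT (directly on Ethernet) versus IP traffic.
Added example; not code from Malcolm, Zeek or the Amazon PROFINET parser."""
import struct
import sys

# Well-known values (standard constants, not taken from the issue text).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100      # 802.1Q tag; PROFINET RT is commonly priority-tagged
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_PROFINET = 0x8892  # PROFINET RT / DCP, carried directly on the Ethernet frame
PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
DLT_EN10MB = 1


def iter_frames(data: bytes):
    """Yield raw Ethernet frames from a classic (microsecond) pcap byte string."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype.
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != DLT_EN10MB:
        raise ValueError(f"link type {linktype} is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_frame(frame: bytes):
    """Return (ethertype, vlan_id or None, profinet_frame_id or None); strips one 802.1Q tag."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, payload = None, frame[14:]
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, payload = tci & 0x0FFF, frame[18:]
    frame_id = None
    if ethertype == ETHERTYPE_PROFINET and len(payload) >= 2:
        (frame_id,) = struct.unpack("!H", payload[:2])  # PROFINET FrameID precedes the PDU
    return ethertype, vlan_id, frame_id


def summarize(data: bytes):
    """Count frames per bucket; 'profinet_rt' is the traffic the thread says Malcolm skips."""
    counts = {"ipv4": 0, "ipv6": 0, "profinet_rt": 0, "other_non_ip": 0}
    for frame in iter_frames(data):
        ethertype, _vlan, _fid = classify_frame(frame)
        if ethertype == ETHERTYPE_IPV4:
            counts["ipv4"] += 1
        elif ethertype == ETHERTYPE_IPV6:
            counts["ipv6"] += 1
        elif ethertype == ETHERTYPE_PROFINET:
            counts["profinet_rt"] += 1
        else:
            counts["other_non_ip"] += 1  # e.g. ARP, LLDP: non-IP but not PROFINET
    return counts


def _eth(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    hdr = dst + src
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: VLAN-tagged cyclic RT, untagged PN-DCP, and an IPv4 TCP SYN to port 102."""
    dev, ctrl = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # made-up MACs
    dcp_mcast = bytes.fromhex("010ecf000000")  # assumed PROFINET DCP identify multicast address
    # Cyclic RT class 1: FrameID 0x8000, 40 data bytes, then cycle counter/data status/transfer status.
    rt = struct.pack("!H", 0x8000) + bytes(40) + struct.pack("!HBB", 0x1234, 0x35, 0x00)
    # PN-DCP identify request uses FrameID 0xFEFE; the body here is placeholder bytes.
    dcp = struct.pack("!H", 0xFEFE) + bytes(44)
    # IPv4/TCP SYN to port 102 (ISO-TSAP, where COTP/S7comm live); checksums left zero.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 0, 10]), bytes([192, 168, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 102, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    frames = [
        _eth(dev, ctrl, ETHERTYPE_PROFINET, rt, vlan_id=0, pcp=6),
        _eth(dcp_mcast, ctrl, ETHERTYPE_PROFINET, dcp),
        _eth(ctrl, dev, ETHERTYPE_IPV4, ip + tcp),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for i, frame in enumerate(iter_frames(data)):
        et, vlan, fid = classify_frame(frame)
        fid_s = "-" if fid is None else f"0x{fid:04x}"
        print(f"frame {i}: ethertype=0x{et:04x} vlan={vlan} profinet_frame_id={fid_s}")
    print(summarize(data))
```

Run it against your own capture with `python3 ethertypes.py capture.pcap` (converting pcapng first with `editcap -F pcap`); a high `profinet_rt` count relative to `ipv4` explains why Malcolm shows mostly S7Comm/COTP (the TCP/102 side) and nothing for the cyclic RT traffic.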
@Thomislav cloned issue idaholab/Malcolm#61 on 2021-10-17: