SAP Decom

The SAP DIAG (Dynamic Information and Action Gateway) protocol is used for SAP GUI to SAP Server (Dispatcher and Message Server) communications.

DIAG is a clear-text protocol and is configured as such by default. Several tools are available to capture and analyse SAP DIAG traffic; however, practical use of these tools is cumbersome. They do not automatically decompress and/or parse the traffic for you, so this is a very manual process. We thought it would be really useful to have a utility that could automagically parse captured traffic and extract useful information, such as source and destination IP addresses as well as the authentication credentials.

Greg Scott, an MWR intern during the summer of 2013, created a Python wrapper script for extracting credentials from SAP GUI and RFC communication captures. The project wasn’t fully completed and is still very much beta; however, it has proved useful on recent engagements, and some in the community have expressed an interest in having a copy of the tool.