When the packet number is part of the CRC, then you also know the packet number if you are capturing the packet(s).
Isn't this only true if you've been capturing from the beginning of the communication? Maybe you need to convince the partners to re-establish comms, and can then record from there?
The profisafe system description specifically says that the "consecutive number" isn't actually transmitted, and that the PLC/IO each have their own separate counter that runs.
I haven't done this for myself. Recently someone was working on the Profisafe plugin for Wireshark. It calculates the CRC from the data part and compares it with the transferred CRC to show you if there is a mismatch. If it were not possible to modify such telegrams, there wouldn't be a document which describes that you have to set up a separate secure network for Profisafe.
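An added illustration of the two points above (not code from any poster, and not Profisafe's real CRC polynomial or telegram layout, which are not reproduced here): plain CRC-32 from zlib stands in for the safety CRC, the consecutive number is mixed into the CRC seed and never sent on the wire, and a passive checker modelled on the dissector described above can only confirm the CRC if its own counter is in step with the endpoints. The `Monitor` class and `build_telegram` helper are hypothetical.

```python
import zlib

# Illustrative model only (assumption): the consecutive number is folded into the
# CRC seed instead of being transmitted, as the thread describes for Profisafe.
COUNTER_MODULUS = 256  # constructed value, not Profisafe's actual range


def frame_crc(data: bytes, consecutive_number: int) -> int:
    """CRC over the data part, seeded with the local consecutive number."""
    seed = zlib.crc32(consecutive_number.to_bytes(4, "big"))
    return zlib.crc32(data, seed)


def build_telegram(data: bytes, consecutive_number: int) -> bytes:
    """Data part followed by a 4-byte CRC; the counter itself is not included."""
    return data + frame_crc(data, consecutive_number).to_bytes(4, "big")


class Monitor:
    """Passive checker like the Wireshark plugin mentioned above: recompute the
    CRC from the data part with its own counter and compare with the sent CRC."""

    def __init__(self, start_number: int = 0):
        self.counter = start_number

    def check(self, telegram: bytes) -> bool:
        data, sent_crc = telegram[:-4], int.from_bytes(telegram[-4:], "big")
        ok = frame_crc(data, self.counter) == sent_crc
        # Each side steps its own counter; nothing on the wire resynchronises it.
        self.counter = (self.counter + 1) % COUNTER_MODULUS
        return ok


def demo() -> dict:
    # Constructed sample traffic: three telegrams from a sender whose counter began at 0.
    telegrams = [build_telegram(bytes([i, 0x10]), i) for i in range(3)]
    in_sync = Monitor(start_number=0)          # captured from the start of comms
    late = Monitor(start_number=0)             # capture began one telegram late
    corrupted = bytearray(telegrams[2])
    corrupted[0] ^= 0x01                       # a single flipped data bit
    return {
        "in_sync": [in_sync.check(t) for t in telegrams],
        "late": [late.check(t) for t in telegrams[1:]],
        "corruption_detected": not Monitor(start_number=2).check(bytes(corrupted)),
    }


if __name__ == "__main__":
    print(demo())
```

The late monitor reports a mismatch on every telegram even though nothing was altered, which is exactly why a checker needs the counter state, not just the bytes on the wire.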
See the attached image, about what protections the Profisafe system description says it has. I don't see any statements in the v2.5 environment document you mention that indicate specific weaknesses. I read it as recommending layered protection, which is a smart security practice regardless.
That said, you clearly have way more protocol dissection experience than I do; all I know about the bits and bytes of profisafe I've read from manuals.
That's interesting. I've reverse engineered this protocol (search for s7comm-plus); it's complete and open source since the end of 2014, I think.
Oh my, you're THAT thomas V2. Thank you very much for your work! I've been using the classic plugin for a while.
I've tried downloading the newer plus plugin recently, but it doesn't seem to work with Wireshark V2 (or my PC, whichever). I haven't gone so far as to re-install V1, or try to compile the plugin myself yet. It looks like the most current S7comm-plus download is from early 2015, and is way behind the code in the trunk. Or maybe I have no idea how to use sourceforge. Both are strong possibilities.
I can submit a bug report, if that would help.
For a commercial product, you have to prove that you haven't done the reverse engineering by decompilation or such things. I guessed that you won't get the keys without doing this. But I only have very basic knowledge in cryptography; maybe you can buy such information from Siemens, if you pay enough....
I know wireless security (WPA2) is based on a mutual exchange of keys, so it is possible something like that is at play here between the two partners.
Regardless, I can't imagine Siemens playing nice with a competitor at that level. WinCC and Wonderware are direct competitors. I'd think they'd be more likely to let their PLCs act as an EIP controller first....
Anything's possible, though, I guess. $$$ does tend to change minds, even German ones.