Analyzing encrypted OPC UA traffic with Wireshark

Unified Automation updates the Wireshark OpcUaBinary dissector with an extension that allows analyzing encrypted OPC UA messages.

The first Wireshark dissector for OPC Unified Architecture (OPC UA) messages using the OPC UA Binary Protocol was developed by ascolab GmbH in 2009 and integrated into Wireshark version 1.2.1. This initial dissector allowed users to analyze OPC UA request and response messages and provided Wireshark with capture filtering capabilities for diagnostics and troubleshooting. However, when using secure OPC UA endpoints, the UA messages are encrypted according to the chosen OPC UA SecurityPolicy. As a result, the recorded traffic appeared as unintelligible data (exactly as encryption intends), which made it useless for troubleshooting.

Gerhard Gappmeier, Lead Software Architect at Unified Automation, who developed the original dissector, has now extended it with decryption capabilities. Similar to how Wireshark handles encrypted traffic such as HTTPS, the updated OPC UA dissector allows users to add the symmetric keys to the recording, enabling decryption of the messages. After incorporating the symmetric key files, what initially appears as garbled traffic is transformed into readable, clear messages. This feature was integrated into Wireshark in version 4.4, which is now available in the latest release.

Unified Automation's OPC UA Server and Client SDKs allow, with appropriate privileges, the storage of symmetric keys in a file. When capturing encrypted OPC UA traffic, these key files can be added to the pcap recording, or stored separately for later use.

This new feature enables on-site troubleshooting during live production without the need to reduce or disable security measures. It represents a significant milestone in achieving "secure-by-default" OPC UA connectivity, helping to avoid common pitfalls, resolve cross-vendor interoperability issues, and boost confidence in the security of OPC UA communication protocols.

A video showing how to use the new OPC UA dissector can be found here: Youtube-Analyzing encrypted OPC UA traffic

A tutorial for building Wireshark from source can be found here: Youtube-Building Wireshark from source