Wiresharking IEC: Difference between revisions

From Phobos Wiki

Revision as of 16:45, 4 March 2015

Some basic filters for analysing Wireshark captures of IEC protocols

IEC60870-5-104

Filter information object address 401

 104asdu.ioa == 401 

Display packets with TCP length > 0 (no ACK messages)

tcp.len>0

Display packets involving 192.168.0.111

ip.addr==192.168.0.111

Display packets involving TCP port 2404

tcp.port==2404
  • Inrogen: GI
  • Spont: Spontaneous event
  • IOA: Information Object Address
  • Act: activation message (select/execute)
  • ActCon: activation confirmation
  • ActTerm: activation termination
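
The following sketch is an added example, not part of the original wiki page. It decodes the same fields the filter and glossary above refer to (cause of transmission and IOA) directly from APDU bytes, including the SQ=1 case where IOA 401 is addressed without appearing literally in the frame. It assumes the default IEC 60870-5-104 field sizes (2-byte cause of transmission, 2-byte common address, 3-byte IOA); the function names and sample frames are constructed for illustration.

```python
import struct

# Cause-of-transmission codes for the abbreviations listed above (IEC 60870-5-101/104).
COT_NAMES = {3: "Spont", 6: "Act", 7: "ActCon", 10: "ActTerm", 20: "Inrogen"}
# Bytes per information element, for a few type IDs only (table is not exhaustive).
ELEMENT_LEN = {1: 1, 13: 5, 30: 8, 45: 1, 100: 1}

def parse_i_frame(apdu: bytes):
    """Decode one I-format APDU. Returns None for S/U frames or malformed input."""
    if len(apdu) < 6 or apdu[0] != 0x68 or apdu[1] != len(apdu) - 2:
        return None
    if apdu[2] & 0x01:                 # bit 0 of control octet 1 set: S or U format
        return None
    asdu = apdu[6:]
    if len(asdu) < 9:                  # type, VSQ, COT, originator, CA(2), IOA(3)
        return None
    type_id, vsq, cot, _orig, ca = struct.unpack_from("<BBBBH", asdu)
    count, is_sequence = vsq & 0x7F, bool(vsq & 0x80)
    first_ioa = int.from_bytes(asdu[6:9], "little")
    if is_sequence:                    # SQ=1: one base IOA, following objects are +1
        ioas = [first_ioa + i for i in range(count)]
    elif type_id in ELEMENT_LEN:       # SQ=0: every object carries its own IOA
        step = 3 + ELEMENT_LEN[type_id]
        ioas = [int.from_bytes(asdu[o:o + 3], "little")
                for o in range(6, 6 + step * count, step) if o + 3 <= len(asdu)]
    else:
        ioas = [first_ioa]             # unknown element size: only the first IOA is safe
    cause = cot & 0x3F
    return {"type_id": type_id, "cot": COT_NAMES.get(cause, str(cause)),
            "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
            "common_address": ca, "ioas": ioas}

def has_ioa(apdu: bytes, ioa: int) -> bool:
    """Byte-level counterpart of filtering on one information object address."""
    frame = parse_i_frame(apdu)
    return frame is not None and ioa in frame["ioas"]

# Constructed sample frames (not taken from a real capture).
SPONT = bytes.fromhex("680e0000000001010300010091010001")        # single point, IOA 401
GI_ACT = bytes.fromhex("680e0000000064010600010000000014")       # interrogation command
GI_SEQ = bytes.fromhex("681002000000018314000100900100000100")   # SQ=1, IOAs 400..402
S_FRAME = bytes.fromhex("680401000200")                          # acknowledgement only

if __name__ == "__main__":
    for name, raw in [("SPONT", SPONT), ("GI_ACT", GI_ACT),
                      ("GI_SEQ", GI_SEQ), ("S_FRAME", S_FRAME)]:
        print(name, parse_i_frame(raw), has_ioa(raw, 401))
```
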

IEC61850

  • MMS: Manufacturing Message Specification
  • GOOSE: Generic Object Oriented Substation Events

Filter IEC61850 packets

 mms 

Display packets involving TCP port 102

tcp.port==102

Display messages containing domain ID "VampRelay"

mms.domainId == "VampRelay"

Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command)

mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"

Display messages containing control commands (Service request 5 = write)

mms.confirmedServiceRequest == 5

Display packets containing message "success" (response to command message)

mms.Write_Response_item == 1