Wiresharking IEC: Difference between revisions

From Phobos Wiki
Revision as of 13:05, 4 March 2015

Some basic filters for analysing Wireshark captures of IEC protocols

IEC60870-5-104

Filter information object address 401

 104asdu.ioa == 401 

Display packets with TCP length > 0 (no ACK messages)

tcp.len>0

Display packets involving 192.168.0.111

ip.addr==192.168.0.111

Display packets involving TCP port 2404

tcp.port==2404

Inrogen: GI (general interrogation)
Spont: Spontaneous event
IOA: Information Object Address
Act: activation message (select/execute)
ActCon: activation confirmation
ActTerm: activation termination
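
To show what `104asdu.ioa == 401` and the cause-of-transmission labels above correspond to on the wire, this added example (not part of the original wiki page) decodes the ASDU header of IEC 60870-5-104 I-format frames. The sample frames are constructed and the function names are illustrative; only the first IOA of each ASDU is read.

```python
# Added example: decode the IEC 60870-5-104 fields that the filters and
# glossary refer to. All frames below are constructed sample bytes.
COT_NAMES = {3: "Spont", 6: "Act", 7: "ActCon", 10: "ActTerm", 20: "Inrogen"}

def parse_i_frame(apdu: bytes):
    """Return ASDU header fields of an I-format APDU, or None for S/U frames."""
    if len(apdu) < 6 or apdu[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start octet)")
    if apdu[1] != len(apdu) - 2:
        raise ValueError("APDU length octet does not match frame size")
    if apdu[2] & 0x01:            # bit 0 set: S-format (01) or U-format (11)
        return None               # supervisory/control frame, carries no ASDU
    asdu = apdu[6:]               # skip start, length and 4 control octets
    if len(asdu) < 9:
        raise ValueError("ASDU too short for header plus one IOA")
    cause = asdu[2] & 0x3F        # low 6 bits: cause of transmission
    return {
        "type_id": asdu[0],
        "num_objects": asdu[1] & 0x7F,
        "cot": COT_NAMES.get(cause, str(cause)),
        "negative": bool(asdu[2] & 0x40),   # P/N bit
        "test": bool(asdu[2] & 0x80),       # T bit
        "common_addr": int.from_bytes(asdu[4:6], "little"),
        "ioa": int.from_bytes(asdu[6:9], "little"),  # 3 octets, little-endian
    }

def filter_ioa(frames, ioa):
    """Keep I-frames whose first IOA equals ioa; return their COT labels."""
    hits = []
    for frame in frames:
        fields = parse_i_frame(frame)
        if fields and fields["ioa"] == ioa:
            hits.append(fields["cot"])
    return hits

# Constructed frames: single command (type 45) to IOA 401, its confirmation,
# and an S-format acknowledgement that has TCP payload but no ASDU.
SAMPLE_FRAMES = [
    bytes.fromhex("680e00000000" "2d01" "0600" "0100" "910100" "01"),
    bytes.fromhex("680e00000200" "2d01" "0700" "0100" "910100" "01"),
    bytes.fromhex("680401000200"),
]

if __name__ == "__main__":
    print(filter_ioa(SAMPLE_FRAMES, 401))
```

The S-format frame passes `tcp.len>0` because it carries APCI bytes, but it has no ASDU, so an IOA filter never matches it.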

IEC61850

MMS: Manufacturing Message Specification
GOOSE: Generic Object Oriented Substation Events

Filter IEC61850 packets

 mms 

Display packets involving TCP port 102

tcp.port==102

Display messages containing domain ID "VampRelay"

mms.domainId == "VampRelay"

Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command)

mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"