Wiresharking IEC: Difference between revisions

From Phobos Wiki
Revision as of 17:33, 4 March 2015

Some basic display filters for analysing Wireshark captures of IEC protocols

IEC60870-5-104

Display packets with TCP payload length > 0 (hides pure ACK segments)

tcp.len>0

Display packets involving 192.168.0.111

ip.addr==192.168.0.111

Display packets involving TCP port 2404

tcp.port==2404

Filter on information object address (IOA) 401

104asdu.ioa == 401

Show spontaneous events (COT==3)

104asdu.causetx == 3

Show packets containing activation, activation confirmation and activation termination messages (COT 6, 7, 10)

104asdu.causetx == 6 || 104asdu.causetx == 7 || 104asdu.causetx == 10

Show packets containing Testframe activation, Testframe confirmation

104apci.utype == 0x10 || 104apci.utype == 0x20

Show General Interrogation activation, confirmation, termination (Global and Group1...16)

104asdu.typeid == 100    Interrogation command: Global, Group1...Group16
104asdu.qoi == 20        Global
104asdu.qoi == 21        Group1
104asdu.qoi == 35        Group15
                         Do not use Group 16 with Martem devices; it is reserved.
  • Inrogen: interrogated by GI (general interrogation) (COT 20...36)
  • Spont: spontaneous event (COT 3)
  • IOA: Information Object Address
  • Act: activation message (select/execute) (COT 6)
  • ActCon: activation confirmation (COT 7)
  • ActTerm: activation termination (COT 10)
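To see what the 104 filters above actually test, the following added example (not from this wiki page) decodes the APCI and ASDU header fields that the filter names refer to (104apci.utype, 104asdu.typeid, 104asdu.causetx, 104asdu.ioa, 104asdu.qoi) and evaluates the page's filter expressions against them. The sample APDUs are constructed by hand for the example and are not captures from any real device; the field names and bit masks follow Wireshark's IEC 104 dissector.

```python
"""Decode IEC 60870-5-104 APDUs and evaluate the wiki's display-filter conditions.

Constructed example: minimal parser for the APCI/ASDU header fields used by the
Wireshark filters on this page. The sample frames below were assembled by hand
(standard 104 parameters: 2-byte COT, 2-byte common address, 3-byte IOA).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Callable

# Constructed sample APDUs (hex), each a complete frame starting with 0x68.
SAMPLES: Dict[str, bytes] = {
    # U-format TESTFR act: control byte 0x43 -> 104apci.utype 0x10
    "testfr_act": bytes.fromhex("68 04 43 00 00 00"),
    # U-format TESTFR con: control byte 0x83 -> 104apci.utype 0x20
    "testfr_con": bytes.fromhex("68 04 83 00 00 00"),
    # S-format acknowledgement (receive sequence 2), carries no ASDU
    "s_ack": bytes.fromhex("68 04 01 00 04 00"),
    # I-format, type 100 (interrogation command), COT 6 (Act), CA 1, IOA 0, QOI 20 (global)
    "gi_act": bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14"),
    # I-format, type 1 (single point), COT 3 (Spont), CA 1, IOA 401, SIQ 0x01
    "spont_401": bytes.fromhex("68 0E 02 00 00 00 01 01 03 00 01 00 91 01 00 01"),
}


@dataclass
class Apdu:
    fmt: str                       # "I", "S" or "U"
    utype: Optional[int] = None    # 104apci.utype (U-frames only)
    typeid: Optional[int] = None   # 104asdu.typeid
    causetx: Optional[int] = None  # 104asdu.causetx (cause of transmission, 6 bits)
    ioa: Optional[int] = None      # 104asdu.ioa of the first information object
    qoi: Optional[int] = None      # 104asdu.qoi (qualifier of interrogation, type 100)


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU; raises ValueError on malformed input instead of guessing."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if data[1] != len(data) - 2:
        raise ValueError(f"length field {data[1]} does not match {len(data) - 2} bytes")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:
        fmt = "I"
    elif ctrl1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt == "U":
        # Wireshark's utype is the control byte with the two format bits removed:
        # 0x43 -> 0x10 (TESTFR act), 0x83 -> 0x20 (TESTFR con)
        return Apdu(fmt="U", utype=ctrl1 >> 2)
    if fmt == "S":
        return Apdu(fmt="S")
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("I-frame too short for an ASDU header")
    typeid = asdu[0]
    num_objects = asdu[1] & 0x7F          # VSQ without the SQ bit
    causetx = asdu[2] & 0x3F              # mask off the T (test) and P/N bits
    ioa = qoi = None
    if num_objects >= 1 and len(asdu) >= 9:
        ioa = int.from_bytes(asdu[6:9], "little")
        if typeid == 100 and len(asdu) >= 10:
            qoi = asdu[9]
    return Apdu(fmt="I", typeid=typeid, causetx=causetx, ioa=ioa, qoi=qoi)


# The page's filter expressions, re-expressed as predicates over the parsed fields.
FILTERS: Dict[str, Callable[[Apdu], bool]] = {
    "104asdu.ioa == 401": lambda a: a.ioa == 401,
    "104asdu.causetx == 3": lambda a: a.causetx == 3,
    "104asdu.causetx == 6 || 104asdu.causetx == 7 || 104asdu.causetx == 10":
        lambda a: a.causetx in (6, 7, 10),
    "104apci.utype == 0x10 || 104apci.utype == 0x20": lambda a: a.utype in (0x10, 0x20),
    "104asdu.typeid == 100": lambda a: a.typeid == 100,
    "104asdu.qoi == 20": lambda a: a.qoi == 20,
}


def matching_filters(data: bytes) -> List[str]:
    """Return the filter expressions that would display this APDU in Wireshark."""
    apdu = parse_apdu(data)
    return [expr for expr, pred in FILTERS.items() if pred(apdu)]


if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:11s} {parse_apdu(frame)}")
        for expr in matching_filters(frame):
            print(f"    matches: {expr}")
```

Running the script prints each constructed frame's decoded fields followed by the page's filters it would match; the S-frame matches none, which is what `tcp.len>0` style filtering is also relying on when it hides acknowledgement-only traffic.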

IEC61850

MMS: Manufacturing Message Specification
GOOSE: Generic Object Oriented Substation Events

Filter IEC 61850 MMS packets

mms

Display packets involving TCP port 102

tcp.port==102

Display messages containing domain ID "VampRelay"

mms.domainId == "VampRelay"

Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command)

mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"

Display messages containing control commands (confirmed service request 5 = write)

mms.confirmedServiceRequest == 5

Display packets containing a "success" write response (the reply to a command message)

mms.Write_Response_item == 1