Wiresharking IEC
Revision as of 17:33, 4 March 2015
Some basic Wireshark display filters for analysing captures of IEC protocols
IEC60870-5-104
Display packets with TCP payload length > 0 (excludes pure ACK segments)
tcp.len>0
Display packets involving 192.168.0.111
ip.addr==192.168.0.111
Display packets involving TCP port 2404
tcp.port==2404
Filter information object address 401
104asdu.ioa == 401
Show spontaneous events (COT==3)
104asdu.causetx == 3
Show packets containing activation, activation confirmation and activation termination messages (COT 6, 7, 10)
104asdu.causetx == 6 || 104asdu.causetx == 7 || 104asdu.causetx == 10
Show packets containing Testframe activation, Testframe confirmation
104apci.utype == 0x10 || 104apci.utype == 0x20
Show General Interrogation activation, confirmation, termination (Global and Group1...16)
104asdu.typeid == 100    Interrogation command (Global, Group1...Group16)
104asdu.qoi == 20        Global
104asdu.qoi == 21        Group1
104asdu.qoi == 35        Group15
Do not use Group 16 with Martem devices. This is reserved.
- Inrogen: GI (COT 20...36 )
- Spont: Spontaneous event (COT 3)
- IOA: Information Object Address
- Act: activation message (select/execute) (COT 6)
- ActCon: activation confirmation (COT 7)
- ActTerm: activation termination (COT 10)
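To see what the 104asdu/104apci fields above are actually matching on, here is an added example (not part of the original wiki page) that decodes raw IEC 60870-5-104 APDUs into the same fields and labels them the way the filters select them. It assumes the usual 104 sizes (2-octet COT, 2-octet common address, 3-octet IOA) and uses hand-built sample APDUs, not frames from a real capture.

```python
import struct

# COT values the filters above key on (IEC 60870-5-101 table); 21..36 = group 1..16
COT_NAMES = {3: "Spont", 6: "Act", 7: "ActCon", 10: "ActTerm", 20: "Inrogen",
             **{20 + g: f"Inro{g}" for g in range(1, 17)}}
# U-frame function codes numbered like Wireshark's 104apci.utype ((ctrl1 & 0xFC) >> 2)
U_NAMES = {0x01: "STARTDT act", 0x02: "STARTDT con", 0x04: "STOPDT act",
           0x08: "STOPDT con", 0x10: "TESTFR act", 0x20: "TESTFR con"}

def parse_apdu(raw: bytes) -> dict:
    """Decode one APDU into the fields the Wireshark filters use.
    Assumes the usual 104 sizes: 2-octet COT, 2-octet CA, 3-octet IOA."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed 104 APDU")
    c1 = raw[2]
    if c1 & 0x03 == 0x03:                          # U-frame (control bits 11)
        return {"frame": "U", "utype": (c1 & 0xFC) >> 2}
    if c1 & 0x03 == 0x01:                          # S-frame (control bits 01), ack only
        return {"frame": "S"}
    asdu = raw[6:]                                 # I-frame: ASDU follows the 4 APCI octets
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    f = {"frame": "I", "typeid": asdu[0], "causetx": asdu[2] & 0x3F,
         "ca": struct.unpack("<H", asdu[4:6])[0],
         "ioa": int.from_bytes(asdu[6:9], "little")}
    if f["typeid"] == 100 and len(asdu) > 9:       # C_IC_NA_1 carries a QOI octet
        f["qoi"] = asdu[9]
    return f

def describe(f: dict) -> str:
    """Label a decoded frame the way the filters above select it."""
    if f["frame"] == "U":
        return U_NAMES.get(f["utype"], f"U-frame utype=0x{f['utype']:02x}")
    if f["frame"] == "S":
        return "S-frame (ack only)"
    cot = COT_NAMES.get(f["causetx"], f"COT {f['causetx']}")
    if f["typeid"] == 100:
        q = f.get("qoi")
        grp = "Global" if q == 20 else f"Group{q - 20}" if q and 21 <= q <= 36 else f"QOI {q}"
        return f"GI {cot} {grp}"
    return f"typeid {f['typeid']} {cot} IOA {f['ioa']}"

# Constructed sample APDUs (hand-built for this example, not from a real capture)
TESTFR_ACT = bytes.fromhex("68 04 43 00 00 00")
GI_ACT = bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14")     # C_IC_NA_1, Act, Global
SPONT_401 = bytes.fromhex("68 0e 00 00 00 00 01 01 03 00 01 00 91 01 00 01")  # M_SP_NA_1, Spont, IOA 401

if __name__ == "__main__":
    for apdu in (TESTFR_ACT, GI_ACT, SPONT_401):
        print(apdu.hex(), "->", describe(parse_apdu(apdu)))
```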
IEC61850
MMS: Manufacturing Message Specification
GOOSE: Generic Object Oriented Substation Events
Filter IEC61850 packets
mms
Display packets involving TCP port 102
tcp.port==102
Display messages containing domain ID "VampRelay"
mms.domainId == "VampRelay"
Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command)
mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"
Display messages containing control commands (Service request 5 = write)
mms.confirmedServiceRequest == 5
Display packets containing a write response with result "success" (response to a command message)
mms.Write_Response_item == 1