Wiresharking IEC: Difference between revisions

From Phobos Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 3: Line 3:
Dispaly packages with TCP length>0 (no ack messages)
Dispaly packages with TCP length>0 (no ack messages)
<pre>tcp.len>0</pre>
<pre>tcp.len>0</pre>
Display packets involving 192.168.0.111
Packets involving 192.168.0.111
<pre>ip.addr==192.168.0.111</pre>
<pre>ip.addr==192.168.0.111</pre>
Display packets involving TCP port 2404
TCP port 2404
<pre>tcp.port==2404</pre>
<pre>tcp.port==2404</pre>
Filter information object address 401
Information object address 401
<pre> 104asdu.ioa == 401 </pre>
<pre> 104asdu.ioa == 401 </pre>
Show spontaneous events (COT==3)
Spontaneous events (COT==3)
<pre>104asdu.causetx == 3</pre>
<pre>104asdu.causetx == 3</pre>
Show packets containing command messages (COT 6, 7, 10)
Command messages (COT 6, 7, 10)
<pre>104asdu.causetx == 6  Activation
<pre>104asdu.causetx == 6  //Activation
104asdu.causetx == 7  Confirmation
104asdu.causetx == 7  //Confirmation
104asdu.causetx == 10  Termination</pre>
104asdu.causetx == 10  //Termination</pre>
Show packets containing Testframe messages
Testframe messages
<pre>104apci.utype == 0x10  Activation
<pre>104apci.utype == 0x10  //Activation
104apci.utype == 0x20  Confirmation</pre>
104apci.utype == 0x20  //Confirmation</pre>
Show S-Type messages
S-Type messages
<pre>104apci.type == 0x01</pre>
<pre>104apci.type == 0x01</pre>
Show General Interrogation commands
General Interrogation commands
<pre>104asdu.typeid == 100  Global, Group1...Group16
<pre>104asdu.typeid == 100  //Global, Group1...Group16
104asdu.qoi == 20      Global
104asdu.qoi == 20      //Global
104asdu.qoi == 21      Group1
104asdu.qoi == 21      //Group1
104asdu.qoi == 35      Group15
104asdu.qoi == 35      //Group15
                         Do not use Group 16 with Martem devices. This is reserved.
                         <code>Do not use Group 16 GI with Martem devices. This is reserved.</code>
</pre>  
</pre>  
Show clock syncronisation commands
Clock syncronisation commands
<pre>104asdu.typeid == 103</pre>  
<pre>104asdu.typeid == 103</pre>  


Revision as of 17:54, 4 March 2015

Some basic filters for analysing wireshark logs in case of IEC protocols

IEC60870-5-104

Dispaly packages with TCP length>0 (no ack messages) 

tcp.len>0

Packets involving 192.168.0.111 

ip.addr==192.168.0.111

TCP port 2404 

tcp.port==2404

Information object address 401 

 104asdu.ioa == 401

Spontaneous events (COT==3) 

104asdu.causetx == 3

Command messages (COT 6, 7, 10) 

104asdu.causetx == 6  //Activation
104asdu.causetx == 7   //Confirmation
104asdu.causetx == 10   //Termination

Testframe messages 

104apci.utype == 0x10   //Activation
104apci.utype == 0x20   //Confirmation

S-Type messages 

104apci.type == 0x01

General Interrogation commands 

104asdu.typeid == 100   //Global, Group1...Group16
104asdu.qoi == 20       //Global
104asdu.qoi == 21       //Group1
104asdu.qoi == 35       //Group15
                        <code>Do not use Group 16 GI with Martem devices. This is reserved.</code>

Clock syncronisation commands 

104asdu.typeid == 103

IEC61850

MMS: Manufacturing Message Specification GOOSE: Generic Object Oriented Substation Events

Filter IEC61850 packets 

 mms

Display packets involving TCP port 102 

tcp.port==102

Display messages containing domain ID "VampRelay" 

mms.domainId == "VampRelay"

Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command) 

mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"

Display messages containing control commands (Service request 5 = write) 

mms.confirmedServiceRequest == 5

Dispaly packets containing message "success" (response to command message) 

mms.Write_Response_item == 1
Retrieved from "https://phobos.martem.ee/w/index.php?title=Wiresharking_IEC&oldid=1755"