Wiresharking IEC: Difference between revisions
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
Dispaly packages with TCP length>0 (no ack messages) | Dispaly packages with TCP length>0 (no ack messages) | ||
<pre>tcp.len>0</pre> | <pre>tcp.len>0</pre> | ||
Packets involving 192.168.0.111 | |||
<pre>ip.addr==192.168.0.111</pre> | <pre>ip.addr==192.168.0.111</pre> | ||
TCP port 2404 | |||
<pre>tcp.port==2404</pre> | <pre>tcp.port==2404</pre> | ||
Information object address 401 | |||
<pre> 104asdu.ioa == 401 </pre> | <pre> 104asdu.ioa == 401 </pre> | ||
Spontaneous events (COT==3) | |||
<pre>104asdu.causetx == 3</pre> | <pre>104asdu.causetx == 3</pre> | ||
Command messages (COT 6, 7, 10) | |||
<pre>104asdu.causetx == 6 Activation | <pre>104asdu.causetx == 6 //Activation | ||
104asdu.causetx == 7 Confirmation | 104asdu.causetx == 7 //Confirmation | ||
104asdu.causetx == 10 Termination</pre> | 104asdu.causetx == 10 //Termination</pre> | ||
Testframe messages | |||
<pre>104apci.utype == 0x10 Activation | <pre>104apci.utype == 0x10 //Activation | ||
104apci.utype == 0x20 Confirmation</pre> | 104apci.utype == 0x20 //Confirmation</pre> | ||
S-Type messages | |||
<pre>104apci.type == 0x01</pre> | <pre>104apci.type == 0x01</pre> | ||
General Interrogation commands | |||
<pre>104asdu.typeid == 100 Global, Group1...Group16 | <pre>104asdu.typeid == 100 //Global, Group1...Group16 | ||
104asdu.qoi == 20 Global | 104asdu.qoi == 20 //Global | ||
104asdu.qoi == 21 Group1 | 104asdu.qoi == 21 //Group1 | ||
104asdu.qoi == 35 Group15 | 104asdu.qoi == 35 //Group15 | ||
Do not use Group 16 with Martem devices. This is reserved. | <code>Do not use Group 16 GI with Martem devices. This is reserved.</code> | ||
</pre> | </pre> | ||
Clock syncronisation commands | |||
<pre>104asdu.typeid == 103</pre> | <pre>104asdu.typeid == 103</pre> | ||
Revision as of 17:54, 4 March 2015
Some basic filters for analysing wireshark logs in case of IEC protocols
IEC60870-5-104
Dispaly packages with TCP length>0 (no ack messages)
tcp.len>0
Packets involving 192.168.0.111
ip.addr==192.168.0.111
TCP port 2404
tcp.port==2404
Information object address 401
104asdu.ioa == 401
Spontaneous events (COT==3)
104asdu.causetx == 3
Command messages (COT 6, 7, 10)
104asdu.causetx == 6 //Activation 104asdu.causetx == 7 //Confirmation 104asdu.causetx == 10 //Termination
Testframe messages
104apci.utype == 0x10 //Activation 104apci.utype == 0x20 //Confirmation
S-Type messages
104apci.type == 0x01
General Interrogation commands
104asdu.typeid == 100 //Global, Group1...Group16
104asdu.qoi == 20 //Global
104asdu.qoi == 21 //Group1
104asdu.qoi == 35 //Group15
<code>Do not use Group 16 GI with Martem devices. This is reserved.</code>
Clock syncronisation commands
104asdu.typeid == 103
IEC61850
MMS: Manufacturing Message Specification GOOSE: Generic Object Oriented Substation Events
Filter IEC61850 packets
mms
Display packets involving TCP port 102
tcp.port==102
Display messages containing domain ID "VampRelay"
mms.domainId == "VampRelay"
Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command)
mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"
Display messages containing control commands (Service request 5 = write)
mms.confirmedServiceRequest == 5
Dispaly packets containing message "success" (response to command message)
mms.Write_Response_item == 1