Wiresharking IEC

From Phobos Wiki
Revision as of 17:51, 4 March 2015 by Alfred (talk | contribs)

Some basic Wireshark display filters for analysing captures of IEC protocols.

IEC60870-5-104

Display packets with TCP payload length > 0 (i.e. hide pure ACK segments)

tcp.len>0

Display packets involving 192.168.0.111

ip.addr==192.168.0.111

Display packets involving TCP port 2404

tcp.port==2404

Filter information object address 401

104asdu.ioa == 401

Show spontaneous events (COT==3)

104asdu.causetx == 3

Show packets containing command messages (COT 6, 7, 10)

104asdu.causetx == 6    Activation
104asdu.causetx == 7    Confirmation
104asdu.causetx == 10   Termination

Show packets containing Testframe messages

104apci.utype == 0x10   Activation
104apci.utype == 0x20   Confirmation

Show S-Type messages

104apci.type == 0x01

Show General Interrogation commands

104asdu.typeid == 100   Global, Group1...Group16
104asdu.qoi == 20       Global
104asdu.qoi == 21       Group1
104asdu.qoi == 35       Group15
                        Do not use Group 16 with Martem devices. This is reserved.

Show clock synchronisation commands

104asdu.typeid == 103

IEC61850

MMS: Manufacturing Message Specification
GOOSE: Generic Object Oriented Substation Events

Filter IEC61850 packets

mms

Display packets involving TCP port 102

tcp.port==102

Display messages containing domain ID "VampRelay"

mms.domainId == "VampRelay"

Display messages containing item ID "VI1GGIO137$CO$SPCSO$Oper" (VI1 control command)

mms.itemId == "VI1GGIO137$CO$SPCSO$Oper"

Display messages containing control commands (confirmed service request 5 = Write)

mms.confirmedServiceRequest == 5

Display packets containing a Write response with result "success" (response to a command message)

mms.Write_Response_item == 1