Hi, today I tried to log some IEC 60870-5-104 traffic, to read those logs and to find some special data traffic. I was able to find ASDU1 and ASDU2 but wasn't able to make out IOA1, IOA2, IOA3. Sure, I found IOA=123485 (for example), but since the IOA value changes from 1 to 12 (so it can be 12 - 34 or 12 - 3 - 4), how can I read those values exactly? And what does Addr. mean (it's above the IOA)? Thanks for your support, Martin

Edit: Hi, OK, I'll try to explain. The logfile is in the attachment, also a screenshot from an Excel file for one IEC address of one variable. An IEC address for one data point which is transferred from one system to another consists of ASDU1, ASDU2, IOA1, IOA2, IOA3. When I log some IEC traffic, IOA1-IOA3 are important to identify a special variable which I'm searching for. At the moment all I can see is one IOA value and I don't know how to "divide" it to get the correct values. (screenshot attached) Hope I was able to explain!

Edit2: Logfile added

asked 09 Aug '12, 11:28 Martin7 edited 10 Aug '12, 05:08
2 Answers:
I don't have access to the -104 spec, only -101, but I believe the ASDU is the same. Without your actual capture, which would make things so much easier to explain, I'll do what I can from your screenshot. The -104 dissector formats the fields in the packet details pane (the tree) in a somewhat "odd" manner IMHO.

So the ASDU starts with the Type Identifier field (TypeID) at octet 0, which is 36 in your example, indicating a measured value of type short floating point with a timestamp. Next is the number of Information elements at octet 1, displayed as NumIX, which is 1 in your example. Next is the Cause of Transmission (COT) at octet 2, which is comprised of the Cause, displayed as CauseTX (in your example this is 3, indicating spontaneous), the Negative confirm flag, displayed as Negative, which is false, and the Test flag, displayed as Test, which is also false. The 3 elements of the COT octet are broken out into 3 lines of display. After that comes the Originator Address (OA), octet 3, which is 0. After that comes the Common Address of ASDU. This field is displayed as Addr and is two octets, LSB first; in your example it is decoded as 10516. After that comes the Information Object Address, displayed as IOA and comprising 3 octets, LSB first. In your example this is decoded as 176843.

The info column for your selected packet oddly shows the Common Address of ASDU as the two octet values, the low byte (20) then the high byte (41), whereas the packet details field shows the address as a 16 bit value 10516 (41 * 256 + 20). The IOA is shown in both the packet list info column and the packet details as the 24 bit value 176843.

So, to filter on a specific IOA value you must convert your IOA1, IOA2, IOA3 values into the appropriate 24 bit value. To do this, substitute the values into this equation: IOA3 * 65536 + IOA2 * 256 + IOA1. Using the values in your jpg (from some config doc?) of IOA1 = 16, IOA2 = 2, IOA3 = 101 gives an IOA value of 6619664.
You would then use a display filter of "104asdu.ioa == 6619664".

answered 10 Aug '12, 03:48 grahamb ♦ edited 10 Aug '12, 05:35

Hi, I tried to upload the original capture file, but it told me only specific types of file (only jpeg, tif and so on) can be uploaded. Is there a way to upload a *.pcap file? (10 Aug '12, 04:46) Martin7

The way "normally" used here is to upload to Cloudshark, but do bear in mind that (currently) captures posted there are public to all and should not contain sensitive information. (10 Aug '12, 05:02) grahamb ♦

Hi, thanks for the information, I did the upload and posted it in the first post. So many thanks for your help. (10 Aug '12, 05:09) Martin7

Thanks for the capture. I forgot to mention two things:
(10 Aug '12, 05:14) grahamb ♦

Typo. I've fixed it. (10 Aug '12, 05:34) grahamb ♦
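The octet layout grahamb describes above (TypeID, NumIX, COT, OA, two-octet Common Address, three-octet IOA, all multi-octet fields LSB first) and the IOA3 * 65536 + IOA2 * 256 + IOA1 conversion are easy to get wrong by hand, so here is an added worked example in Python that is not part of the answer or of Wireshark's dissector. It parses a constructed ASDU whose header values match the ones discussed in the thread (TypeID 36, Common Address 10516 sent as bytes 20, 41, IOA 176843), splits and recombines IOA parts, builds the matching display filter string, and decodes the short-float value that follows the IOA for TypeID 36. The sample bytes, the 12.5 measured value and the zeroed quality/time octets are constructed for the example; bit positions in the COT and QDS octets follow the IEC 60870-5-101 definitions.

```python
import struct

# Constructed sample ASDU (not the thread's capture). Header values mirror the
# screenshot discussed in the answer: TypeID 36, NumIX 1, COT 3 (spontaneous),
# OA 0, Common Address 10516 (octets 20, 41), IOA 176843 (octets CB B2 02).
# The information element for TypeID 36 (M_ME_TF_1) is a 4-octet IEEE 754
# short float (LSB first), one QDS quality octet and a 7-octet CP56Time2a tag.
SAMPLE_ASDU = bytes([
    36,                 # octet 0: TypeID
    1,                  # octet 1: SQ bit clear, NumIX = 1
    3,                  # octet 2: cause 3, negative = 0, test = 0
    0,                  # octet 3: Originator Address
    20, 41,             # octets 4-5: Common Address, LSB first -> 41*256 + 20
    0xCB, 0xB2, 0x02,   # octets 6-8: IOA, LSB first -> 0x02B2CB = 176843
]) + struct.pack("<f", 12.5) + bytes([0x00]) + bytes(7)   # value, QDS, time tag


def parse_asdu_header(data: bytes) -> dict:
    """Decode the fixed ASDU header as the -104 dissector displays it."""
    if len(data) < 9:
        raise ValueError("ASDU shorter than the 9-octet header")
    return {
        "type_id": data[0],
        "sq": bool(data[1] & 0x80),          # structure qualifier
        "num_ix": data[1] & 0x7F,            # number of information objects
        "cause_tx": data[2] & 0x3F,          # cause of transmission
        "negative": bool(data[2] & 0x40),    # negative confirm flag
        "test": bool(data[2] & 0x80),        # test flag
        "oa": data[3],                       # originator address
        "addr": data[4] | (data[5] << 8),    # Common Address of ASDU
        "ioa": data[6] | (data[7] << 8) | (data[8] << 16),
    }


def ioa_from_parts(ioa1: int, ioa2: int, ioa3: int) -> int:
    """Combine the three configuration-sheet octets into the 24-bit IOA."""
    for part in (ioa1, ioa2, ioa3):
        if not 0 <= part <= 255:
            raise ValueError(f"IOA octet out of range: {part}")
    return ioa3 * 65536 + ioa2 * 256 + ioa1


def ioa_to_parts(ioa: int) -> tuple:
    """Split a dissector-reported 24-bit IOA back into (IOA1, IOA2, IOA3)."""
    if not 0 <= ioa <= 0xFFFFFF:
        raise ValueError(f"IOA out of 24-bit range: {ioa}")
    return (ioa & 0xFF, (ioa >> 8) & 0xFF, ioa >> 16)


def display_filter(ioa1: int, ioa2: int, ioa3: int) -> str:
    """Wireshark display filter matching one data point's IOA."""
    return f"104asdu.ioa == {ioa_from_parts(ioa1, ioa2, ioa3)}"


def decode_short_float(data: bytes) -> tuple:
    """For TypeID 36 return (value, quality flags) of the first object."""
    hdr = parse_asdu_header(data)
    if hdr["type_id"] != 36:
        raise ValueError("not an M_ME_TF_1 ASDU")
    if len(data) < 9 + 4 + 1 + 7:
        raise ValueError("truncated information object")
    value = struct.unpack_from("<f", data, 9)[0]
    qds = data[13]
    quality = {
        "overflow": bool(qds & 0x01),
        "blocked": bool(qds & 0x10),
        "substituted": bool(qds & 0x20),
        "not_topical": bool(qds & 0x40),
        "invalid": bool(qds & 0x80),
    }
    return value, quality


if __name__ == "__main__":
    print(parse_asdu_header(SAMPLE_ASDU))
    print(ioa_to_parts(176843), ioa_from_parts(16, 2, 101))
    print(display_filter(16, 2, 101))
    print(decode_short_float(SAMPLE_ASDU))
```

The info-column oddity mentioned in the answer is the same Common Address seen before and after the `data[4] | (data[5] << 8)` step: the two raw octets (20, 41) versus the combined 10516.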
O.K., so you think the IEC104 dissector does not handle the protocol in a proper way? If so, please file a bug report at bugs.wireshark.org. However: the specs for IEC 60870-5-104 are not freely available, so it might be difficult to find somebody who can fix it. You will see. Perhaps you can also contact the authors that worked on the dissector and ask them to take a look. You will find some e-mail addresses within the first few lines of the following file:

Regards

answered 10 Aug '12, 02:32 Kurt Knochner ♦

It could be, but I'm not sure at the moment; my first try was this post (thought that I'm just too stupid to get it :) ). Thanks for your support, I'll try to contact one of those guys. (10 Aug '12, 02:36) Martin7

Please check this bug. It's the initial announcement of the dissector: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2840 (10 Aug '12, 03:00) Kurt Knochner ♦
a lot of acronyms. Can you please post a capture file? It would be much easier to follow your explanations/questions.
Hi, yes, sorry for my bad language. I don't have the logfile here, I will post it tomorrow.
Thanks
I did not mean your language, and there is no need to excuse. I just meant the acronyms IOA1, ASDU2, etc.
With a capture file it would be easier to follow what you are seeing (not seeing).