This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DNP3 as default decoding?

From question:

https://ask.wireshark.org/questions/7439/dnp3-decode-as-setting-in-wireshark-163?

The port 20000 spec for DNP3 is mostly observed in the breach (as in, like, never. Even, or especially, with vendors that should know better).

How do I set Wireshark up to look for the 0564 that's at the beginning of a DNP3 communication, and then decode that transmission as DNP3 by default, no matter what ports it's talking to?

If that's not doable, then how do I configure IP addresses that any TCP communications to/from will be decoded as DNP3?

And, barring that... we are lucky in that all our DNP3 comm is on its own physical network. So all TCP on that LAN is DNP. Can I leverage that to make life easier?

thanks!

asked 19 Oct '15, 17:35

jeauxbleaux
accept rate: 0%


One Answer:

Some time ago I added a DNP3 option to heuristically dissect data; you can find it in the DNP 3.0 Protocol options (Edit -> Preferences -> Protocols).

The caveat on that option working correctly is that the data segments must contain the complete data link header, i.e. 10 bytes.

Given the above caveat, enabling that option, and possibly the TCP & UDP option "Try heuristic sub-dissectors first", should allow all DNP3 traffic to be dissected regardless of the port.

If you have a capture of DNP 3.0 traffic where that doesn't work, I'd like to see at least a few frames of that to try to fix the issue.

answered 20 Oct '15, 10:57

grahamb ♦
accept rate: 22%
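The heuristic grahamb describes (look for 0x0564, then require the complete 10-byte data-link header) can be modelled in a few lines. The following is an added Python example for this archive page, not Wireshark's own dissector code. It assumes the standard DNP3 link-layer layout (start bytes, LENGTH, CONTROL, destination, source, then a CRC-16/DNP over those eight bytes sent low byte first) and shows why the full header matters: the start bytes alone are a weak signal on an arbitrary port, while the length sanity check and header CRC let a detector reject look-alike data. The function names and the sample frames are constructed here.

```python
"""Toy model of a port-independent DNP3 heuristic (added example, not Wireshark code)."""

START_BYTES = b"\x05\x64"
LINK_HEADER_LEN = 10  # start(2) + length(1) + control(1) + dest(2) + src(2) + crc(2)


def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected in/out, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def looks_like_dnp3(payload: bytes):
    """True if payload starts with a valid DNP3 link header, False if it clearly
    does not, None if there are too few bytes to decide (the 'must contain the
    complete data link header' caveat from the answer)."""
    if len(payload) < LINK_HEADER_LEN:
        return None
    if payload[:2] != START_BYTES:
        return False
    length = payload[2]
    # LENGTH counts control + dest + src + user data, CRCs excluded: minimum is 5.
    if length < 5:
        return False
    sent_crc = int.from_bytes(payload[8:10], "little")  # CRC is transmitted LSB first
    return crc16_dnp(payload[:8]) == sent_crc


def build_link_header(length: int, control: int, dest: int, src: int) -> bytes:
    """Constructed test input: a DNP3 link header with a correct CRC."""
    body = (START_BYTES + bytes([length, control])
            + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    return body + crc16_dnp(body).to_bytes(2, "little")


def classify(payload: bytes) -> str:
    """Human-readable verdict for a TCP payload seen on any port."""
    verdict = looks_like_dnp3(payload)
    if verdict is None:
        return "undecided: need the full 10-byte link header"
    return "DNP3" if verdict else "not DNP3"


if __name__ == "__main__":
    good = build_link_header(length=5, control=0xC4, dest=1, src=10)  # constructed frame
    short = good[:6]                                                   # header cut off
    bad_crc = good[:8] + bytes([good[8] ^ 0xFF, good[9]])              # CRC byte flipped
    http = b"GET / HTTP/1.1\r\n"                                        # unrelated traffic
    for name, pkt in [("good", good), ("short", short), ("bad_crc", bad_crc), ("http", http)]:
        print(f"{name:8s} -> {classify(pkt)}")
```

The "short" case is the caveat in practice: a segment that carries only part of the link header is not rejected but cannot be classified, which is why the option depends on the full 10 bytes being present in the data segment.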

Wireshark captures DNP3 traffic without any further adjustment; the problem is the version of Wireshark for Win 7. After installing an earlier version on Win 7 the problem remains: it does not see DNP3 traffic. I installed the x86 version and it did not run on Win 7. What I had to do is enable a virtual machine on an x64 processor, run and install WinXP with a version suited to that operating system, and it worked. In Win XP you can see DNP3 packets without making any adjustments in Wireshark.

(04 Nov '16, 17:36) Marcos Valarezo

I capture DNP3 most days on Win 7 and 10 without issue. The OS used should not affect DNP3 (or any other protocols), but other software installed on the system, e.g. VPN, Endpoint Protection etc., can affect captures.

When using Win 7, can you capture the traffic on the expected port at all, regardless of whether it's dissected as DNP3?

What version of Wireshark are you using on both systems?

(04 Nov '16, 17:50) grahamb ♦