This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why can’t Wireshark version 1.2.15 decode DNP3 object 111?


I get "Unknown Object - Abort Decoding" for DNP3 object 111. I know the data is correct by looking at the output from my ASE 2000 Communications test set. Most objects are decoded correctly, but some are not.

asked 07 Apr '16, 05:43


DNP3Master

edited 07 Apr '16, 08:31


Jim Aragon

It seems to be present in the code,

    #define AL_OBJ_OCT_EVT     0x6F00   /* 110 xx Octet string event */

So without a look at the offending packet it's hard to tell.

(07 Apr '16, 06:13) Jaap ♦
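To make the define above concrete, here is an added example (not code from the thread or from the Wireshark DNP3 dissector) that parses a DNP3 application-layer object header and looks the object up by a key built the way the AL_OBJ_* defines are laid out, (group << 8) | variation, so 0x6F00 is group 111. The two lookup tables and the sample header are constructed for illustration; the assumption that groups 110/111 are matched on group only (the variation carries the string length, hence the "xx" in the comment) is mine.

```python
import struct

# Keys in the style of the dissector's AL_OBJ_* defines: (group << 8) | variation.
AL_OBJ_OCT_EVT = 0x6F00   # 111 xx Octet string event (the define quoted in the thread)
AL_OBJ_OCT = 0x6E00       # 110 xx Octet string (constructed companion, not from the page)
# Assumption: for these groups the variation byte is the string length, so any
# variation maps to the group-level key (the "xx" in the source comment).
LENGTH_CODED_GROUPS = {0x6E, 0x6F}

# Constructed tables: one that knows the octet-string objects, one that does not,
# standing in for a build made before the object was added to the dissector.
KNOWN_WITH_OCTET = {AL_OBJ_OCT: "Octet string", AL_OBJ_OCT_EVT: "Octet string event"}
KNOWN_WITHOUT_OCTET = {}

# Constructed sample: group 111, variation 4 (4-byte string), qualifier 0x17
# (8-bit count with 8-bit index prefix), count = 1.
SAMPLE_HDR = bytes([0x6F, 0x04, 0x17, 0x01])

def object_key(group, variation):
    """Build the lookup key the way the AL_OBJ_* defines encode group/variation."""
    if group in LENGTH_CODED_GROUPS:
        variation = 0
    return (group << 8) | variation

def parse_object_header(buf, offset=0):
    """Parse group, variation, qualifier and the range field chosen by the
    qualifier's low nibble (range specifier code) from one object header."""
    group, variation, qualifier = struct.unpack_from("BBB", buf, offset)
    offset += 3
    range_code = qualifier & 0x0F
    if range_code in (0x00, 0x07):          # 8-bit start/stop, or 8-bit count
        n = 2 if range_code == 0x00 else 1
        rng = struct.unpack_from("B" * n, buf, offset)
        offset += n
    elif range_code in (0x01, 0x08):        # 16-bit start/stop, or 16-bit count
        n = 2 if range_code == 0x01 else 1
        rng = struct.unpack_from("<" + "H" * n, buf, offset)
        offset += 2 * n
    elif range_code == 0x06:                # no range field: all objects
        rng = ()
    else:
        raise ValueError(f"unsupported range specifier code 0x{range_code:x}")
    return {"group": group, "variation": variation, "qualifier": qualifier,
            "range": rng, "next": offset}

def dissect(buf, known_objects):
    """Return the object name, or the abort message a table without it produces."""
    hdr = parse_object_header(buf)
    key = object_key(hdr["group"], hdr["variation"])
    return known_objects.get(key, "Unknown Object - Abort Decoding")
```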

I added that back in 2011 (complete with erroneous comment) so it should be in 1.12.5. I'm fairly certain I've seen dissections of that object.

As @Jaap says, please share the capture with the packet somewhere publicly available.

(07 Apr '16, 06:29) grahamb ♦

Wait, are you asking about version 1.2.15 or 1.12.something?

If you're asking about 1.2.15 then the answer is, based on Graham's comment, because the version you're running is too old.

(07 Apr '16, 07:25) JeffMorriss ♦

Oops, unable to parse the version numbers, my brain couldn't believe someone is still running 1.2.15 (built 1st March 2011).

(07 Apr '16, 07:40) grahamb ♦

1.2.15 (built 1st March 2011).

... which (for DNP3Master's benefit) would not include enhancements (like decoding this object) checked in in 2011 since 1.2 was one of the stable branches at the time.

(07 Apr '16, 07:53) JeffMorriss ♦

Oh, forgot to mention:

Oops, unable to parse the version numbers, my brain couldn't believe someone is still running 1.2.15

That's because you haven't spent the past N years of your life living in RHEL/CentOS 6 (which shipped with 1.2 and has stayed on 1.2--though http://rpms.famillecollet.com/rpmphp/zoom.php?rpm=wireshark seems to indicate that RHEL 6 has actually upgraded to 1.8).

(07 Apr '16, 07:56) JeffMorriss ♦

@JeffMorriss

That's because you haven't spent the past N years of your life living in RHEL/CentOS 6

Thankfully. Presumably there's folks planning to continue with the next 2N years of their life on RHEL6.

(07 Apr '16, 08:01) grahamb ♦

One Answer:


From the comments it becomes clear that the relevant dissection wasn't yet implemented in that old Wireshark version.

answered 07 Apr '16, 14:40


Jaap ♦