This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What should be setting in Wireshark 1.6.3 [Version 1.6.3 (SVN Rev 39702 from /trunk-1.6)] in Decode As, to properly analyze or capture DNP3 communication?

In specific, what selection should be under "Decode As" in right window for each of the tabs: -Link; -Network; -Protocol.

When I tried default selection, it is not decoding any DNP3 traffic

Any suggestion or help is greatly appreciated. Stanko K. [email protected]siemens.com

asked 15 Nov '11, 06:34

StankoK's gravatar image

StankoK
1111
accept rate: 0%

edited 26 Feb '12, 21:19

cmaynard's gravatar image

cmaynard ♦♦
9.3k1038142


The DNP3 dissector has a default port of 20000 as per the IANA registration, so any traffic (TCP or UDP) arriving on this port should be dissected. For traffic on other ports, use the "Decode As ..." option and on the Transport tab select the source or destination (or both) ports and "DNP3.0" as the protocol for those ports. You shouldn't need to change anything on the Link or Network tabs.

permanent link

answered 15 Nov '11, 07:08

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thanks for quick answer, Question is how to force Wireshark to listen port 20000. My colleague in USA is using same Wireshark and his default setting in "Decode As" Tabs are: Link: Ethertype 0x800; Network: IP Protocol 6; Transport: TCP source(20000)....

My Default setting is completely different: Ethertype 0x800; Network: IP Protocol 1; Transport: TCP source(10??).... I was trying many different selection under link, network, transport to match my colleague setting and decode DNP3 but no luck so far?!?!? Also, I have tried: "Decode As": Do Not Decode option but that one give me all raw frames...

Any Suggestion or help is greatly appreciated.

Thx. Stanko

(15 Nov '11, 07:42) StankoK

Errm, have you actually captured any DNP3 traffic? What port is your field device using? Examine the capture with no display filters set and identify the traffic to and from your field device using the IP and port. If the field device is using port 20000 then you have nothing further to do, any DNP3 traffic will be displayed, if its using another port, then right click on a frame containing traffic to/from the field device, select "Decode As ..." and on the transport tab select the port the field device is using.

If you still have issues can you post your capture somewhere, e.g. CloudShark

(16 Nov '11, 02:18) grahamb ♦

DNP3 runs over TCP and UDP; TCP and UDP have IP protocol numbers assigned to them, and probably almost never, or never, use other IP protocol numbers, so there is no need to do anything with the network-layer setting.

TCP and UDP run over IPv4 and IPv6; those protocols have Ethernet type numbers assigned to them, and probably almost never, or never, use different Ethernet type numbers, so there is no need to do anything with the link-layer setting.

The Wireshark DNP dissector registers for TCP and UDP ports 20000 by default, so there's no need to change that, either.

(27 Feb '12, 13:55) Guy Harris ♦♦

The DNP-over-TCP dissector will check whether the TCP segment it's handed has at least 2 bytes of data, equal to 0x05 0x64; if the TCP segments you're capturing don't look like that, they won't be recognized as DNP. I'd have to check if this is a problem for DNP packets that require more than one TCP segment.

(27 Feb '12, 13:57) Guy Harris ♦♦

Wireshark capture traffic DNP3 without any further adjustment, the problem is the version of Wireshark to win 7, to install an earlier version win 7 the problem remains not see traffic DNP3, it has installed the x86 version and not to run into 7. what win I had to do is enable a virtual machine on an x64 processor, run and install winXP commensurate for this operating system version and it worked. In the win XP you can see DNP3 packages without making any adjustments in Wireshark.

(04 Nov '16, 17:37) Marcos Valarezo

No need to post the same comment as an "answer" twice. Please start a new question for your issue.

(04 Nov '16, 17:51) grahamb ♦

Wireshark capture traffic DNP3 without any further adjustment

Wireshark has always been able to capture DNP3 traffic. What matters is whether it recognizes that it's DNP3 traffic, rather than just TCP payload.

the problem is the version of Wireshark to win 7, to install an earlier version win 7 the problem remains not see traffic DNP3, it has installed the x86 version and not to run into 7.

So are you saying that if you run Wireshark on Windows 7, it's not recognizing DNP3 traffic, but if you save a capture file that should contain DNP3 traffic but doesn't show any DNP3 traffic in Wireshark, run the same version of Wireshark, and read that same capture file, on Windows XP, it does recognize DNP3 traffic in that file?

(04 Nov '16, 17:56) Guy Harris ♦♦
showing 5 of 7 show 2 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×16
×6

question asked: 15 Nov '11, 06:34

question was seen: 10,989 times

last updated: 04 Nov '16, 17:56

p​o​w​e​r​e​d by O​S​Q​A