Today I tried to log some IEC 60870-5-104 traffic, to read those logs and to find some special data traffic. In the end I was able to find ASDU1 and ASDU2 but wasn't able to make out IOA1, IOA2, IOA3. Sure, I found IOA=123485 (for example), but since the IOA value changes from 1 to 12 (so it can be 12 - 34 or 12 -3-4), how can I read those values exactly? And what does Addr. mean (it's above the IOA)?
Thx for your support
OK, I'll try to explain. The logfile is in the attachment, along with a screenshot from an Excel file for one IEC address of one variable. An IEC address for one data point which is transferred from one system to another consists of ASDU1, ASDU2, IOA1, IOA2, IOA3. When I log some IEC traffic, IOA1-IOA3 are important to identify a special variable which I'm searching for. At the moment all I can see is one IOA value and I don't know how to "divide" it to get the correct values.
Hope I was able to explain!
Edit2: Logfile added
I don't have access to the -104 spec, only -101 but I believe the ASDU is the same. Without your actual capture which would make things so much easier to explain, I'll do what I can from your screenshot.
The -104 dissector formats up the fields in the packet details pane (the tree) in a somewhat "odd" manner IMHO.
So the ASDU starts with the Type Identifier field (TypeID) at octet 0 which is 36 in your example indicating a measured value of type short floating point with a timestamp.
Next is the number of Information elements at octet 1, displayed as NumIX and is 1 in your example.
Next is the Cause of Transmission (COT) at octet 2 which is comprised of the Cause, displayed as CauseTX, in your example this is 3 indicating spontaneous, the Negative confirm flag, displayed as Negative, which is false and the Test flag, displayed as Test, which is also false. The 3 elements of the COT octet are broken out into 3 lines of display.
After that comes the Originator Address (OA) octet 3, which is 0.
After that comes the Common Address of ASDU. This field is displayed as Addr and is two octets, lsb first, and in your example it is decoded as 10516.
After that comes the Information Object Address, displayed as IOA and comprising 3 octets, lsb first. In your example this is decoded as 176843.
The info column for your selected packet oddly shows the Common Address of ASDU as the two octet values, the low byte (20) then the high byte (41), whereas the packet details field shows the address as a 16 bit value 10516 (41 * 256 + 20).
The IOA is shown in both the packet list info column and the packet details as the 24 bit value 176843.
So, to filter on a specific IOA value you must convert your IOA1, IOA2, IOA3 values into the appropriate 24 bit value. To do this substitute the values into this equation: IOA3 * 65536 + IOA2 * 256 + IOA1. Using the values in your jpg (from some config doc?) of IOA1 = 16, IOA2 = 2, IOA3 = 101 gives an IOA value of 6619664. You would then use a display filter of "104asdu.ioa == 6619664".
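The octet layout and the IOA conversion from the answer above, as an added Python example (not part of the original answer and not Wireshark's code). The function names and the sample octets are constructed here; the flag bit positions inside the NumIX and COT octets come from the standard's ASDU layout rather than from the page.

```python
"""IEC 60870-5-104 ASDU address helpers (constructed example)."""

ASDU_HEADER_LEN = 9  # TypeID, NumIX, COT, OA, Addr (2 octets), IOA (3 octets)


def ioa_from_octets(ioa1, ioa2, ioa3):
    """Combine IOA1..IOA3 (IOA1 = low octet) into the 24-bit value Wireshark shows."""
    for name, octet in (("IOA1", ioa1), ("IOA2", ioa2), ("IOA3", ioa3)):
        if not 0 <= octet <= 255:
            raise ValueError(f"{name}={octet} is not a single octet (0-255)")
    return ioa3 * 65536 + ioa2 * 256 + ioa1


def ioa_to_octets(ioa):
    """Split a 24-bit IOA from a capture back into (IOA1, IOA2, IOA3)."""
    if not 0 <= ioa <= 0xFFFFFF:
        raise ValueError(f"IOA {ioa} does not fit in 3 octets")
    return ioa & 0xFF, (ioa >> 8) & 0xFF, (ioa >> 16) & 0xFF


def display_filter(ioa1, ioa2, ioa3):
    """Display filter for one data point, using the field name from the answer."""
    return f"104asdu.ioa == {ioa_from_octets(ioa1, ioa2, ioa3)}"


def parse_asdu_header(data):
    """Decode the ASDU octets in the order the answer walks through them."""
    if len(data) < ASDU_HEADER_LEN:
        raise ValueError(f"need {ASDU_HEADER_LEN} octets, got {len(data)}")
    cot = data[2]
    return {
        "TypeID": data[0],
        "NumIX": data[1] & 0x7F,          # bit 7 is the SQ flag, not part of the count
        "CauseTX": cot & 0x3F,            # low 6 bits: cause
        "Negative": bool(cot & 0x40),     # bit 6: negative confirm
        "Test": bool(cot & 0x80),         # bit 7: test
        "OA": data[3],
        "Addr": int.from_bytes(data[4:6], "little"),  # lsb first
        "IOA": int.from_bytes(data[6:9], "little"),   # lsb first
    }


# Constructed sample: nine octets that decode to the values quoted in the answer.
SAMPLE_ASDU = bytes([36, 1, 3, 0, 20, 41, 203, 178, 2])

if __name__ == "__main__":
    print(parse_asdu_header(SAMPLE_ASDU))
    print(display_filter(16, 2, 101))
    print(ioa_to_octets(176843))
```

`ioa_to_octets` goes the other way: it turns the single IOA value seen in a capture back into the IOA1, IOA2, IOA3 triple used in a configuration sheet.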
O.K. so you think the IEC104 dissector does not handle the protocol in a proper way? If so, please file a bug report at bugs.wireshark.org. However: The specs for IEC 60870-5-104 are not freely available, so it might be difficult to find somebody who can fix it. You will see.
Perhaps you can also contact the authors that worked on the dissector and ask them to take a look. You will find some e-mail addresses within the first few lines of the following file:
answered 10 Aug '12, 02:32