Revision history

initial version

I don't know how efficient this Lua post-dissector solution is or if indeed it's bullet-proof under all possible corner cases, but through much pain, I was able to get some output that seems to be correct using the iec104.pcap file on the Wireshark wiki that @Chuckc linked above for testing.

Using TShark (Wireshark) 4.3.0 (v4.3.0rc0-2286-ga16241b23f3f), here is some sample output when running tshark -r iec104.pcap -Y "iec60870_asdu.typeid == 36" -q:

16) TypeId: 36
        IOA: 11
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time
        IOA: 12
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time
        IOA: 13
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time
        IOA: 14
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time

18) TypeId: 36
        IOA: 11
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time
        IOA: 12
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time
        IOA: 13
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time
        IOA: 14
        Float: 0.0
        CP56Time: Jul  4, 2013 08:23:04.145000000 Eastern Daylight Time

88) TypeId: 36
        IOA: 12
        Float: 9.8699998855591
        CP56Time: Jul  4, 2013 08:24:14.307000000 Eastern Daylight Time

Since this site doesn't seem to allow files of type .lua to be uploaded, and I can't find any setting to change to allow it, I renamed the file with a .txt extension instead, so you will have to rename it back to .lua to test it yourself.

C:\fakepath\iec60870post.txt
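
An added example, not the attached Lua script and not Wireshark's dissector: a Python decoder for the TypeId 36 (M_ME_TF_1) information objects that the output above lists as IOA, Float and CP56Time. It assumes the IEC 104 field sizes (2-byte cause of transmission, 2-byte common address, 3-byte IOA), SQ=0 and years in 20xx, and it runs on constructed sample bytes rather than data from iec104.pcap.

```python
import struct
from datetime import datetime

TYPE_M_ME_TF_1 = 36          # measured value, short float, with CP56Time2a
OBJ_LEN = 3 + 4 + 1 + 7      # IOA + IEEE 754 float + QDS + CP56Time2a

def parse_cp56time2a(b):
    """Decode a 7-byte CP56Time2a; returns (datetime, invalid_flag)."""
    ms = struct.unpack_from("<H", b, 0)[0]       # milliseconds within the minute
    minute, invalid = b[2] & 0x3F, bool(b[2] & 0x80)
    hour = b[3] & 0x1F                           # bit 7 is the summer-time flag
    day, month = b[4] & 0x1F, b[5] & 0x0F        # top 3 bits of b[4]: day of week
    year = 2000 + (b[6] & 0x7F)                  # assumption: two-digit year is 20xx
    # datetime() raises ValueError on out-of-range fields (e.g. ms > 59999)
    return datetime(year, month, day, hour, minute, ms // 1000, (ms % 1000) * 1000), invalid

def parse_type36(asdu):
    """Return [(ioa, value, qds, timestamp, time_invalid), ...] for one ASDU."""
    if len(asdu) < 6:
        raise ValueError("ASDU shorter than its 6-byte header")
    type_id, vsq = asdu[0], asdu[1]
    if type_id != TYPE_M_ME_TF_1:
        raise ValueError(f"not TypeId 36: {type_id}")
    if vsq & 0x80:
        raise ValueError("SQ=1 is not handled in this example")
    count = vsq & 0x7F
    body = asdu[6:]  # skip TypeId, VSQ, COT, originator address, common address (2)
    if len(body) != count * OBJ_LEN:
        raise ValueError("ASDU length does not match the object count in VSQ")
    out = []
    for i in range(count):
        o = body[i * OBJ_LEN:(i + 1) * OBJ_LEN]
        ioa = int.from_bytes(o[0:3], "little")
        value = struct.unpack_from("<f", o, 3)[0]
        ts, invalid = parse_cp56time2a(o[8:15])
        out.append((ioa, value, o[7], ts, invalid))
    return out

# Constructed sample (not from iec104.pcap): 2 objects, COT=3, common address 1
_TIME = bytes.fromhex("e337180c84070d")          # 2013-07-04 12:24:14.307
SAMPLE = (bytes([36, 2, 3, 0, 1, 0])
          + (11).to_bytes(3, "little") + struct.pack("<f", 0.0) + b"\x00" + _TIME
          + (12).to_bytes(3, "little") + struct.pack("<f", 9.87) + b"\x00" + _TIME)

if __name__ == "__main__":
    for ioa, value, qds, ts, invalid in parse_type36(SAMPLE):
        print(f"IOA: {ioa}  Float: {value!r}  QDS: {qds:#04x}  CP56Time: {ts}")
```

The value 9.87 does not survive a round trip through a 4-byte float exactly, which is why it prints with trailing digits much like the 9.8699998855591 in the output above. CP56Time2a carries no time zone, so any zone shown next to it comes from the displaying tool.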