I'm trying to read a tapped line (using a Tap Aggregator) for the DNP traffic, but it appears to all be embedded in the TCP packets, so the filter isn't showing anything when I filter for dnp3.
How do I borg down another level in Wireshark?
Wireshark will automatically dissect traffic for the appropriate protocol as long as the traffic is running on the expected, or configured, port (for traffic over TCP, UDP) or (for some subset of prootcols) if the type can be heuristically determined by inspecting the traffic.
DNP3 is normally run over port 20000, if your traffic is not using this port, then you can use "Decode As ..." to set DNP3 as the dissector for the port(s) actually in use. There are also DNP3 protocol preferences for TCP and UDP to allow port to be specified.
I've often used a terminal server for DNP3 traffic to a serial device, all works fine for me. Unlike some serial telemetry protocols, DNP3 has no changes when run over TCP (or UDP), so as long as the terminal server isn't encrypting or obfuscating the traffic then it should all work. Note that the port used on the terminal server may not be 20000, so a "Decode As ..." may be required.
Posting a capture on a public share, e.g. Google Drive, DropBox etc. and then posting a link back here would allow us to help. There's not much info to leak about your system in a capture except possible the IP address, if it's publicly routable, which you really shouldn't be doing with plain DNP3.
Asked: 2019-12-18 22:30:36 +0000
Seen: 2,031 times
Last updated: Dec 19 '19
There are dnp3 display filters for sure. Are you talking about filtering during the capture itself?
The dnp3 filter isn't seeing the dnp in the packets. I'm going to look into the port being referenced as per the one answer given.