Ask Your Question

How do I filter/capture/read packets of one protocol embedded in another?

asked 2019-12-18 22:30:36 +0000

Lance-R gravatar image

updated 2019-12-18 23:08:39 +0000

I'm trying to read a tapped line (using a Tap Aggregator) for the DNP traffic, but it appears to all be embedded in the TCP packets, so the filter isn't showing anything when I filter for dnp3.

How do I borg down another level in Wireshark?

edit retag flag offensive close merge delete


There are dnp3 display filters for sure. Are you talking about filtering during the capture itself?

Spooky gravatar imageSpooky ( 2019-12-19 03:11:11 +0000 )edit

The dnp3 filter isn't seeing the dnp in the packets. I'm going to look into the port being referenced as per the one answer given.

Lance-R gravatar imageLance-R ( 2019-12-19 17:30:30 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-12-19 07:33:13 +0000

grahamb gravatar image

Wireshark will automatically dissect traffic for the appropriate protocol as long as the traffic is running on the expected, or configured, port (for traffic over TCP, UDP) or (for some subset of prootcols) if the type can be heuristically determined by inspecting the traffic.

DNP3 is normally run over port 20000, if your traffic is not using this port, then you can use "Decode As ..." to set DNP3 as the dissector for the port(s) actually in use. There are also DNP3 protocol preferences for TCP and UDP to allow port to be specified.

edit flag offensive delete link more


I think the DNP is ultimately using port 20000, but am not sure the terminal server is directly sending DNP packets or hiding them. It will be a while before I can figure it out since I'm on vacation for a few weeks. Thanks.

Lance-R gravatar imageLance-R ( 2019-12-20 22:53:54 +0000 )edit

I've often used a terminal server for DNP3 traffic to a serial device, all works fine for me. Unlike some serial telemetry protocols, DNP3 has no changes when run over TCP (or UDP), so as long as the terminal server isn't encrypting or obfuscating the traffic then it should all work. Note that the port used on the terminal server may not be 20000, so a "Decode As ..." may be required.

Posting a capture on a public share, e.g. Google Drive, DropBox etc. and then posting a link back here would allow us to help. There's not much info to leak about your system in a capture except possible the IP address, if it's publicly routable, which you really shouldn't be doing with plain DNP3.

grahamb gravatar imagegrahamb ( 2019-12-20 23:50:52 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-12-18 22:30:36 +0000

Seen: 1,562 times

Last updated: Dec 19 '19