iec104 io overview

asked 2024-11-08 04:18:01 +0000

allanrochaa

updated 2024-11-08 04:18:54 +0000

How can I count how many times every IEC104 digital point was sent from an RTU to its master? I mean, is there a tool that summarizes general IO points inside an IEC104 pcap?


Comments

There are a couple IEC 60870-5-104 sample captures on the wiki.
Are these the protocol you are working with and if so, which fields (Wireshark dfref: iec60870_104) are you interested in?
(Edit: the rest of the fields - iec60870_asdu)

Chuckc ( 2024-11-08 15:18:43 +0000 )

I mean every single digital point. For example iec60870_asdu.ioa == 2348. Or iec60870_asdu.ioa in {1..550}. Please keep in mind that I may have hundreds of IO points and would like to count how many of each actually appear in the pcap. How many of each happen in an invalid state? And so on... Thanks for your answer.

allanrochaa ( 2024-11-08 15:40:26 +0000 )

epan/dissectors/packet-iec104.c:

/* ASDU types (TypeId) */
#define M_SP_NA_1  1    /* single-point information                     */
#define M_SP_TA_1  2    /* single-point information with time tag       */
...

Which iec60870_asdu.typeid types?

Chuckc ( 2024-11-08 15:54:41 +0000 )

This could be done with a combination of MATE to extract the ioa values for only PDUs of a certain typeid:

Pdu asdu_pdu Proto iec60870_asdu Transport tcp/ip {
    Extract typeid From iec60870_asdu.typeid;
    Extract ioa From iec60870_asdu.ioa;

    Criteria Accept Every (typeid="1");
};

And a Lua plugin to count the occurrences:

3:  2
2:  3
1:  2
4:  2

It can be cleaned up (results sorted) and perhaps (maybe) be done in just a Lua script without MATE.

Chuckc ( 2024-11-08 22:34:25 +0000 )

I think I would revert to some scripting automation using tshark.

Wireshark doesn't work that well with telemetry protocols that have repeated data in the same packet. Display filters select entire packets that contain at least one item that matches the filter so a report of multiple events for an IOA will just show 1 packet.

grahamb ( 2024-11-11 16:34:15 +0000 )
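
One way to script the tshark approach suggested in the last comment, as an added example that is not part of the original thread: it counts every IOA occurrence, including several in the same packet, and how often each was flagged invalid. The tshark command line, the capture file name and the `iec60870_asdu.siq.iv` field name are assumptions (confirm the field with `tshark -G fields`), and the sample lines are constructed.

```python
# Count IEC 104 IOA occurrences from tshark field output (added example).
# Assumed capture command (capture.pcap is a placeholder file name):
#   tshark -r capture.pcap -Y "iec60870_asdu.typeid == 1" -T fields \
#     -E occurrence=a -E aggregator=, \
#     -e iec60870_asdu.ioa -e iec60870_asdu.siq.iv | python3 count_ioa.py
# Each output line is one packet: "ioa,ioa,...<TAB>iv,iv,..."
import sys
from collections import Counter

# tshark prints booleans as 1/0 or True/False depending on version.
TRUE_VALUES = {"1", "true"}


def count_ioas(lines):
    """Return (seen, invalid, unpaired) from tab-separated tshark lines."""
    seen, invalid = Counter(), Counter()
    unpaired = 0  # packets whose IOA and IV lists differ in length
    for line in lines:
        cols = line.rstrip("\n").split("\t")
        ioas = [v for v in cols[0].split(",") if v]
        flags = [v for v in cols[1].split(",") if v] if len(cols) > 1 else []
        if not ioas:
            continue
        seen.update(ioas)  # every occurrence counts, not one per packet
        if len(flags) != len(ioas):
            # The display filter selects whole packets, so a segment that
            # also carries another ASDU type yields IOAs without IV flags.
            unpaired += 1
            continue
        for ioa, flag in zip(ioas, flags):
            if flag.lower() in TRUE_VALUES:
                invalid[ioa] += 1
    return seen, invalid, unpaired


# Constructed sample output, used when nothing is piped in.
SAMPLE = [
    "1,2,3\t0,0,1\n",
    "2,3,4\tFalse,True,False\n",
    "1,2,4\t0,0\n",  # list lengths differ: counted, IV not attributed
    "\t\n",          # packet with neither field
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    seen, invalid, unpaired = count_ioas(source)
    for ioa in sorted(seen, key=int):
        print(f"{ioa}:\t{seen[ioa]}\tinvalid={invalid[ioa]}")
    print(f"packets with unpaired IV flags: {unpaired}", file=sys.stderr)
```

A non-zero unpaired count means some packets mixed ASDU types; inspect those packets separately rather than trusting positional pairing of the two lists.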