Ask Your Question
0

how does time filter at IEC104 look like?

asked 2024-11-30 07:51:36 +0000

Vitaliy gravatar image

updated 2024-11-30 13:54:25 +0000

Chuckc gravatar image

Hello I'd like to filter all packets with old timestamps
something like

iec60870_asdu.cp56time < now()-1d

or

(iec60870_asdu.cp56time < "2024.12.1 12:34") && (iec60870_asdu.cp56time > "2024.12.1 12:30")

or a have to fullfill structure iec60870_asdu.cp56time.day ... year

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-11-30 15:26:13 +0000

Chuckc gravatar image

updated 2024-11-30 15:30:34 +0000 

{ &hf_cp56time,
{ "CP56Time", "iec60870_asdu.cp56time", FT_ABSOLUTE_TIME, ABSOLUTE_TIME_LOCAL, NULL, 0,
            NULL, HFILL }},

See wsutil/nstime.c#L304 comments on "ISO 8601". Time string format defined in rfc3339.

For sample capture IEC104_All.pcap attached to issue 8849: Buggy IEC104 dissector caused by commit r48958:

iec60870_asdu.cp56time > "2013-07-04T08:23" && iec60870_asdu.cp56time < "2013-07-04T08:24"

The filter in the question could be written as:
(iec60870_asdu.cp56time < "2024-12-01T12:34") && (iec60870_asdu.cp56time > "2024-12-01T12:30")

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2024-11-30 07:51:36 +0000

Seen: 36 times

Last updated: Nov 30