Ask Your Question
0

DNP3 NACK response malformed

asked 2026-02-19 12:58:31 +0000

ChristianD90 gravatar image

updated 2026-02-20 09:09:36 +0000

When decoding a DNP3 link layer NACK response, it is decoded as malformed packet, but frame its ok.

Example link layer frame: 05 64 05 01 01 00 03 00 f2 3a

Is decoded with malformed packet legend.

Is this and decoding issue?

Wireshark 4.6.3 (v4.6.3-0-g648f69f3e168).

Copyright 1998-2026 Gerald Combs [email protected] and contributors. Licensed under the terms of the GNU General Public License (version 2 or later). This is free software; see the file named COPYING in the distribution. There is NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info: Bit width: 64-bit Compiler: Microsoft Visual Studio 2022 (VC++ 14.44, build 35221) GLib: 2.84.2 With: +automatic updates +nghttp2 1.65.0 +brotli +nghttp3 1.8.0 +Gcrypt 1.11.2-unknown +PCRE2 10.45 2025-02-05 +GnuTLS 3.8.11 and PKCS#11 +Qt 6.9.3 +Kerberos (MIT) +QtMultimedia +libpcap +Snappy 1.1.9 +libsmi 0.5.0 +WinSparkle 0.8.0 +libxml2 2.13.8 +xxhash 0.8.3 +Lua 5.4.6 (UfW patched) +zlib 1.3.1 +LZ4 1.10.0 +zlib-ng 2.2.3 +MaxMind +Zstandard 1.5.7 +Minizip-ng 4.0.9

Runtime info: OS: 64-bit Windows 11 (25H2), build 26200 CPU: Intel(R) Core(TM) Ultra 5 125H (with SSE4.2) Memory: 32265 MB of physical memory GLib: 2.84.2 Locale: LC_TYPE=Spanish_Spain.utf8 Plugins: supported, 0 loaded With: +brotli 1.2.0 +nghttp3 1.8.0 +c-ares 1.34.5 +Npcap 1.83, libpcap 1.10.5 +Gcrypt 1.11.2-unknown +PCRE2 10.45 2025-02-05 +GnuTLS 3.8.11 +Qt 6.9.3 +LZ4 1.10.0 +xxhash 803 +nghttp2 1.65.0 +Zstandard 1.5.7

edit retag flag offensive close merge delete

Comments

Please update the question with output of wireshark -v or tshark -v.

Can you share a sample capture file? If not, please update question with hex dump of full packet.

Chuckc gravatar imageChuckc ( 2026-02-19 17:12:21 +0000 )edit

Full DNP3 over TCP

Rquest:

941042003bfb74da38fdf0ce08004500003ae1f0400080060000c0a8c81fc0a8c864c17a4e20e45853ecf544a6b6501802001202000005640bd303000100eba5c2c3013c01064213

Response:

74da38fdf0ce941042003bfb080045000032c07e400040066872c0a8c864c0a8c81f4e20c17af544a6b6e45853fe501801f6b76900000564050101000300f23a

I'm not able to upload the captured file.

ChristianD90 gravatar imageChristianD90 ( 2026-02-20 09:09:56 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2026-02-19 18:35:01 +0000

Chuckc gravatar image

The spec is ieee. Do you have access to it?

I assume the check below should include NACK but without the spec that's a SWAG.
epan/dissectors/packet-dnp.c:

  /* If the DataLink function is 'Request Link Status' or 'Status of Link',
     or 'Reset Link' we don't expect any Transport or Application Layer Data
     NOTE: This code should probably check what DOES have TR or AL data */
  if ((dl_func != DL_FUNC_LINK_STAT) && (dl_func != DL_FUNC_STAT_LINK) &&
      (dl_func != DL_FUNC_RESET_LINK) && (dl_func != DL_FUNC_ACK)) //-V560 (both codes are the same value but semantically different)
  {

Code goes on to try:

    /* get the transport layer byte */
    tr_ctl = tvb_get_uint8(tvb, offset);

where offset = 10 and length of tvb is 10. Oops. 

Frame 1: Packet, 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface Fake IF, Import from Hex Dump, id 0
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 10.1.1.1 (10.1.1.1), Dst: 10.2.2.2 (10.2.2.2)
User Datagram Protocol, Src Port: 20000, Dst Port: 0
Distributed Network Protocol 3.0
    Data Link Layer, Len: 5, From: 3, To: 1, NACK
        Start Bytes: 0x0564
        Length: 5
        Control: 0x01 (NACK)
            0... .... = Direction: Not set
            .0.. .... = Primary: Not set
            ...0 .... = Data Flow Control: Not set
            .... 0001 = Control Function Code: NACK (1)
        Destination: 1
        Source: 3
        Data Link Header checksum: 0x3af2 [correct]
        [Data Link Header Checksum Status: Good]
[Malformed Packet: DNP 3.0]

Please open a new issue (https://gitlab.com/wireshark/wireshar...) and attach a capture file and any spec information confirming there is no data on a NACK.

edit flag offensive delete link more

Comments

I can confirm that this is a very long standing dissector bug, probably because no-one uses the CONFIRMED_USER_DATA mode as it eats bandwidth by acknowledging every message at the data link layer.

Needs a small amount of work in the data link layer dissection for the Control byte to check for both a NACK function code and the PRM flag being clear, if so, dissection is complete and there's no need to run off the end and report a malformed dissector.

grahamb gravatar imagegrahamb ( 2026-02-20 12:14:46 +0000 )edit

I've used text2pcap to convert the OP's hex to a pcapng file which is attached.

C:\fakepath\DNP3.pcapng

grahamb gravatar imagegrahamb ( 2026-02-20 12:23:33 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2026-02-19 12:58:31 +0000

Seen: 23 times

Last updated: 1 min ago

Related questions

DLT_USER for DNP3

dnp3 enhancement request

extracting source and destination station addresses?

DNP 3 reassemble fragments while sequence number is resetting to 0

How do I filter/capture/read packets of one protocol embedded in another?

DNP3 - filtering and displaying a specific point number?

There used to be an option to enable heuristic detection for dnp3 packets. It seems to be missing as of 3.4.9. Has it been removed?