
DNP3 NACK response malformed

asked 2026-02-19 12:58:31 +0000

ChristianD90

updated 2026-02-20 09:09:36 +0000

When decoding a DNP3 link layer NACK response, it is decoded as a malformed packet, but the frame is ok.

Example link layer frame: 05 64 05 01 01 00 03 00 f2 3a

It is decoded with the malformed packet legend.

Is this a decoding issue?

Wireshark 4.6.3 (v4.6.3-0-g648f69f3e168).

Copyright 1998-2026 Gerald Combs [email protected] and contributors. Licensed under the terms of the GNU General Public License (version 2 or later). This is free software; see the file named COPYING in the distribution. There is NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compile-time info: Bit width: 64-bit Compiler: Microsoft Visual Studio 2022 (VC++ 14.44, build 35221) GLib: 2.84.2 With: +automatic updates +nghttp2 1.65.0 +brotli +nghttp3 1.8.0 +Gcrypt 1.11.2-unknown +PCRE2 10.45 2025-02-05 +GnuTLS 3.8.11 and PKCS#11 +Qt 6.9.3 +Kerberos (MIT) +QtMultimedia +libpcap +Snappy 1.1.9 +libsmi 0.5.0 +WinSparkle 0.8.0 +libxml2 2.13.8 +xxhash 0.8.3 +Lua 5.4.6 (UfW patched) +zlib 1.3.1 +LZ4 1.10.0 +zlib-ng 2.2.3 +MaxMind +Zstandard 1.5.7 +Minizip-ng 4.0.9

Runtime info: OS: 64-bit Windows 11 (25H2), build 26200 CPU: Intel(R) Core(TM) Ultra 5 125H (with SSE4.2) Memory: 32265 MB of physical memory GLib: 2.84.2 Locale: LC_TYPE=Spanish_Spain.utf8 Plugins: supported, 0 loaded With: +brotli 1.2.0 +nghttp3 1.8.0 +c-ares 1.34.5 +Npcap 1.83, libpcap 1.10.5 +Gcrypt 1.11.2-unknown +PCRE2 10.45 2025-02-05 +GnuTLS 3.8.11 +Qt 6.9.3 +LZ4 1.10.0 +xxhash 803 +nghttp2 1.65.0 +Zstandard 1.5.7


Comments

Please update the question with output of wireshark -v or tshark -v.

Can you share a sample capture file? If not, please update question with hex dump of full packet.

Chuckc (2026-02-19 17:12:21 +0000)

Full DNP3 over TCP

Request:

941042003bfb74da38fdf0ce08004500003ae1f0400080060000c0a8c81fc0a8c864c17a4e20e45853ecf544a6b6501802001202000005640bd303000100eba5c2c3013c01064213

Response:

74da38fdf0ce941042003bfb080045000032c07e400040066872c0a8c864c0a8c81f4e20c17af544a6b6e45853fe501801f6b76900000564050101000300f23a

I'm not able to upload the captured file.

ChristianD90 (2026-02-20 09:09:56 +0000)

1 Answer


answered 2026-02-19 18:35:01 +0000

Chuckc

The spec is IEEE. Do you have access to it?

I assume the check below should include NACK but without the spec that's a SWAG.
epan/dissectors/packet-dnp.c:

  /* If the DataLink function is 'Request Link Status' or 'Status of Link',
     or 'Reset Link' we don't expect any Transport or Application Layer Data
     NOTE: This code should probably check what DOES have TR or AL data */
  if ((dl_func != DL_FUNC_LINK_STAT) && (dl_func != DL_FUNC_STAT_LINK) &&
      (dl_func != DL_FUNC_RESET_LINK) && (dl_func != DL_FUNC_ACK)) //-V560 (both codes are the same value but semantically different)
  {

Code goes on to try:

    /* get the transport layer byte */
    tr_ctl = tvb_get_uint8(tvb, offset);

where offset = 10 and length of tvb is 10. Oops.

Frame 1: Packet, 60 bytes on wire (480 bits), 60 bytes captured (480 bits) on interface Fake IF, Import from Hex Dump, id 0
Ethernet II, Src: Send_00 (20:53:45:4e:44:00), Dst: Receive_00 (20:52:45:43:56:00)
Internet Protocol Version 4, Src: 10.1.1.1 (10.1.1.1), Dst: 10.2.2.2 (10.2.2.2)
User Datagram Protocol, Src Port: 20000, Dst Port: 0
Distributed Network Protocol 3.0
    Data Link Layer, Len: 5, From: 3, To: 1, NACK
        Start Bytes: 0x0564
        Length: 5
        Control: 0x01 (NACK)
            0... .... = Direction: Not set
            .0.. .... = Primary: Not set
            ...0 .... = Data Flow Control: Not set
            .... 0001 = Control Function Code: NACK (1)
        Destination: 1
        Source: 3
        Data Link Header checksum: 0x3af2 [correct]
        [Data Link Header Checksum Status: Good]
[Malformed Packet: DNP 3.0]

Please open a new issue (https://gitlab.com/wireshark/wireshar...) and attach a capture file and any spec information confirming there is no data on a NACK.
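To see where the quoted check goes wrong on the exact frame from the question, here is an added example (not Wireshark's code) that parses the DNP3 link-layer header, verifies the CRC-16/DNP, and compares the unguarded transport-byte read with a length-aware rule. The function-code tables and every name in it are this example's own assumptions, not identifiers from packet-dnp.c.

```python
# Added example, not Wireshark's code: parse a DNP3 link-layer header, verify its
# CRC-16/DNP, and show why reading "the transport byte at offset 10" without a
# length guard fails on the 10-byte NACK frame from the question.  Function-code
# values follow the DNP3 link-layer tables; all names here are this example's own.

def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 bit-reversed to 0xA6BC, init 0, final XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

# Function codes that carry no user data, selected by the PRM bit of the control byte.
SEC_NO_DATA = {0x0: "ACK", 0x1: "NACK", 0xB: "LINK_STATUS", 0xF: "NOT_SUPPORTED"}
PRI_NO_DATA = {0x0: "RESET_LINK", 0x1: "RESET_USER_PROC", 0x2: "TEST_LINK",
               0x9: "REQUEST_LINK_STATUS"}

def parse_link_header(frame: bytes) -> dict:
    """10-byte header: 05 64, LEN, CTRL, DEST (le16), SRC (le16), CRC (le16)."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link-layer frame")
    ctrl = frame[3]
    hdr = {"length": frame[2], "prm": bool(ctrl & 0x40), "func": ctrl & 0x0F,
           "dest": int.from_bytes(frame[4:6], "little"),
           "src": int.from_bytes(frame[6:8], "little"),
           "crc": int.from_bytes(frame[8:10], "little")}
    hdr["crc_ok"] = crc_dnp(frame[:8]) == hdr["crc"]   # CRC covers the first 8 bytes
    return hdr

def has_user_data(hdr: dict) -> bool:
    """LEN counts CTRL+DEST+SRC (5) plus user data, so LEN == 5 is header-only
    whatever the function code says; the code table is an independent second check."""
    table = PRI_NO_DATA if hdr["prm"] else SEC_NO_DATA
    return hdr["length"] > 5 and hdr["func"] not in table

def transport_byte_as_in_answer(frame: bytes):
    """The check quoted in the answer: only codes 9, 0xB and 0 skip the transport
    byte, so a NACK (code 1) falls through to a read at offset 10."""
    if parse_link_header(frame)["func"] not in (0x9, 0xB, 0x0):
        return frame[10]          # IndexError when the frame is only 10 bytes long
    return None

def unguarded_read_fails(frame: bytes) -> bool:
    try:
        transport_byte_as_in_answer(frame)
        return False
    except IndexError:
        return True

# DNP3 payloads taken from the question and the comment above (TCP/IP stripped).
NACK_FRAME = bytes.fromhex("0564050101000300f23a")
REQUEST_FRAME = bytes.fromhex("05640bd303000100eba5c2c3013c01064213")
```

`has_user_data` returns False for the NACK frame while the answer's check still tries to read offset 10, which is the out-of-range read behind the malformed-packet legend.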

