
Unable to access data in second IOA

asked 2018-10-14 07:53:00 +0000


Dear all, I'm using pyshark (Python) to process dissected IEC 60870-5-104 packets. I'm able to access the first IOA in the captured data but unable to access the second/third IOA if NumIx > 1. I'm using the following code:

import pyshark
# Capture on the 'Ethernet' interface, keeping only IEC 104 APCI/ASDU traffic
cap = pyshark.LiveCapture(interface='Ethernet', display_filter="104apci and 104asdu")
IOA_Val = cap[4].IOA
print(IOA_Val)

Layer 4 of Pcap

Layer 104ASDU:
TypeId: M_SP_NA_1 (1)
0... .... = SQ: False
.000 0010 = NumIx: 2
..01 0100 = CauseTx: Inrogen (20)
.0.. .... = Negative: False
0... .... = Test: False
OA: 2
Addr: 1
IOA: 345
IOA: 345
SIQ: 0x00
.... ...0 = SPI: Off
...0 .... = BL: Not blocked
..0. .... = SB: Not Substituted
.0.. .... = NT: Topical
0... .... = IV: Valid
IOA: 57756
IOA: 57756
SIQ: 0x00
.... ...0 = SPI: Off
...0 .... = BL: Not blocked
..0. .... = SB: Not Substituted
.0.. .... = NT: Topical
0... .... = IV: Valid

This works if NumIx=1 but doesn't work if NumIx>1

How do I access the second IOA in the same packet?

In simple words, I'm able to access the IOA data of IOA value 345 but unable to access the IOA data of IOA 57756.

Pcap file: https://drive.google.com/open?id=1Z3c...


Comments

Can you upload the capture to a publicly accessible location, e.g. CloudShark, Google Drive, DropBox etc. and then post a link to the capture by amending your question.

grahamb ( 2018-10-14 13:42:37 +0000 )

I have shared the pcap file.

Thinakaran_Gunasekar ( 2018-10-14 14:22:02 +0000 )

1 Answer


answered 2018-10-14 17:05:09 +0000

grahamb

There seems to be an issue directly accessing the 104asdu element, maybe because its name begins with a number. Using getattr() fixes that, then noting that the IOA and SIQ elements are of type "LayerField" with a "fields" array. This gives the following (note the capture you provided only had one packet, so I'm using cap[0] to access it):

>>> asdu = getattr(cap[0], "104asdu")
>>> asdu.ioa.fields[0]
<LayerField 104asdu.ioa: 345>
>>> asdu.siq.fields[0]
<LayerField 104asdu.siq: 0x00000000>
>>> asdu.ioa.fields[1]
<LayerField 104asdu.ioa: 57756>
>>> asdu.siq.fields[1]
<LayerField 104asdu.siq: 0x00000000>

pyshark could do with more documentation describing these types. I used a mix of dir() and type() to work this out.


Comments

Thank you, it worked perfectly.

Thinakaran_Gunasekar ( 2018-10-15 14:35:41 +0000 )

How to get only the IOA, i.e. asdu.ioa.fields[0] returns LayerField 104asdu.ioa: 345 but only 345 is required.

Thinakaran_Gunasekar ( 2018-10-20 11:52:32 +0000 )
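
Added example, not part of the original thread and not pyshark or Wireshark code: a standalone decoder for the M_SP_NA_1 ASDU shown in the question, illustrating why one packet carries NumIx separate IOA/SIQ pairs. It goes beyond the capture by also handling SQ=1, where a single base IOA is followed by consecutive elements. The byte strings are constructed to match the dissection above, and all function and variable names are hypothetical.

```python
# Added example: hand-decode the M_SP_NA_1 ASDU from the question.
import struct

M_SP_NA_1 = 1  # single-point information: one SIQ byte per object

def decode_siq(siq):
    """Split the SIQ byte into the flags Wireshark lists under each IOA."""
    return {"spi": bool(siq & 0x01), "bl": bool(siq & 0x10),
            "sb": bool(siq & 0x20), "nt": bool(siq & 0x40),
            "iv": bool(siq & 0x80)}

def parse_m_sp_na_1(asdu):
    """Return (header, [(ioa, siq_flags), ...]) for one M_SP_NA_1 ASDU."""
    if len(asdu) < 6:
        raise ValueError("ASDU shorter than its 6-byte header")
    # TypeId, VSQ (SQ + NumIx), cause byte, OA, 2-byte common address (LE)
    type_id, vsq, cot, oa, addr = struct.unpack_from("<BBBBH", asdu, 0)
    if type_id != M_SP_NA_1:
        raise ValueError(f"unsupported TypeId {type_id}")
    sq, num_ix = bool(vsq & 0x80), vsq & 0x7F
    header = {"sq": sq, "num_ix": num_ix, "cause_tx": cot & 0x3F,
              "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
              "oa": oa, "addr": addr}
    # SQ=0: every object has its own 3-byte IOA followed by its SIQ.
    # SQ=1: one 3-byte IOA, then NumIx SIQ bytes at consecutive addresses.
    need = 6 + (3 + num_ix if sq else 4 * num_ix)
    if len(asdu) < need:
        raise ValueError(f"NumIx={num_ix} needs {need} bytes, got {len(asdu)}")
    objects, pos, ioa = [], 6, 0
    for i in range(num_ix):
        if sq and i > 0:
            ioa += 1
        else:
            ioa = int.from_bytes(asdu[pos:pos + 3], "little")
            pos += 3
        objects.append((ioa, decode_siq(asdu[pos])))
        pos += 1
    return header, objects

# Constructed bytes matching the dissection: NumIx=2, CauseTx=20, OA=2,
# Addr=1, IOA 345 and IOA 57756, both with SIQ 0x00.
CONSTRUCTED_ASDU = bytes.fromhex("01 02 14 02 0100 590100 00 9ce100 00")
# Constructed SQ=1 variant: base IOA 345, two SIQ bytes (0x00, 0x01).
CONSTRUCTED_SQ1 = bytes.fromhex("01 82 14 02 0100 590100 00 01")

if __name__ == "__main__":
    for ioa, flags in parse_m_sp_na_1(CONSTRUCTED_ASDU)[1]:
        print(ioa, flags)
```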

Stats

Asked: 2018-10-14 07:53:00 +0000

Seen: 36 times

Last updated: Oct 14