
extracting source and destination station addresses?

asked 2019-03-23 19:00:49 +0000

ltgcc

I'm using Wireshark DNP3 to monitor a LAN that carries all the DNP3 traffic, approximately 45 remote stations. What I need to do is extract a list of unique station addresses (both source and destination addresses, though I am only interested in the addresses themselves; who is talking to who is not important) that traverse the field LAN between certain times. I know how to collect pcaps for those certain times; I've got that scripted. Is there an easy way to extract station addresses from the pcap into a text file that I can then sort and manipulate?

If it matters, my dumpcap collector is running on a Debian box, as is my Wireshark pcap viewer.



1 Answer


answered 2019-03-23 19:53:29 +0000

grahamb

There is a (hidden from the UI) display filter field dnp3.addr that is set for both the source and destination DNP3 addresses, so using that with the -T fields option you can dump out all the DNP3 addresses, e.g.

tshark -r my.pcapng -T fields -e dnp3.addr dnp3

which produces output like this:


This can then be post processed to get the unique addresses in a capture.



That totally solved my problem! You guys are freakin awesome. Thank you for the very prompt reply and resolution.

ltgcc ( 2019-03-23 20:09:09 +0000 )
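
The post-processing step the answer mentions, as an added example that is not part of the original answer or of Wireshark itself. The function names and the sample lines are constructed for illustration; it assumes tshark prints dnp3.addr as decimal numbers and joins the source and destination occurrences on one line with its default "," aggregator.

```shell
#!/bin/sh
# Added example: reduce tshark's dnp3.addr field output to a unique address list.
# Function names are hypothetical; they are not part of tshark or Wireshark.

# Read "-T fields -e dnp3.addr" lines on stdin, print each address once.
# The field occurs for both source and destination in a frame, and tshark
# joins multiple occurrences with the aggregator character, so split first.
# Blank lines and anything that is not a decimal number are dropped.
dnp3_unique_addrs() {
    tr ',' '\n' | grep -E '^[0-9]+$' | sort -n -u
}

# Same input, but print "count address" so rarely seen stations stand out.
dnp3_addr_counts() {
    tr ',' '\n' | grep -E '^[0-9]+$' | sort -n | uniq -c | awk '{print $1, $2}'
}

# Run the answer's tshark command over one or more capture files and
# merge the results into a single unique list.
dnp3_addrs_from_pcaps() {
    for f in "$@"; do
        # -E aggregator=, makes the default separator explicit.
        tshark -r "$f" -T fields -E aggregator=, -e dnp3.addr dnp3
    done | dnp3_unique_addrs
}

# Constructed sample of tshark field output (not from a real capture).
# Includes a blank line and a line with two DNP3 frames in one packet.
sample_tshark_output() {
    printf '%s\n' '1,10' '10,1' '1,22' '' '22,1' '1,10,1,10' '45,1'
}
```

After sourcing the file, dnp3_addrs_from_pcaps my.pcapng > stations.txt writes the unique station list for that capture; several capture files can be passed at once.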


Asked: 2019-03-23 19:00:49 +0000

Seen: 433 times

Last updated: Mar 23 '19