Extracting source and destination station addresses?

asked 2019-03-23

ltgcc

I'm using Wireshark's DNP3 dissector to monitor a LAN that carries all the DNP3 traffic, approximately 45 remote stations. What I need to do is extract a list of unique station addresses (both source and destination addresses, though I am only interested in the addresses themselves; who is talking to whom is not important) that traverse the field LAN between certain times. I know how to collect pcaps for those certain times; I've got that scripted. Is there an easy way to extract station addresses from the pcap into a text file that I can then sort and manipulate?

If it matters, my dumpcap collector is running on a Debian box, as is my Wireshark pcap viewer.


answered 2019-03-23

grahamb

There is a (hidden from the UI) display filter field dnp3.addr that is set for both the source and destination DNP3 addresses, so using that with the -T fields option you can dump out all the DNP3 addresses, e.g.

tshark -r my.pcapng -T fields -e dnp3.addr dnp3

which produces output like this:


This can then be post processed to get the unique addresses in a capture.

That totally solved my problem! You guys are freakin' awesome. Thank you for the very prompt reply and resolution.

ltgcc ( 2019-03-23 )
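The post-processing step the answer leaves to the reader, as an added example that is not part of the original answer: a small POSIX shell script that turns the `tshark -T fields -e dnp3.addr` output into a numerically sorted list of unique station addresses. It assumes the default field aggregator, so each matching frame prints its destination and source addresses joined by a comma (a TCP segment carrying several DNP3 frames prints more than two values on one line). The sample field output embedded in the script is constructed for illustration, not taken from a real capture.

```shell
#!/bin/sh
# Added example for post-processing the answer's tshark command.
# Assumption: "tshark -T fields -e dnp3.addr" prints, per matching frame, the
# DNP3 destination and source addresses joined by "," (the default aggregator).
# A TCP segment that carries several DNP3 link frames yields more than two
# values on one line, which is why the split below is per field, not per pair.

# dnp3_addrs_from_fields: read tshark field output on stdin and print the
# unique station addresses, one per line, sorted numerically.
dnp3_addrs_from_fields() {
    tr ',' '\n' |                # one address per line
        grep -E '^[0-9]+$' |     # drop empty lines (frames without the field)
        sort -n -u               # numeric sort, duplicates removed
}

# dnp3_unique_addrs CAPTURE: run the answer's command on a capture file and
# post-process it. Requires tshark; not exercised by the sample run below.
dnp3_unique_addrs() {
    tshark -r "$1" -T fields -e dnp3.addr -E aggregator=, dnp3 |
        dnp3_addrs_from_fields
}

# Constructed stand-in for what the tshark command prints (not real data).
# Lines are "dst,src"; the fourth line models two DNP3 frames in one TCP segment;
# 65535 is the DNP3 all-stations broadcast destination.
SAMPLE_FIELDS='3,1
1,3
3,2
1,10,1,11
2,3
65535,1'

# sample_unique_addrs: the unique address list derived from SAMPLE_FIELDS.
sample_unique_addrs() {
    printf '%s\n' "$SAMPLE_FIELDS" | dnp3_addrs_from_fields
}

# Stand-alone demo: prints 1 2 3 10 11 65535, one per line.
sample_unique_addrs
```

Usage against a real capture is `dnp3_unique_addrs my.pcapng > addrs.txt`. Note that broadcast destinations (DNP3 reserves 65533 to 65535 for broadcast) show up in the list alongside real stations, so filter them out with `grep -v` or an `awk '$1 < 65533'` step if you only want addressable outstations and masters; if an address appears only as a destination that no station ever answers from, that is usually a master polling a dead or misconfigured device rather than a 46th station.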


