extracting source and destination station addresses?

asked 2019-03-23 19:00:49 +0000

ltgcc
3 ●2

I'm using wireshark dnp3 to monitor a lan that carries all the DNP3 traffic, approximately 45 remote stations. What I need to do is extract a list of unique station addresses (both source and destination addresses, tho I am only interested in the addresses themselves; who is talking to who is not important) that traverse the field lan between certain times. I know how to collect pcaps for those certain times; I've got that scripted. Is there an easy way to extract station addresses from the pcap into a text file that I can then sort and manipulate.

If it matters my dumpcap collector is running on a debian box, as is my wireshark pcap viewer.

Thanks!

answered 2019-03-23 19:53:29 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

There is a (hidden from the UI) display filter field dnp3.addr that is set for both the source and destination DNP3 addresses, so using that with the -T fields option you can dump out all the DNP3 addresses, e.g.

tshark -r my.pcapng -T fields -e dnp3.addr dnp3

which produces output like this:

This can then be post processed to get the unique addresses in a capture.

edit flag offensive delete link

Comments

that totally solved my problem! you guys are freakin awesome. Thank you for the very prompt reply and resolution.

ltgcc ( 2019-03-23 20:09:09 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

extracting source and destination station addresses?

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

extracting source and destination station addresses? edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

extracting source and destination station addresses?