I am looking for an IEC 60870-5 101 and/or 104 plugin (dll) for a Windows 64-bit machine. Where can I download it?
asked 14 Mar '17, 10:15 ABK
One Answer:
-104 is a built-in dissector. There is no dissector for -101 as that is normally run over a serial connection, i.e. RS-232, and as such Wireshark doesn't normally include dissectors for such protocols. A Google search though found an external project that provides a serial-to-pcap utility here and a -101 dissector in Lua here.
answered 14 Mar '17, 10:34 grahamb ♦ edited 14 Mar '17, 10:39
Thanks for the quick answer. For some reason it does not parse my IEC 104 pcap file (it parses up to the TCP layer only, then it shows the rest as data). I don't see the IEC dissector in the plugin directory. Should it be there? What is it called? From which Wireshark version? Many thanks in advance for the help.
You can confirm the dissector is present and enabled by going to the menu item Analyze -> Enabled Protocols and in the dialog ensure that 104apci and 104asdu are both checked.
Is your traffic on port 2404, as that's the default port for the dissector?
If not, then right-click a packet in the conversation and choose "Decode As ..." and in the resulting dialog choose "104apci" as the protocol.
You can also set the port in the protocol preferences, again it's named "104apci".
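When a capture stops at TCP and the rest shows as data, it helps to confirm that the payload bytes really are IEC 60870-5-104 framing before pointing "Decode As" at a non-default port. The following is an added example, not part of the original thread: it walks the APCI headers (start octet 0x68, length, four control octets) in a TCP payload copied out of the capture. The function names and the sample payload are constructed for illustration.

```python
START = 0x68  # APCI start octet
# U-format control octet 1 values and their meaning
U_FUNCS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apdus(payload: bytes):
    """Split a TCP payload into IEC 104 APDUs; raise ValueError if it does not fit."""
    frames, off = [], 0
    while off < len(payload):
        if len(payload) - off < 6:
            raise ValueError(f"truncated APCI at offset {off}")
        start, length = payload[off], payload[off + 1]
        if start != START:
            raise ValueError(f"offset {off}: start octet 0x{start:02x}, expected 0x68")
        if not 4 <= length <= 253:
            raise ValueError(f"offset {off}: APDU length {length} outside 4..253")
        end = off + 2 + length
        if end > len(payload):
            raise ValueError(f"offset {off}: APDU runs past end of payload")
        c1, c2, c3, c4 = payload[off + 2:off + 6]
        if c1 & 0x01 == 0:       # I-format: numbered information transfer
            frame = {"format": "I", "ns": (c1 >> 1) | (c2 << 7),
                     "nr": (c3 >> 1) | (c4 << 7),
                     "type_id": payload[off + 6] if length > 4 else None}
        elif c1 & 0x03 == 0x01:  # S-format: supervisory acknowledgement
            frame = {"format": "S", "nr": (c3 >> 1) | (c4 << 7)}
        else:                    # U-format: unnumbered control function
            frame = {"format": "U", "function": U_FUNCS.get(c1, f"unknown 0x{c1:02x}")}
        frames.append(frame)
        off = end
    return frames

def looks_like_iec104(payload: bytes) -> bool:
    """True if the whole payload is one or more well-formed APDUs."""
    try:
        return bool(parse_apdus(payload))
    except ValueError:
        return False

# Constructed sample: STARTDT act, an S-frame acknowledging 5, and an I-frame
# carrying a type 100 (interrogation command) ASDU.
SAMPLE = bytes.fromhex("680407000000" "680401000a00"
                       "680e02000400" "64010600010000000014")

if __name__ == "__main__":
    for f in parse_apdus(SAMPLE):
        print(f)
```

The check treats each payload as complete, so an APDU split across two TCP segments is reported as truncated; test several packets from the conversation before concluding the traffic is not IEC 104.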