
How can I reassemble OPC data PDUs in Wireshark?


I am trying to analyze flows between an OPC server and a Pi Interface server to see where a specific tag may be getting dropped on the network (or to prove that it isn't), but the OPC data is riding over TCP packets and split between several packets. I have turned on TCP reassembly, but there is no option under OPC to reassemble the PDUs.

mlshepherd1
asked 2020-10-06 22:24:18 +0000

Comments

There are two pcaps attached to this issue - #8068 Chunking support for OPCUA
They are using ports 4842 and 4845 for OpcUa.
Can you look at one or both to see if the results are different than what you see in your capture?

Chuckc (2020-10-06 22:45:57 +0000)

Wireshark version? And I assume this is indeed OPC UA and not OPC Classic?

grahamb (2020-10-07 07:41:58 +0000)

This is the first time I have had to work with OPC data, so I was not familiar with the different versions. When I saw the OPC UA protocol options, I just assumed that was it. However, after doing a bit more research, this system is actually using OPC Classic and it appears the data is using the DCERPC protocol. Any ideas how to read this data in Wireshark? There are also a lot of frames with the error stating malformed packet: length of contained item exceeds the length of containing item.

mlshepherd1 (2020-10-07 15:05:33 +0000)

1 Answer


Dissecting OPC Classic, which as the OP has noted is based on DCERPC, is very difficult.

I would instead use something like the Matrikon OPC Sniffer that sits between the client and the server and dumps out logs of the OPC traffic that can be examined.

grahamb
answered 2020-10-07 15:56:15 +0000
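
Added example, not part of the thread or of Wireshark's code: the connection-oriented DCE/RPC header that OPC Classic rides on carries a `frag_length` and first/last-fragment flags, which is what lets one call's stub data be regrouped from a reassembled TCP byte stream. `build_request` and its bytes are constructed sample input; decoding the OPC interfaces inside the stub is not attempted, and with packet privacy negotiated the stub is ciphertext.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80
PTYPE_REQUEST, PTYPE_RESPONSE = 0, 2

def split_pdus(stream):
    """Yield (ptype, flags, call_id, auth_len, body) per complete PDU in a TCP byte stream."""
    off = 0
    while off + 16 <= len(stream):
        ver, _minor, ptype, flags = stream[off:off + 4]
        if ver != 5:
            raise ValueError(f"no DCE/RPC v5 header at offset {off}")
        # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
        endian = "<" if (stream[off + 4] & 0xF0) == 0x10 else ">"
        frag_len, auth_len, call_id = struct.unpack_from(endian + "HHI", stream, off + 8)
        if frag_len < 16:
            raise ValueError(f"bad frag_length {frag_len} at offset {off}")
        if off + frag_len > len(stream):
            break  # PDU continues in TCP segments that are not in the stream
        yield ptype, flags, call_id, auth_len, stream[off + 16:off + frag_len]
        off += frag_len

def reassemble(stream):
    """Return {(call_id, ptype): stub_bytes} for every fully reassembled call."""
    partial, done = {}, {}
    for ptype, flags, call_id, auth_len, body in split_pdus(stream):
        if ptype not in (PTYPE_REQUEST, PTYPE_RESPONSE):
            continue  # bind/bind_ack and other control PDUs
        start = 8  # alloc_hint(4) + context id(2) + opnum(2) or cancel_count/reserved
        if ptype == PTYPE_REQUEST and flags & PFC_OBJECT_UUID:
            start += 16  # optional object UUID precedes the stub
        end = len(body)
        if auth_len:  # 8-byte sec_trailer + auth_value follow the padded stub
            trailer = end - auth_len - 8
            end = trailer - body[trailer + 2]  # body[trailer + 2] is auth_pad_length
        key = (call_id, ptype)
        if flags & PFC_FIRST_FRAG:
            partial[key] = bytearray()
        if key in partial:  # skip fragments whose first fragment was not captured
            partial[key] += body[start:end]
            if flags & PFC_LAST_FRAG:
                done[key] = bytes(partial.pop(key))
    return done

def build_request(flags, call_id, stub, opnum=3):
    """Constructed sample: one little-endian request fragment without auth."""
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    return struct.pack("<BBBB4sHHI", 5, 0, PTYPE_REQUEST, flags,
                       b"\x10\x00\x00\x00", 16 + len(body), 0, call_id) + body
```

Feed it one direction of a TCP stream at a time; a call that never appears in the result had a fragment missing from that stream.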