Wireshark displays DNP3 traffic as serial

I am not familiar with Wireshark, but I am attempting to utilize it to look at some DNP3 traffic between a SEL RTAC 3530 and a QEI RTU. I have a comm capture of the two units communicating. The dissector appears to be SEL protocol serial by default, but I am trying to read it as DNP 3.0.

adam.freeman
asked 2021-12-08 21:59:41 +0000

Comments

DNP3 originated as a serial protocol but also runs over TCP and UDP and there are no differences in the protocol over any of the transports. Capturing serial traffic is more difficult, but is often accomplished by forcing part of the transit over IP, e.g. by using a "Terminal server".

Given the above, what do you have in your capture? Is there traffic to and from port 20000 (the IANA registered port for DNP3)? If so, does the traffic begin with the DNP3 frame header of 0x05 0x64?

Sharing a link to the capture on a public share will help immensely in diagnosing the issue.

grahamb (2021-12-09 08:56:54 +0000)
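The check described in the comment above (port 20000, payload starting with 0x05 0x64), as an added Python example that is not part of the original thread. It goes one step further and validates the link-header CRC so that a stray 0x05 0x64 in another protocol's data is not mistaken for DNP3; the header layout and CRC parameters come from the DNP3 link layer rather than from the post, the function names are hypothetical, and the sample bytes are constructed.

```python
import struct

DNP3_START = b"\x05\x64"  # frame start bytes named in the comment above
DNP3_PORT = 20000         # IANA registered port named in the comment above

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def parse_link_header(payload: bytes):
    """Decode the 10-byte link header; None if payload does not begin with a valid one."""
    if len(payload) < 10 or payload[:2] != DNP3_START:
        return None
    length, ctrl, dest, src, crc = struct.unpack("<BBHHH", payload[2:10])
    # LEN counts CTRL + DEST + SRC + user data, so it can never be below 5.
    if length < 5 or crc != crc16_dnp(payload[:8]):
        return None
    return {"length": length, "dir_from_master": bool(ctrl & 0x80),
            "primary": bool(ctrl & 0x40), "function": ctrl & 0x0F,
            "dest": dest, "src": src}

def find_frames(stream: bytes):
    """Offsets in a raw byte stream (e.g. a serial dump) where a CRC-valid header starts."""
    hits, pos = [], stream.find(DNP3_START)
    while pos != -1:
        if parse_link_header(stream[pos:]):
            hits.append(pos)
        pos = stream.find(DNP3_START, pos + 1)
    return hits

def classify(sport: int, dport: int, payload: bytes) -> str:
    """Combine the port hint with the header check for one TCP/UDP payload."""
    if parse_link_header(payload):
        return "dnp3"
    return "port-only" if DNP3_PORT in (sport, dport) else "not-dnp3"

def make_header(ctrl: int, dest: int, src: int, length: int = 5) -> bytes:
    """Build a header-only frame with a correct CRC (used for the constructed sample)."""
    body = DNP3_START + struct.pack("<BBHH", length, ctrl, dest, src)
    return body + struct.pack("<H", crc16_dnp(body))

if __name__ == "__main__":
    sample = make_header(0xC0, dest=1, src=1024)  # constructed, not from a real capture
    print(sample.hex(" "), parse_link_header(sample))
    print(find_frames(b"\x00\x05\x64\x00" + sample), classify(49152, 20000, sample))
```

A result of `port-only` or an empty `find_frames` list on the raw bytes suggests the capture holds something other than DNP3 framing at that layer, which is the case where forcing the DNP3 dissector would not help.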