
Unable to access data in second IOA

Dear all, I'm using pyshark (Python) to process dissected IEC 60870-5-104 packets. I'm able to access the first IOA in the captured data but unable to access the second/third IOA if NumIx > 1. I'm using the following code:

import pyshark

cap = pyshark.LiveCapture(interface='Ethernet', display_filter="104apci and 104asdu")
IOA_Val = cap[4].IOA
print(IOA_Val)

Layer 4 of Pcap

Layer 104ASDU:
TypeId: M_SP_NA_1 (1)
0... .... = SQ: False
.000 0010 = NumIx: 2
..01 0100 = CauseTx: Inrogen (20)
.0.. .... = Negative: False
0... .... = Test: False
OA: 2
Addr: 1
IOA: 345
IOA: 345
SIQ: 0x00
.... ...0 = SPI: Off
...0 .... = BL: Not blocked
..0. .... = SB: Not Substituted
.0.. .... = NT: Topical
0... .... = IV: Valid
IOA: 57756
IOA: 57756
SIQ: 0x00
.... ...0 = SPI: Off
...0 .... = BL: Not blocked
..0. .... = SB: Not Substituted
.0.. .... = NT: Topical
0... .... = IV: Valid

This works if NumIx=1 but doesn't work if NumIx>1

How to access the second IOA in the same packet?

In simple words, I'm able to access the IOA data of IOA value: 345 but unable to access the IOA data of IOA: 57756

Pcap file: https://drive.google.com/open?id=1Z3c...

updated 2018-10-14 07:53:00 +0000

Comments

Can you upload the capture to a publicly accessible location, e.g. CloudShark, Google Drive, DropBox etc. and then post a link to the capture by amending your question.

grahamb (2018-10-14 13:42:37 +0000)

I have shared the pcap file

Thinakaran_Gunasekar (2018-10-14 14:22:02 +0000)

1 Answer


There seems to be an issue directly accessing the 104asdu element, maybe because its name begins with a number. Using getattr() fixes that, then noting that the IOA and SIQ elements are of type "LayerField" with a "fields" array. This gives the following (note the capture you provided only had one packet, so I'm using cap[0] to access it):

>>> asdu = getattr(cap[0], "104asdu")
>>> asdu.ioa.fields[0]
<LayerField 104asdu.ioa: 345>
>>> asdu.siq.fields[0]
<LayerField 104asdu.siq: 0x00000000>
>>> asdu.ioa.fields[1]
<LayerField 104asdu.ioa: 57756>
>>> asdu.siq.fields[1]
<LayerField 104asdu.siq: 0x00000000>

pyshark could do with more documentation describing these types. I used a mix of dir() and type() to work this out.

grahamb, answered 2018-10-14 17:05:09 +0000
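
The access pattern from the answer above, extended as an added example (not code from the original posts or from pyshark) so that every information object in a packet is returned with its IOA as a plain integer and its SIQ flags decoded per the bit layout in the question's dissection. The names information_objects, constructed_packet and SIQ_FLAGS are hypothetical, the stand-in packet is constructed so the block runs without tshark, and only ASDUs carrying SIQ (as in the M_SP_NA_1 packet shown) are assumed.

```python
from types import SimpleNamespace

# SIQ bit masks, taken from the flag layout in the dissection shown in the question.
# A True value means the bit is set (e.g. BL=True is "blocked", IV=True is "invalid").
SIQ_FLAGS = {"SPI": 0x01, "BL": 0x10, "SB": 0x20, "NT": 0x40, "IV": 0x80}


def information_objects(packet):
    """Return one dict per information object in the packet's 104asdu layer."""
    # The layer name starts with a digit, so attribute syntax cannot reach it.
    asdu = getattr(packet, "104asdu")
    ioas = asdu.ioa.fields  # one LayerField per IOA occurrence
    siqs = asdu.siq.fields  # one LayerField per SIQ occurrence
    if len(ioas) != len(siqs):
        # Refuse to pair values when the dissected counts disagree.
        raise ValueError(f"{len(ioas)} IOA fields but {len(siqs)} SIQ fields")
    objects = []
    for ioa_field, siq_field in zip(ioas, siqs):
        siq = int(siq_field.show, 0)        # "0x00000000" -> 0
        obj = {"ioa": int(ioa_field.show)}  # "345" -> 345
        obj.update({name: bool(siq & mask) for name, mask in SIQ_FLAGS.items()})
        objects.append(obj)
    return objects


def constructed_packet(pairs):
    """Constructed stand-in with the same attribute shape as a pyshark packet."""
    def container(values):
        return SimpleNamespace(fields=[SimpleNamespace(show=v) for v in values])
    packet = SimpleNamespace()
    setattr(packet, "104asdu", SimpleNamespace(
        ioa=container([ioa for ioa, _ in pairs]),
        siq=container([siq for _, siq in pairs])))
    return packet


if __name__ == "__main__":
    # First two objects use the values from the question's packet;
    # the third is constructed with IV and SPI set.
    sample = constructed_packet([("345", "0x00000000"), ("57756", "0x00000000"),
                                 ("1001", "0x00000081")])
    for obj in information_objects(sample):
        print(obj)
```

With a real capture, pass a pyshark packet such as cap[0] to information_objects in place of the stand-in.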

Comments

Thank you. It worked perfectly.

Thinakaran_Gunasekar (2018-10-15 14:35:41 +0000)

How to get only the IOA, i.e. asdu.ioa.fields[0] returns LayerField 104asdu.ioa: 345 but only 345 is required.

Thinakaran_Gunasekar (2018-10-20 11:52:32 +0000)

Hi Thinakaran, is this solved?

sajathps (2022-06-08 07:44:35 +0000)