Learn packet analysis with challenging Wireshark labs (+25 advanced PCAP case-studies) !
Info·

IEC 60870-5-104 and IEC 61850 Protocol Analysis with Wireshark

Introduction to IEC 60870-5-104 and IEC 61850 Protocols

The power industry relies on robust communication protocols to ensure the safe and efficient operation of electrical substations. Two widely adopted protocols are IEC 60870-5-104 (IEC 104) and IEC 61850. IEC 104 is a standard telecontrol protocol used for remote control and monitoring of substations, while IEC 61850 is a comprehensive standard for substation automation, covering various aspects such as data modeling, communication services, and system configuration.

As a packet analysis expert, understanding these protocols is crucial when troubleshooting network issues and optimizing communication within a substation. In this article, we will explore the process of analyzing IEC 104 and IEC 61850 traffic using Wireshark, including real-world examples and expert tips.

Analyzing IEC 60870-5-104 Traffic with Wireshark

Wireshark provides built-in support for decoding and analyzing IEC 104 traffic. To capture IEC 104 traffic on your network, use the following capture filter:

tcp port 2404

Once you have captured some IEC 104 traffic, apply the following display filter to focus on relevant packets:

iec104

In the packet details pane, you can inspect the IEC 104 protocol structure, including the Application Protocol Data Unit (APDU) and its various fields such as Type Identification, Cause of Transmission, and Information Objects. By analyzing these fields, you can identify the type of command or information being exchanged and pinpoint potential issues in the communication.

Analyzing IEC 61850 Traffic with Wireshark

Wireshark also supports IEC 61850 protocol analysis, including Manufacturing Message Specification (MMS) and Generic Object-Oriented Substation Events (GOOSE) traffic. To capture IEC 61850 traffic, use the following capture filter:

udp portrange 102-65535

For MMS traffic, apply this display filter:

mms

For GOOSE traffic, use this display filter:

sv or goose

The packet details pane will show the IEC 61850 message structure, including the MMS or GOOSE header, and the data payload. You can explore various fields like Logical Nodes, Data Attributes, and Quality Flags to understand the exchanged information and identify potential communication issues or misconfigurations.

Expert Tips for IEC Protocol Analysis

  1. Familiarize yourself with the IEC 104 and IEC 61850 protocol specifications to better understand the message structure and identify potential issues.
  2. Use Wireshark's Statistics menu to analyze protocol-specific statistics, such as IEC 104 Type Identification distribution or IEC 61850 message types.
  3. Create custom Wireshark profiles for IEC protocol analysis, including custom columns, colorization rules, and display filters.

By understanding IEC 104 and IEC 61850 protocol analysis with Wireshark, you can significantly improve your ability to troubleshoot and optimize substation networks. To further enhance your packet analysis skills, consider enrolling in our WIRED for Packet Analysis training course (https://oripka.de/en/wired/) and exploring the advanced features of our PacketSafari PCAP analyzer (https://app.packetsafari.com).