DNP3/TCP Decoder Matt Michael
Presentation Overview
• Motivation
• DNP3 overview
• Available decoders
• Implementation details
• Example of use of decoder
Motivation
• I needed to learn about DNP3 to perform the investigation.
• Alarms from sectionalizing switch controllers needed investigation.
01/07/11 11:26:23 Z785 UNKNOWN OBJECT REQUEST DETECTED
Sectionalizing switch
• Used to reconfigure the distribution network for maintenance or repairs [http://www.sandc.com/edocs_pdfs/EDOC_001894.pdf]
DNP3 History
• Developed by Westronic to provide a common communication protocol for the utility industry.
• Used some work from IEC 870-5.
• Intended to be usable on 1200 bps links, so the amount of data sent is kept small while still providing many features.
DNP3 Feature Overview
• Broadcasting.
• Select-Before-Operate – Or Not.
• Time-Stamped Data.
• Accurate Time Synchronization.
• Quality Flags.
• Multiple Data Formats.
• Scan Groups.
• Layer Separation.
• Report-by-Exception.
• Internal Indications.
[§1.5 DNP3 Specification Vol. 1]
DNP3 has layers:
• Data Link Layer
• Transport Function
• Application Layer
[Fig. 2.1-1 DNP3 Specification Vol. 1]
Data Link Layer [p.34 DNP3 Specification Vol. 1]
Transport Function [p.33 DNP3 Specification Vol. 1]
Application Layer [p.32 DNP3 Specification Vol. 1]
Objects, Groups and Variations [p.9 DNP3 Specification Vol. 2]
Those Unknown Object Requests?
• Different ways to tell the IED what time it is
• SCADA system only sends Object Group 50 Variation 2
• Switch controller only knows about Object Group 50 Variation 1
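The three layers from the preceding slides, and the group/variation mismatch behind the alarm, can be seen in a small decoder. The following is an added example written for this page, not the dnpdecode.pl code from the talk: it checks the link-layer CRCs (CRC-16/DNP), strips the transport header, reads the application header and walks the object headers of a request. The object-size table, the set of object variations the outstation is assumed to support, and the sample frame (a time write using group 50 variation 2) are all constructed for the example.

```python
"""Decode one DNP3 link frame: data link header with CRC-16/DNP check, then the
transport, application and object headers.  Added example, not the dnpdecode.pl
code from the talk; OBJECT_SIZES and OUTSTATION_SUPPORTS are assumptions."""
import struct

LINK_START = b"\x05\x64"
FUNCTION_CODES = {1: "READ", 2: "WRITE", 3: "SELECT", 4: "OPERATE",
                  5: "DIRECT_OPERATE", 129: "RESPONSE", 130: "UNSOL_RESP"}
OBJECT_SIZES = {(50, 1): 6, (50, 2): 11, (12, 1): 11}   # fixed sizes known to this example
OUTSTATION_SUPPORTS = {(50, 1), (12, 1)}                 # assumed: controller knows g50v1 only

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (0xA6BC reflected), init 0, output XOR 0xFFFF."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(dest: int, src: int, user_data: bytes, ctrl: int = 0xC4) -> bytes:
    """Wrap transport+application bytes in a link frame (used for the sample).
    LEN counts CTRL, DEST, SRC and user data, not CRCs; ctrl 0xC4 = DIR|PRM
    with link function 4 (UNCONFIRMED_USER_DATA) as sent by a master."""
    header = LINK_START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):      # 16-byte blocks, each followed by its CRC
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame

def parse_link(frame: bytes):
    """Return (ctrl, dest, src, user_data); ValueError on bad start octets or CRC."""
    if frame[:2] != LINK_START:
        raise ValueError("missing 0x0564 start octets")
    length, ctrl = frame[2], frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user_data, pos, remaining = b"", 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if struct.unpack("<H", frame[pos + n:pos + n + 2])[0] != crc16_dnp(block):
            raise ValueError("user data CRC mismatch")
        user_data, pos, remaining = user_data + block, pos + n + 2, remaining - n
    return ctrl, dest, src, user_data

def parse_object_headers(body: bytes):
    """Walk object headers of a request: [(group, var, qualifier, count), ...] plus
    the undecoded remainder as hex (the talk's hex-dump fallback for other groups)."""
    objects, pos = [], 0
    while pos + 3 <= len(body):
        group, var, qual = body[pos], body[pos + 1], body[pos + 2]
        rc, pos = qual & 0x0F, pos + 3           # range specifier code
        prefix = {1: 1, 2: 2, 3: 4}.get((qual >> 4) & 0x7, 0)   # index prefix size
        if rc in (7, 8):                          # object count in 1 or 2 bytes
            count, pos = int.from_bytes(body[pos:pos + rc - 6], "little"), pos + rc - 6
        elif rc == 6:                             # "all objects": no range field, no data
            count = 0
        else:
            raise ValueError(f"qualifier 0x{qual:02X} not handled by this example")
        objects.append((group, var, qual, count))
        size = OBJECT_SIZES.get((group, var))
        if size is None:                          # unknown layout: stop and dump hex
            break
        pos += count * (prefix + size)
    return objects, body[pos:].hex()

def decode_frame(frame: bytes) -> dict:
    """Fields for one dnpdecode-style line.  Request fragments only: responses
    carry two IIN octets after the function code that this does not skip."""
    ctrl, dest, src, user_data = parse_link(frame)
    th, ac, fn = user_data[0], user_data[1], user_data[2]   # transport hdr, app ctrl, function
    objects, tail = parse_object_headers(user_data[3:])
    return {"dest": dest, "src": src, "prm": bool(ctrl & 0x40), "link_fn": ctrl & 0x0F,
            "tp_fir": bool(th & 0x40), "tp_fin": bool(th & 0x80), "tp_seq": th & 0x3F,
            "app_fir": bool(ac & 0x80), "app_fin": bool(ac & 0x40), "app_seq": ac & 0x0F,
            "function": FUNCTION_CODES.get(fn, f"FN{fn}"), "objects": objects, "hexdump": tail,
            "unknown_objects": [(g, v) for g, v, _, _ in objects if (g, v) not in OUTSTATION_SUPPORTS]}

# Constructed sample: master (DNP address 100) writes time-and-date-with-interval
# (g50v2, qualifier 0x07, count 1) to the outstation (DNP address 1).
TIME_WRITE_G50V2 = build_frame(
    dest=1, src=100,
    user_data=bytes([0xC0,             # transport header: FIR|FIN, seq 0
                     0xC0, 0x02,       # app ctrl FIR|FIN seq 0, function WRITE
                     50, 2, 0x07, 1])  # object header g50v2, 1-byte count = 1
    + (1294399583000).to_bytes(6, "little")   # DNP3 time in ms: 2011-01-07 11:26:23 UTC
    + struct.pack("<IB", 0, 0))               # interval count 0, units 0

if __name__ == "__main__":
    d = decode_frame(TIME_WRITE_G50V2)
    print(f"{d['src']}->{d['dest']} {d['function']} objs={d['objects']} "
          f"unknown={d['unknown_objects']} hex={d['hexdump']}")
```

The sample's user data is 18 bytes, so it crosses a 16-byte block boundary and exercises the per-block CRC check; a frame whose CRC fails is rejected before any of its contents are interpreted. The `unknown_objects` field is the decoder-side view of the "UNKNOWN OBJECT REQUEST" alarm: the write carries group 50 variation 2, which the assumed outstation does not list among its supported variations.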
DNP3 is not trivial to decipher [p.33 DNP3 Specification Vol. 1]
Write my own and learn
• Get the features I want:
• Command-line
• Text output so I can use tools like tail and grep
• Runs on the Linux machine that runs the SCADA communication software
• Provides motivation to learn the details of DNP3
• Specification is in 8 volumes plus appendices
DNP3 has layers…
• Data Link Layer
• Transport Function
• Application Layer
Implementation details, part 2
DNP3 “magic numbers” mean that many constants had to be defined
Implementation details, part 3 Net::PcapUtils makes using libpcap easy
dnpdecode.pl operation
• Has to run with root permissions for libpcap access to the NIC
• Single line of text for each DNP3 packet
Too many objects and variations
• 45 object groups, each with up to 10 variations
• Not enough time to write decoding subroutines for them all, so I resort to a hex dump for most objects:
dnpdecode.pl output for control operation, part 1
• Master issues a select
• Master is 192.168.5.155, outstation 192.168.5.1
• DNP source address 100, destination address 1
• “SLCT” is abbreviation for Select
• The operation is a Pulse On (“PULSEON”), on for 250ms and off for 125ms.
dnpdecode.pl output for control operation, part 2
• Outstation responds (“RESP”)
• Echoes what the master sent so that master can be sure the message was correctly received
dnpdecode.pl output for control operation, part 3
• Master issues command to perform operation
• Same information as the Select step, but is now an Operate (“OPRT”) command.
dnpdecode.pl output for control operation, part 4
• Outstation responds with an error
• This outstation does not support a Pulse On operation for the selected point so responds with NOT_SUPPORTED.
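The four-step exchange described in parts 1 to 4 (Select, echoed Select, Operate, error Response) can be decoded and checked at the application layer as follows. This is an added example, not output or code from the talk: the fragments are constructed to match the narrative (Pulse On, 250 ms on, 125 ms off, answered with NOT_SUPPORTED), the point index 3 is an arbitrary choice, and the one-line SLCT/OPRT/RESP format only imitates dnpdecode.pl's. Link and transport layers are left out; they are the same for every fragment.

```python
"""Decode a DNP3 select-before-operate exchange at the application layer:
Select, echoed Select, Operate, and the outstation's Response status.  Added
example; the fragments are constructed, not captures from the talk, and the
SLCT/OPRT/RESP line format only imitates dnpdecode.pl's."""
import struct

FN_NAMES = {3: "SLCT", 4: "OPRT", 5: "DOPR", 129: "RESP"}
OP_TYPES = {0: "NUL", 1: "PULSEON", 2: "PULSEOFF", 3: "LATCHON", 4: "LATCHOFF"}
STATUS = {0: "SUCCESS", 1: "TIMEOUT", 2: "NO_SELECT", 3: "FORMAT_ERROR",      # g12v1 status
          4: "NOT_SUPPORTED", 5: "ALREADY_ACTIVE", 6: "HARDWARE_ERROR",
          7: "LOCAL", 8: "TOO_MANY_OBJS", 9: "NOT_AUTHORIZED"}

def crob(op: int, on_ms: int, off_ms: int, status: int = 0, count: int = 1) -> bytes:
    """Control Relay Output Block (g12v1): control code, count, on-time, off-time, status."""
    return struct.pack("<BBIIB", op, count, on_ms, off_ms, status)

def fragment(fn: int, index: int, block: bytes, seq: int = 0) -> bytes:
    """Application fragment: ctrl FIR|FIN|seq, function code, IIN (responses only),
    object header g12v1 with qualifier 0x17 (1-byte count, 1-byte index), the CROB."""
    iin = b"\x00\x00" if fn >= 0x80 else b""
    return bytes([0xC0 | seq, fn]) + iin + bytes([12, 1, 0x17, 1, index]) + block

def decode(frag: bytes) -> dict:
    """Pull the fields a one-line decoder output needs out of a g12v1 fragment."""
    ac, fn = frag[0], frag[1]
    pos = 4 if fn >= 0x80 else 2                       # skip the IIN octets of a response
    group, var, qual, count, index = frag[pos:pos + 5]
    if (group, var, qual) != (12, 1, 0x17):
        raise ValueError("this example decodes g12v1 with qualifier 0x17 only")
    op, _, on, off, status = struct.unpack("<BBIIB", frag[pos + 5:pos + 16])
    return {"seq": ac & 0x0F, "fn": FN_NAMES.get(fn, f"FN{fn}"), "index": index,
            "op": OP_TYPES.get(op & 0x0F, f"OP{op & 0x0F}"),
            "on_ms": on, "off_ms": off, "status": STATUS.get(status, f"ST{status}")}

def format_line(src: int, dst: int, d: dict) -> str:
    """One line per fragment, in the spirit of dnpdecode.pl's text output."""
    return (f"{src}->{dst} seq={d['seq']} {d['fn']} g12v1 pt{d['index']} {d['op']} "
            f"on={d['on_ms']}ms off={d['off_ms']}ms {d['status']}")

def check_exchange(select: dict, echo: dict, operate: dict, response: dict) -> str:
    """Select-before-operate rules: the echo must repeat the select, the operate
    must match it, and the response status says whether the outstation acted."""
    fields = ("index", "op", "on_ms", "off_ms")
    if any(echo[k] != select[k] for k in fields):
        return "ECHO_MISMATCH"          # master must not proceed to operate
    if any(operate[k] != select[k] for k in fields):
        return "OPERATE_MISMATCH"
    return response["status"]

# Constructed exchange following the talk's narrative: master (DNP 100) selects
# PULSEON 250 ms on / 125 ms off at point 3 of the outstation (DNP 1), the
# outstation echoes it, the master operates, the outstation answers NOT_SUPPORTED.
PULSE = crob(op=1, on_ms=250, off_ms=125)
EXCHANGE = [(100, 1, fragment(3, 3, PULSE, seq=5)),
            (1, 100, fragment(129, 3, PULSE, seq=5)),
            (100, 1, fragment(4, 3, PULSE, seq=6)),
            (1, 100, fragment(129, 3, crob(1, 250, 125, status=4), seq=6))]

def run() -> str:
    """Print each fragment as one line and return the outcome of the exchange."""
    decoded = [decode(f) for _, _, f in EXCHANGE]
    for (src, dst, _), d in zip(EXCHANGE, decoded):
        print(format_line(src, dst, d))
    return check_exchange(*decoded)

if __name__ == "__main__":
    print("exchange result:", run())
```

The echo comparison in `check_exchange` is the point of the Select step in part 2: if the outstation's echoed block differs from what the master sent, the master has no business issuing the Operate. The status octet of the final Response is where the NOT_SUPPORTED from part 4 appears; a decoder that prints it on the same line as the function code makes that kind of failure easy to find with grep.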
Conclusion • I learned a lot about DNP3 – mostly that it is complex!
Thank you • Questions? mmichael@vandals.uidaho.edu