
Prerequisites

The Pcap transport handler is located in the Pcap Wrapper Feature.

The protocol itself

The source of this section is Wikipedia.

In the field of computer network administration, pcap (packet capture) consists of an application programming interface (API) for capturing network traffic. Unix-like systems implement pcap in the libpcap library; Windows uses a port of libpcap known as WinPcap.
Monitoring software may use libpcap and/or WinPcap to capture packets travelling over a network and, in newer versions, to transmit packets on a network at the link layer, as well as to get a list of network interfaces for possible use with libpcap or WinPcap.
The pcap API is written in C, so other languages such as Java, .NET languages, and scripting languages generally use a wrapper; no such wrappers are provided by libpcap or WinPcap itself. C++ programs may link directly to the C API or use an object-oriented wrapper.

Used library

This Odysseus feature uses jNetPcap.

PCap file transport handler

In Odysseus, a file transport handler is implemented to read Pcap files. Writing Pcap files is currently not supported! The example below shows the transport handler in combination with the IEC 60870-5-104 protocol handler. Note that the file name is passed as a string option, so it must be quoted.

#PARSER PQL
#RUNQUERY
input := ACCESS({
              transport = 'pcapfile',
              protocol = 'iec60870-5-104',
              wrapper = 'GENERICPUSH',
              source = 'Pcap',
              datahandler = 'tuple',
              options = [['file', 'somepcapfile.pcap']],
              schema = [
                ['typeId', 'object'],
                ['isSequenceOfElements', 'boolean'],
                ['causeOfTransmission', 'object'],
                ['test', 'boolean'],
                ['negativeConfirm', 'boolean'],
                ['originatorAddress', 'integer'],
                ['commonAddress', 'integer'],
                ['sequenceLength', 'integer'],
                ['informationObjects', 'list'],
                ['areInfosPrivate', 'boolean']
              ]
            })


Data types

  • Application Service Data Unit (ASDU)
    • The ASDU is the payload of the application protocol data unit (APDU). Its structure is defined in IEC 60870-5-101 and used unchanged by IEC 60870-5-104. The ASDU consists of the Data Unit Identifier and a number of Information Objects. The Data Unit Identifier contains:
    • TypeId (1 byte)
    • Variable Structure Qualifier (VSQ, 1 byte) - the top bit (SQ) specifies whether the ASDU carries separate Information Objects (SQ=0) or one Information Object with a sequence of Information Elements (SQ=1); the low 7 bits give their number.
    • Cause of Transmission (COT, 1 or 2 bytes; fixed at 2 bytes in IEC 60870-5-104)
      • The first byte codes the actual CauseOfTransmission in its low 6 bits, a bit (T) indicating whether the message was sent for test purposes only and a bit (P/N) indicating whether a confirmation message is positive or negative. The second byte of the Cause of Transmission field is the Originator Address. It is the address of the originating controlling station so that responses can be routed back to it.
    • Common Address of ASDU (1 or 2 bytes; fixed at 2 bytes in IEC 60870-5-104)
      • The address of the target station or the broadcast address. If the field length of the common address is 1 byte then the addresses 1 to 254 are used to address a particular station (station address) and 255 is used for broadcast addressing. If the field length of the common address is 2 bytes then the addresses 1 to 65534 are used to address a particular station and 65535 is used for broadcast addressing. Broadcast addressing is only allowed for certain TypeIDs.
  • A list of Information Objects containing the actual data in the form of Information Elements, each Information Object being addressed by an Information Object Address (IOA, 3 bytes in IEC 60870-5-104).

In Odysseus, the IEC 60870-5-104 protocol handler sends a tuple to the data handler with the following schema:

  • typeId: Object
  • isSequenceOfElements: Boolean
  • causeOfTransmission: Object
  • test: Boolean
  • negativeConfirm: Boolean
  • originatorAddress: Integer
  • commonAddress: Integer
  • sequenceLength: Integer
  • informationObjects: List
  • areInfosPrivate: Boolean

It is recommended to use the Tuple datahandler.
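The following decoder is an added example and is not Odysseus code: it shows, for the Data types section above and for the tuple schema just listed, how the field values are taken from the bytes of an IEC 60870-5-104 APDU. It assumes the fixed 104 field lengths (2-byte COT, 2-byte common address, 3-byte IOA), that the caller has already extracted the TCP payload from the capture (in Odysseus that is the job of the pcapfile transport handler), and decodes information elements only for the handful of type IDs in its table; the sample segment is constructed, not captured traffic. The field names `areInfosPrivate` and the Odysseus `object` types are not reproduced; the dataclass below is the example's own.

```python
"""Decode IEC 60870-5-104 APDUs into the fields the Odysseus iec60870-5-104
protocol handler emits.  Added example, not Odysseus or jNetPcap code.
Assumes the 104 fixed lengths: COT 2 octets, common address 2, IOA 3."""
import struct
from dataclasses import dataclass, field

START_BYTE = 0x68
APCI_LEN = 6  # start byte, length octet, four control octets


@dataclass
class Asdu:
    typeId: int
    isSequenceOfElements: bool   # SQ bit (bit 7) of the VSQ
    causeOfTransmission: int     # low 6 bits of COT octet 1
    test: bool                   # T bit (bit 7) of COT octet 1
    negativeConfirm: bool        # P/N bit (bit 6) of COT octet 1
    originatorAddress: int       # COT octet 2
    commonAddress: int           # 2 octets, little-endian
    sequenceLength: int          # low 7 bits of the VSQ
    informationObjects: list = field(default_factory=list)  # (ioa, decoded) pairs


def _single_point(b):   # SIQ: SPI in bit 0, IV (invalid) in bit 7
    return {"value": bool(b[0] & 0x01), "invalid": bool(b[0] & 0x80)}


def _short_float(b):    # IEEE 754 short float + QDS quality octet
    return {"value": struct.unpack("<f", b[:4])[0], "invalid": bool(b[4] & 0x80)}


def _one_octet(b):
    return {"raw": b[0]}


# type ID -> (name, information element size in octets, decoder); a small subset
ELEMENTS = {
    1: ("M_SP_NA_1", 1, _single_point),
    13: ("M_ME_NC_1", 5, _short_float),
    45: ("C_SC_NA_1", 1, _one_octet),
    100: ("C_IC_NA_1", 1, _one_octet),
}


def iter_apdus(payload: bytes):
    """Split a TCP payload into APDUs by the APCI length octet; a segment
    routinely carries several APDUs, and an APDU may be cut by the segment end."""
    pos = 0
    while pos < len(payload):
        if payload[pos] != START_BYTE or pos + 2 > len(payload):
            raise ValueError(f"no APCI start byte at offset {pos}")
        end = pos + 2 + payload[pos + 1]
        if end > len(payload):
            raise ValueError("APDU truncated by segment boundary")
        yield payload[pos:end]
        pos = end


def parse_apdu(apdu: bytes):
    """('I', Asdu) for an I-format frame; ('S', None) / ('U', None) for the
    supervisory and unnumbered frames, which carry no ASDU."""
    if len(apdu) < APCI_LEN or apdu[0] != START_BYTE:
        raise ValueError("malformed APCI")
    if not 4 <= apdu[1] <= 253 or len(apdu) != apdu[1] + 2:
        raise ValueError(f"APCI length {apdu[1]} disagrees with {len(apdu) - 2} bytes")
    ctrl1 = apdu[2]
    if ctrl1 & 0x01 == 0:
        return "I", parse_asdu(apdu[APCI_LEN:])
    return ("S" if ctrl1 & 0x03 == 0x01 else "U"), None


def parse_asdu(asdu: bytes) -> Asdu:
    if len(asdu) < 6:
        raise ValueError("ASDU shorter than its data unit identifier")
    type_id, vsq, cot, oa = asdu[0], asdu[1], asdu[2], asdu[3]
    out = Asdu(typeId=type_id, isSequenceOfElements=bool(vsq & 0x80),
               causeOfTransmission=cot & 0x3F, test=bool(cot & 0x80),
               negativeConfirm=bool(cot & 0x40), originatorAddress=oa,
               commonAddress=struct.unpack_from("<H", asdu, 4)[0],
               sequenceLength=vsq & 0x7F)
    body = asdu[6:]
    if type_id not in ELEMENTS:
        out.informationObjects.append(("undecoded", body))  # keep bytes, never guess a layout
        return out
    _, size, decode = ELEMENTS[type_id]
    pos = 0
    if out.isSequenceOfElements:
        # SQ=1: one IOA, then sequenceLength elements at consecutive addresses
        if len(body) < 3:
            raise ValueError("missing information object address")
        first, pos = int.from_bytes(body[:3], "little"), 3
        for i in range(out.sequenceLength):
            if pos + size > len(body):
                raise ValueError("information elements truncated")
            out.informationObjects.append((first + i, decode(body[pos:pos + size])))
            pos += size
    else:
        # SQ=0: sequenceLength objects, each its own IOA followed by one element
        for _ in range(out.sequenceLength):
            if pos + 3 + size > len(body):
                raise ValueError("information objects truncated")
            ioa = int.from_bytes(body[pos:pos + 3], "little")
            out.informationObjects.append((ioa, decode(body[pos + 3:pos + 3 + size])))
            pos += 3 + size
    if pos != len(body):
        raise ValueError(f"{len(body) - pos} trailing bytes after information objects")
    return out


def rejects(buf: bytes) -> bool:
    """True if parse_apdu refuses buf; exercises the malformed-input paths."""
    try:
        parse_apdu(buf)
    except ValueError:
        return True
    return False


# Constructed sample (not captured traffic): one TCP segment with three APDUs.
SAMPLE_SEGMENT = bytes.fromhex(
    "68 04 07 00 00 00"                          # U-frame, STARTDT act
    "68 12 02 00 04 00 01 02 03 00 01 00"        # I-frame: M_SP_NA_1, SQ=0, 2 objects, COT=3, CA=1
    "01 00 00 01  02 00 00 00"                   #   IOA 1 -> ON, IOA 2 -> OFF
    "68 17 02 00 04 00 0d 82 94 05 34 12"        # I-frame: M_ME_NC_1, SQ=1, 2 elements, COT=20 with T bit, OA=5, CA=0x1234
    "64 00 00  00 00 c0 3f 00  00 00 00 40 80"   #   IOA 100 -> 1.5, IOA 101 -> 2.0 marked invalid
)

if __name__ == "__main__":
    for apdu in iter_apdus(SAMPLE_SEGMENT):
        print(*parse_apdu(apdu))
```

The length checks matter for a capture parser: a wrong VSQ count or a truncated segment should be reported, not silently decoded into partial objects, and only I-format frames reach the ASDU decoder at all.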
