tcpdump mailing list archives
Request for new pcap/pcapng DLT Format
From: chris_bontje () selinc com
Date: Mon, 13 May 2013 14:04:37 -0600
Hi, I would like to request a custom DLT type for the Schweitzer Engineering Laboratories "RTAC" product. Information on the product/purpose of the DLT is included below: The RTAC product family (SEL-3530, SEL-2241, SEL-3505) is a Linux-based Automation Controller product that is capable of interfacing with SEL and 3rd-party equipment using a variety of standard industrial protocols such as SEL FM, DNP3, Modbus, C37.118, Telegyr 8979 and others. Each protocol instance (master/client or slave/server) is configured to utilize either Ethernet or EIA-232/485 serial connectivity with protocol variations for each medium taken into account. More information is available at www.selinc.com/sel-3530 The configuration software for the RTAC platform is named AcSELerator RTAC (SEL-5033) and is used to set up all communications and user logic for the controller as well as provide downloading and online debugging facilities. One particularly useful aspect of the online debugging capabilities is a robust Communication Monitor tool that can show raw data streams from either serial or Ethernet interfaces. Many similar products have this same capability but the RTAC software goes a step beyond by providing a "save-as" function to save all captured data into pcap format for further analysis in Wireshark. All Ethernet-based capture files will have a packets with a "Linux Cooked Capture" Ethernet-header including the "source" MAC address of the device responsible for the generation of the message and the TCP/IP header(s) maintained from the original conversation. The application data from the message will follow as per a standard Wireshark packet. Serial-based pcap capture files are stored using "User 0" DLT type 147 to specify a user-defined dissector for pcap data and contain a standard 12-byte serial data header followed by the application payload data from actual rx/tx activity on the line. Some useful information can be retrieved from the 12-byte header information, such as conversation time-stamps, UART function and EIA-232 serial control line states at the time of the message. The dissector is intended to be called from the DLT_USER preferences configuration with User 0 (DLT=147) set with a 'Header Size' of '12' and a 'Header Protocol' of 'rtacser'. The 'Payload Protocol' can be configured to use whatever standardized industrial protocol is present on the line for attempted dissection (selfm, mbrtu, dnp3.udp, synphasor) The general format of this 12-byte header is as follows: +---------------------------+ | Relative TimeStamp (Left) | | (4 Bytes) | +---------------------------+ | Relative TimeStamp (Right)| | (4 Bytes) | +---------------------------+ | Serial Event Type | | (1 Byte) | +---------------------------+ | UART Control Line State | | (1 Byte) | +---------------------------+ | Footer | | (2 Bytes) | +---------------------------+ | Payload | . . . . . . 1) The relative timestamp is 8 bytes, the "left" and "right" components are 32-bit integers representing the left and right-hand side of the decimal point, respectively 2) The Serial Event type represents the type of packet entry in the pcap file: { 0x00, "STATUS_CHANGE" }, { 0x01, "DATA_TX_START" }, { 0x02, "DATA_RX_START" }, { 0x03, "DATA_TX_END" }, { 0x04, "DATA_RX_END" }, { 0x05, "CAPTURE_DATA_LOST" }, { 0x06, "CAPTURE_COMPLETE" }, { 0x07, "FRAMING_ERROR" }, { 0x08, "PARITY_ERROR" }, { 0x09, "SERIAL_BREAK_EVENT" }, { 0x0A, "SERIAL_OVERFLOW_EVENT" }, 3) The UART Control Line State is a masked-bit representation of the serial UART lines (asserted, de-asserted) at the time of the packet generation: CTS 0x01 DCD 0x02 DSR 0x04 RTS 0x08 DTR 0x10 RING 0x20 MBOK 0x40 4) The 2-byte footer is undefined and for future use. The Wireshark code submission currently exists at: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8644. The current plan is to have a User Preference for the payload protocol decoding, selecting DNP3, Modbus, Synchrophasor or SELFM. Let me know if any more details are needed. Thanks, Chris Bontje Schweitzer Engineering Labs Automation Application Specialist, SW Region (509)334-5664 chris_bontje () selinc com _______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- Request for new pcap/pcapng DLT Format chris_bontje (May 18)
- Re: Request for new pcap/pcapng DLT Format Guy Harris (May 20)
- Re: Request for new pcap/pcapng DLT Format chris_bontje (May 20)
- Re: Request for new pcap/pcapng DLT Format Guy Harris (May 20)
- Re: Request for new pcap/pcapng DLT Format chris_bontje (May 20)
- Re: Request for new pcap/pcapng DLT Format Guy Harris (May 20)
- Message not available
- Re: Request for new pcap/pcapng DLT Format Guy Harris (May 21)
- Message not available
- Re: Request for new pcap/pcapng DLT Format Guy Harris (Jun 13)
- Re: Request for new pcap/pcapng DLT Format Guy Harris (Jun 13)
- Message not available
- Re: Request for new pcap/pcapng DLT Format Guy Harris (May 20)