IEC 60870-5-104 and IEC 61850 Protocol Analysis with Wireshark https://www.packetsafari.com/blog/2022/08/03/iec104-61850-analysis
Info · Aug 3, 2022
IEC 60870-5-104 and IEC 61850 Protocol Analysis with Wireshark
Oliver Ripka
Introduction to IEC 60870-5-104 and IEC 61850 Protocols
The power industry relies on robust communication protocols to ensure the safe and
efficient operation of electrical substations. Two widely adopted protocols are IEC
60870-5-104 (IEC 104) and IEC 61850. IEC 104 is a standard telecontrol protocol used for
remote control and monitoring of substations, while IEC 61850 is a comprehensive
standard for substation automation, covering various aspects such as data modeling,
communication services, and system configuration.
For a packet analyst, understanding these protocols is crucial when
troubleshooting network issues and optimizing communication within a substation. In
this article, we will explore the process of analyzing IEC 104 and IEC 61850 traffic using
Wireshark, including real-world examples and expert tips.
Analyzing IEC 60870-5-104 Traffic with Wireshark
Wireshark provides built-in support for decoding and analyzing IEC 104 traffic. To
capture IEC 104 traffic on your network, use the following capture filter:
tcp port 2404
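Once you have captured some IEC 104 traffic, apply the following display filter to focus
on relevant packets. Current Wireshark releases register the dissector as iec60870_104
(APCI) and iec60870_asdu (ASDU); older releases used 104apci and 104asdu:
iec60870_104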
In the packet details pane, you can inspect the IEC 104 protocol structure, including the
Application Protocol Data Unit (APDU) and its various fields such as Type Identification,
Cause of Transmission, and Information Objects. By analyzing these fields, you can
identify the type of command or information being exchanged and pinpoint potential
issues in the communication.
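The APDU layout that the packet details pane decodes, as an added Python example (not part of the original article): a minimal parser that classifies one IEC 104 frame as I-, S- or U-format and, for I-format frames, extracts Type Identification, Cause of Transmission and the first Information Object Address, flagging control-direction types. It assumes the default 104 field sizes (2-octet COT, 2-octet common address, 3-octet IOA); the name tables are a small subset and the sample frames are constructed.

```python
import struct

# Small subset of the TypeID table, enough for the constructed samples below.
TYPE_NAMES = {1: "M_SP_NA_1", 13: "M_ME_NC_1", 45: "C_SC_NA_1",
              46: "C_DC_NA_1", 100: "C_IC_NA_1", 103: "C_CS_NA_1"}
U_FUNCS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
           0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}

def parse_apdu(buf: bytes) -> dict:
    """Parse one APDU. Assumes 2-octet COT, 2-octet common address, 3-octet IOA."""
    if len(buf) < 6 or buf[0] != 0x68:
        raise ValueError("missing 0x68 start byte or APCI too short")
    length = buf[1]                      # counts the 4 control octets plus the ASDU
    if length < 4 or len(buf) < 2 + length:
        raise ValueError("APDU length field does not match the data")
    c1, c2, c3, c4 = buf[2:6]
    recv_seq = (c3 | c4 << 8) >> 1
    if c1 & 0x03 == 0x03:                # U-format: link control, no ASDU
        return {"format": "U", "function": U_FUNCS.get(c1, "unknown")}
    if c1 & 0x03 == 0x01:                # S-format: acknowledgement only
        return {"format": "S", "recv_seq": recv_seq}
    asdu = buf[6:2 + length]             # I-format carries one ASDU
    if len(asdu) < 9:
        raise ValueError("I-format frame with truncated ASDU header")
    type_id, vsq, cot, originator, common_addr = struct.unpack_from("<BBBBH", asdu)
    # TypeID ranges 45-69 and 100-119 are defined for the control direction.
    control = 45 <= type_id <= 69 or 100 <= type_id <= 119
    return {
        "format": "I", "send_seq": (c1 | c2 << 8) >> 1, "recv_seq": recv_seq,
        "type_id": type_id, "type_name": TYPE_NAMES.get(type_id, "unknown"),
        "sq": bool(vsq & 0x80), "num_objects": vsq & 0x7F,
        "cause": cot & 0x3F, "negative": bool(cot & 0x40), "test": bool(cot & 0x80),
        "originator": originator, "common_addr": common_addr,
        "first_ioa": int.from_bytes(asdu[6:9], "little"),
        "direction": "control" if control else "monitor",
    }

# Constructed sample frames (not taken from a real capture).
SAMPLES = {
    "startdt": bytes.fromhex("680407000000"),
    "s_ack":   bytes.fromhex("680401000a00"),
    "spont":   bytes.fromhex("680e040002000101030001000a000001"),
    "command": bytes.fromhex("680e000000002d010600010064000001"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, parse_apdu(frame))
```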
Analyzing IEC 61850 Traffic with Wireshark
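Wireshark also supports IEC 61850 protocol analysis, including Manufacturing Message
Specification (MMS) and Generic Object-Oriented Substation Events (GOOSE) traffic. MMS
runs over TCP port 102, while GOOSE and Sampled Values (SV) are carried directly in
Ethernet frames (EtherTypes 0x88b8 and 0x88ba), so a UDP-based filter does not match
them. To capture IEC 61850 traffic, use the following capture filter:
tcp port 102 or ether proto 0x88b8 or ether proto 0x88ba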
For MMS traffic, apply this display filter:
mms
For GOOSE and Sampled Values (SV) traffic, use this display filter:
sv or goose
The packet details pane will show the IEC 61850 message structure, including the MMS
or GOOSE header, and the data payload. You can explore various fields like Logical
Nodes, Data Attributes, and Quality Flags to understand the exchanged information and
identify potential communication issues or misconfigurations.
Expert Tips for IEC Protocol Analysis
1. Familiarize yourself with the IEC 104 and IEC 61850 protocol specifications to better
understand the message structure and identify potential issues.
2. Use Wireshark's Statistics menu to analyze protocol-specific statistics, such as IEC
104 Type Identification distribution or IEC 61850 message types.
3. Create custom Wireshark profiles for IEC protocol analysis, including custom
columns, colorization rules, and display filters.
By understanding IEC 104 and IEC 61850 protocol analysis with Wireshark, you can
significantly improve your ability to troubleshoot and optimize substation networks. To
further enhance your packet analysis skills, consider enrolling in our WIRED for Packet
Analysis training course (https://oripka.de/en/wired/) and exploring the advanced
features of our PacketSafari PCAP analyzer (https://app.packetsafari.com).