On 05/07/2011 21:42, Graeme Melia wrote:
I am using Wireshark to to monitor a multi-serial port device that
communicates to a server via IP.
The outgoing TCP messages from the server has the DNP3 message embedded,
usually in one packet.
The incoming DNP3 messages are being broken up so that each byte is a
single TCP packet, or a 23 byte DNP3 message becomes 23 TCP packets each
with a payload of 1 data byte.
The problem is that the Wireshark DNP3 dissector is not reassembling the
original DNP3 message. I have checked the DNP3 option to reassemble
messages split across multiple TCP packets and the TCP setting to allow
subdissector to reassemble TCP streams.
Is this a bug or have I missed something?
Actually
thinking about your problem description a little more, the DNP3
dissector needs to see at least two bytes in the TCP packet (the
0x0564 data link layer start sequence) to determine that the
data is DNP3. If your device is only sending back one byte per
tcp packet then I don't think the dissector will pick it up.
Most (all) of the serial port to IP devices I've used have a
buffer or delay setting to not transmit an IP packet until a
number of characters have been received or no characters have
been received for a time period (i.e. end of serial packet). Do
you have any settings on your device to do this? Apart from
allowing Wireshark to correctly decode the data, it will also be
much more efficient for your end use case.
--
Regards,
Graham Bloice
|
