Can I capture the DNP3 traffic?


gmat...@mistnet.io

Aug 7, 2018, 6:07:08 PM
to opendnp3
With this simulator, will I be able to capture DNP3 packets?

-Geoff

Adam Crain

Aug 7, 2018, 6:18:42 PM
to opendnp3
Hi Geoff,

Opendnp3 is a library for implementing compliant outstation and masters, and as such, is not oriented towards "packet capture".

If you need passive packet capture, you're way better off just using libpcap, and then analyzing the pcaps using wireshark which has a decent dissector for DNP3.

If you need programmatic analysis of DNP3 messages in C++, opendnp3 does have a decoder class:


This class is used to implement the web-based decoder found on the project homepage:


It allows you to input data at any of the 3 levels of the protocol, and receive callbacks describing the data as log statements.

I've re-purposed some of the parsing internals in the past to implement plugins for deep packet inspection firewalls:


This is beyond the scope of the public API however.

-Adam
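The decoder Adam mentions takes input at any of DNP3's three layers; the lowest is the link layer that a passive analyzer (pcap, Wireshark, a BRO/Zeek parser) sees first. As an added example, not code from opendnp3 or from this thread, the Python below builds and validates DNP3 link frames: 0x0564 start bytes, a header with the CRC-16/DNP checksum, and 16-byte user-data blocks each followed by their own CRC. The frame contents (a Request Link Status from source 1 to destination 1024) are constructed for illustration.

```python
import struct

START = b"\x05\x64"
REVERSED_POLY = 0xA6BC  # CRC-16/DNP polynomial 0x3D65, bit-reversed for the reflected algorithm

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected, init 0, final complement. crc16_dnp(b'123456789') == 0xEA82."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ REVERSED_POLY if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF

def build_frame(ctrl: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Assemble a link frame: 8-byte header + CRC, then 16-byte data blocks each with a CRC."""
    length = 5 + len(user_data)  # LEN counts CTRL, DEST, SRC and user data, not the CRCs
    header = START + struct.pack("<BBHH", length, ctrl, dest, src)
    frame = header + struct.pack("<H", crc16_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc16_dnp(block))
    return frame

def parse_frame(frame: bytes) -> dict:
    """Check start bytes and every CRC, then return the decoded link-layer fields."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 link frame (short or missing 0x0564 start bytes)")
    length, ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    if struct.unpack("<H", frame[8:10])[0] != crc16_dnp(frame[:8]):
        raise ValueError("header CRC mismatch")
    user_data, pos, remaining = b"", 10, length - 5
    while remaining > 0:  # each block carries at most 16 data bytes plus a 2-byte CRC
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(crc) != 2 or struct.unpack("<H", crc)[0] != crc16_dnp(block):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
        remaining -= n
    return {
        "dir_from_master": bool(ctrl & 0x80),  # DIR bit: 1 = sent by the master
        "primary": bool(ctrl & 0x40),          # PRM bit: 1 = primary-to-secondary message
        "function": ctrl & 0x0F,               # link function code (9 = Request Link Status)
        "dest": dest, "src": src, "user_data": user_data,
    }

# Constructed sample: Request Link Status (CTRL 0xC9) from master address 1 to outstation 1024.
SAMPLE_FRAME = build_frame(0xC9, 1024, 1)
```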

Geoffrey Mattson

Aug 7, 2018, 6:23:14 PM
to Adam Crain, opendnp3
Adam,

Thanks for the great information.

Sorry, but I think my wording was poor.

I’m a newbie and want to do protocol analysis. I have my own protocol analysis engine based on BRO.
Can I redirect DNP3 streams between the simulated nodes so that I can feed them to my analysis engine?
Or is all the traffic kept internally in the simulator?


-Geoff
Geoffrey Mattson
President/CEO


Adam Crain

Aug 7, 2018, 6:31:04 PM
to opendnp3
Hi Geoff,

The library won't allow you to redirect or copy the raw socket traffic.

I haven't worked with IDS like BRO much, but my understanding is that the typical use case is that you hook it up to a passive tap on your switch/router, and just passively monitor packets, no?

If you can help me understand why you think you need to get the packets from opendnp3 instead of directly from the network, perhaps I can suggest another option...

-Adam

Geoffrey Mattson

Aug 7, 2018, 7:41:43 PM
to Adam Crain, opendnp3
Hi Alan,

If the library sends packets over an actual network interface, that’s perfect. I can sniff the interface.

Is that what it does?

-Geoff

Adam Crain

Aug 7, 2018, 7:49:41 PM
to opendnp3
Yes. The master demo is configured to communicate over the loopback by default. Change "127.0.0.1" to the external IP of the machine running the outstation.


^ The "0.0.0.0" can also be changed if you want to explicitly specify a NIC to be used.

The outstation demo listens for connections on all adapters by default:


-Adam