Skip to content
GitLab
Closed
Created by Mike Mike@yyattt

IEC 60870-5-101 link address field is 1 byte, but should have configurable length of 0,1 or 2 bytes

Summary

(Summarize the bug encountered concisely) The iec60870-5-101 protocol has a configurable length link address field of 0,1 or 2 octets. In the dissector, it is fixed at 1-byte, meaning if you are analysing traffic with a link address that's 0 or 2 bytes long, the rest of the frame is decoded incorrectly.

Steps to reproduce

(How one can reproduce the issue - this is very important) Edit->Preferences->Protocols->IEC 60870-5-101 The lengths of the COT, CAA and IOA parameters can be set but the link address length cannot. The standard allows for a link address length of 0,1 or 2 octets.

If you try to monitor IEC 60870-5-101 traffic where the link address isn't 1 octet long, the dissector decodes the rest of the packet wrongly.

What is the current bug behavior?

(What actually happens) The beginning of the frame decodes correctly, but from the link address onwards, the wrong data is picked up.

What is the expected correct behavior?

(What you should see instead)

We should be able to set the length of the link address field to match the configuration of the devices being monitored. If the link address could be set to the correct length, I imagine the rest of the frame would be decoded correctly.

A good reference of the frame format is shown here: https://infosys.beckhoff.com/english.php?content=../content/1033/tcplclibiec870_5_101link/html/tcplclibiec870_5_101link_telegrammstructure.htm&id=28501

Sample capture file

(If possible attach a sample capture file showing this issue) I can't share a capture file for security reasons, but I will share a screenshot of an example frame. image

You can see the byte that is selected is identified as "typeid (1 byte)", but this byte is actually the 2nd byte of the link address. The type id is the next one - 0b

This issue would apply to both the fixed length and variable length frame formats.

Note that this 101 traffic is encapsulated in TCP by a serial to IP convertor, the 101 data starts at byte 54.

Relevant logs and/or screenshots

Screenshot of preferences, where I was hoping to see the option. The settings in the screenshot are matched to the settings on the device I'm monitoring, so you can use them when looking at the example frame. image

Build information

image

I hope this provides enough info and that it's an easy fix. Many thanks!

Edited by Gerald Combs
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information