How to monitor IEC 61850 traffic?
Most popular free tool for analyzing traffic is Wireshark. This tool “knows” IEC 61850 traffic and provides means for comprehensive analysis of data flow.
Let’s have a look at a practical example of Wireshark application so as to understand provided functionality.
Let’s assume that we have Ethernet network which besides an Ethernet switch includes 2 merging units and 2 protection IEDs. Each merging unit is set up to provide single IEC 61850-9-2LE stream (80 samples/cycle). One of the IEDs – for example ALSTOM IED – is set to send a GOOSE-message with destination MAC-address equal to 01:0c:cd:01:00:01 and goID equal to tkvlALSTGSE1. Second IED – let it be SEL – is set to generate 2 GOOSE-messages: one with destination MAC-address equal to 01:0c:cd:01:00:30 and goID equal to tkvlSELGSE2 and another with destination MAC-address equal to 01:0c:cd:01:00:01 and goID equal to tkvlSELGSE1. Let’s assume that our aim is to make sure that ALSTOM IED is sending GOOSE-message according to mentioned configuration.
Open Wireshark and choose the Ethernet network adapter of the computer (used to connect computer to Ethernet switch) in the main window of the application.
To start capturing data click on the appropriate interface. Having done this, you will see a window where all the traffic – incoming and outgoing – will be displayed in online mode. After some time stop capturing data to analyze it. To stop capturing process click on the menu, indicated in the picture below:
As it can be seen from the capture – there is only IEC 6180-9-2LE traffic. One can’t see GOOSE-messages. But actually there are there. This is because according to IEC 61850-9-2LE 4000 messages are sent every second (at 50 Hz with sampling frequency of 80 samples per cycle). At the same time during this one-second time interval in steady state less number of GOOSE-messages may be transmitted or they may not be transmitted at all. In our case as we have been capturing data for some time there must be GOOSE-messages if the configuration of the IEDs is correct. To check this we should apply display filter. For only GOOSE-messages to be displayed in “Filter” box specify “goose” and press Enter. You will get the following result:
Application excluded IEC 61850-9-2LE traffic from visualization. But if there are several IEDs sending GOOSE-messages it will be reasonable to filter the needed one so as to inspect it further without any inconveniences. For this one has to set a more elaborated filtering condition and this can be done using available logical and comparison operators.
Available logical operators are:
- and (&&) – and;
- or (||) – or;
- xor (^^) – excluding or;
- not (!) – not;
Available comparison operators are:
- eq (==) – equal;
- ne (!=) – not equal;
- gt (>) – greater than;
- lt (<) – less than;
- ge (>=) – greater or equal;
- le (<=) – less or equal;
We know MAC-addres of the GOOSE-message which is of the interest for us to be sent by ALSTOM according to the configuration description (01:0c:cd:01:00:01). For filtering by MAC addresses one should use primitives eth.src (filtering by source MAC address) and eth.dst (filtering by destination MAC address). Let’s modify the condition: (goose)&&(eth.dst==01:0c:cd:01:00:01).
Having applied new filtering condition we can see that application still displays GOOSE-messages sent by SEL. This is because two GOOSE-messages (one by ALSTOM and another by SEL) have identical MAC destination address. This is frequently met in practice when commissioning guys do not think over this setting (but should otherwise they may have problems using multicast filtering function on Ethernet switches to create function related multicast domains).
Let’s modify the filtering condition again so as to display only those messages sent by ALSTOM. We know “goID” parameter of GOOSE Control Block configured in ALSTOM (=tkvlALSTGSE1), so we modify the condition in the following way: (goose.goID==tkvlALSTGSE1)&&(eth.dst==01:0c:cd:01:00:01).
Now Wireshark displays only GOOSE-messages sent by ALSTOM IED and you can go on with analyzing them with other messages in the network not creating a mess. It is worth noting that for filtering you can use any other known parameter instead of “goID” (“gocbRef”, “dat set”, etc.).
What’s about another applications?