Taxonomy feed.
In a pcap from a digital substation attention usually goes to GOOSE, SV, MMS and PTP. But useful diagnostics often live lower — in the MAC addresses. The article explains what an OUI is and how MA-L, MA-M, MA-S and CID differ, how to guess a vendor from the first octets, why a shared Source MAC on two IEDs breaks MMS and triggers MAC flapping, and what a digital-substation engineer should check on a first pass over a pcap.
A practical reference for capture filters in Wireshark when working with IEC 61850 traffic. Why a display filter is not enough on a digital substation (especially of the process-bus generation), how a capture filter differs from a display filter, how the BPF (Berkeley Packet Filter) syntax is structured, and ready-to-use filter recipes for GOOSE and SV — from selecting by EtherType and OUI to APPID and multicast addresses.
A practical guide to three Wireshark features that dramatically speed up digital substation traffic analysis — display filters, frame marking, and custom IED names.
There are several applications that can be used for monitoring IEC 61850 traffic in the Ethernet network. But there is one free-of-charge option everyone should know about.
When configuring GOOSE and Sampled Values communications it is useful (and sometimes is a must) to have the possibility to check VLAN and Priority tags. Whether your network adapter driver strips tagging or not will define the availability of these parameters not only while using Wireshark, but also other specific tools for analysis of GOOSE and Sampled Values traffic (Omicron SVScout, Omicron IEDScout, GOOSE Inspector, etc.). Today we will see how to make Intel network adapters not to strip this important info.