Frame 1804: 137 bytes on wire (1096 bits), 137 bytes captured (1096 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Mar 19, 2019 01:54:25.948187000 UTC
    UTC Arrival Time: Mar 19, 2019 01:54:25.948187000 UTC
    Epoch Arrival Time: 1552960465.948187000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.000897000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 570.311421000 seconds]
    Frame Number: 1804
    Frame Length: 137 bytes (1096 bits)
    Capture Length: 137 bytes (1096 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:iec60870_104:iec60870_asdu]
Ethernet II, Src: Intel_57:2b:42 (64:32:a8:57:2b:42), Dst: Netgear_b6:93:f1 (20:e5:2a:b6:93:f1)
    Destination: Netgear_b6:93:f1 (20:e5:2a:b6:93:f1)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Intel_57:2b:42 (64:32:a8:57:2b:42)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
    [Stream index: 4]
Internet Protocol Version 4, Src: 10.0.90.215, Dst: 103.1.184.108
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 123
    Identification: 0x02ae (686)
    010. .... = Flags: 0x2, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    ...0 0000 0000 0000 = Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0xb9d6 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 10.0.90.215
    Destination Address: 103.1.184.108
    [Destination GeoIP: Sydney, AU, ASN 133159, Mammoth Media Pty Ltd]
        [Destination GeoIP City: Sydney]
        [Source or Destination GeoIP City: Sydney]
        [Destination GeoIP Country: Australia]
        [Source or Destination GeoIP Country: Australia]
        [Destination GeoIP ISO Two Letter Country Code: AU]
        [Source or Destination GeoIP ISO Two Letter Country Code: AU]
        [Destination GeoIP AS Number: 133159]
        [Source or Destination GeoIP AS Number: 133159]
        [Destination GeoIP AS Organization: Mammoth Media Pty Ltd]
        [Source or Destination GeoIP AS Organization: Mammoth Media Pty Ltd]
        [Destination GeoIP Latitude: -33.8071]
        [Source or Destination GeoIP Latitude: -33.8071]
        [Destination GeoIP Longitude: 151.1289]
        [Source or Destination GeoIP Longitude: 151.1289]
    [Stream index: 8]
Transmission Control Protocol, Src Port: 49205, Dst Port: 2404, Seq: 2901, Ack: 892, Len: 83
    Source Port: 49205
    Destination Port: 2404
    [Stream index: 49]
    [Stream Packet Number: 93]
    [Conversation completeness: Incomplete, DATA (15)]
        ..0. .... = RST: Absent
        ...0 .... = FIN: Absent
        .... 1... = Data: Present
        .... .1.. = ACK: Present
        .... ..1. = SYN-ACK: Present
        .... ...1 = SYN: Present
        [Completeness Flags: ··DASS]
    [TCP Segment Len: 83]
    Sequence Number: 2901 (relative sequence number)
    Sequence Number (raw): 346376333
    [Next Sequence Number: 2984 (relative sequence number)]
    Acknowledgment Number: 892 (relative ack number)
    Acknowledgment number (raw): 1150901465
    0101 .... = Header Length: 20 bytes (5)
    Flags: 0x018 (PSH, ACK)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Accurate ECN: Not set
        .... 0... .... = Congestion Window Reduced: Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...1 .... = Acknowledgment: Set
        .... .... 1... = Push: Set
        .... .... .0.. = Reset: Not set
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set
        [TCP Flags: ·······AP···]
    Window: 63349
    [Calculated window size: 63349]
    [Window size scaling factor: -2 (no window scaling used)]
    Checksum: 0x84af [unverified]
    [Checksum Status: Unverified]
    Urgent Pointer: 0
    [Timestamps]
        [Time since first frame in this TCP stream: 281.288774000 seconds]
        [Time since previous frame in this TCP stream: 0.000897000 seconds]
    [SEQ/ACK analysis]
        [This is an ACK to the segment in frame: 1803]
        [The RTT to ACK the segment was: 0.000897000 seconds]
        [iRTT: 0.391623000 seconds]
        [Bytes in flight: 83]
        [Bytes sent since last PSH flag: 83]
    TCP payload (83 bytes)
    [PDU Size: 99]
IEC 60870-5-104: <- I (13502,2340)
    Data: 1b84d5b05df4c493c530c2eb8ddab1d0acaf6e7ff8101823339ad80753a3aa62dbe3937d0d72af213648ad1b723c00a477901d
    START
    ApduLen: 46
    .... .... .... .... .... .... .... ...0 = Type: I (0x0)
    .... .... .... .... 0110 1001 0111 110. = Tx: 13502
    0001 0010 0100 100. .... .... .... .... = Rx: 2340
IEC 60870-5-101/104 ASDU: ASDU=36521 M_SP_TB_1 Reqco1_TEST IOA[117]=6861912,... 'single-point information with time tag CP56Time2a'
    TypeId: M_SP_TB_1 (30)
    0... .... = SQ: False
    .111 0101 = NumIx: 117
    ..10 0110 = CauseTx: Reqco1 (38)
    .0.. .... = Negative: False
    1... .... = Test: True
    OA: 221
    Addr: 36521
    IOA: 6861912
        IOA: 6861912
        SIQ: 0x97
            .... ...1 = SPI: On
            ...1 .... = BL: Blocked
            ..0. .... = SB: Not Substituted
            .0.. .... = NT: Topical
            1... .... = IV: Invalid
        CP56Time: Feb 27, 2016 11:05:56.112000000 UTC
            MS: 56112
            ..00 0101 = Min: 5
            .1.. .... = GEN: Substituted
            0... .... = IV: Valid
            ...0 1100 = Hour: 12
            1... .... = SU: DST
            ...1 1011 = Day: 27
            110. .... = DOW: 6
            .... 1110 = Month: 14
            .111 0011 = Year: 115
    IOA: 1995968
        IOA: 1995968
        SIQ: 0x01
            .... ...1 = SPI: On
            ...0 .... = BL: Not blocked
            ..0. .... = SB: Not Substituted
            .0.. .... = NT: Topical
            0... .... = IV: Valid
[BoundError Unreassembled Packet: IEC 60870-5-101/104 ASDU]
    [Expert Info (Note/Reassemble): Unreassembled fragment (change preferences to enable reassembly)]
        [Unreassembled fragment (change preferences to enable reassembly)]
        [Severity level: Note]
        [Group: Reassemble]