IEC 61850 9-2 Sampled Values, Wireshark, and the "Cloudy" effect
There are several commercial tools available to capture and monitor IEC 61850-9-2 Sampled Values (SV) traffic, and they provide great functionality and benefits. But if you run into a situation that requires SV packet inspection and no commercial tool is at hand, this article is for you! In the following lines, we demonstrate how to use Wireshark to understand SV communication in a digital substation environment.
What is Wireshark?
Wireshark is a powerful open-source network protocol analyzer: https://www.wireshark.org/
What is the IEC 61850-9-2 SV protocol?
IEC 61850-9-2 Sampled Values (SV) standardize the transmission of instantaneous power system data over an Ethernet communication channel using a publisher/subscriber mechanism. It is typically used by merging unit (MU) devices to transfer sampled current and voltage measurements over a switched Ethernet network. The picture below is one example of a publisher MU acquiring currents and voltages from the electric power system, digitizing the data into SV messages, and transmitting them to a subscriber protection relay over a switched network.
SV is a layer 2 protocol, which means it runs directly over the data link layer of the OSI model (there is no IP or TCP/UDP layer), and it has all the properties of an Ethernet frame, such as source and destination MAC addresses. The SV payload is defined in the IEC 61850-9-2 standard and is further constrained by the UCA International Users Group implementation guideline IEC 61850-9-2 LE ("Light Edition") to allow interoperability between vendors. The most recent SV profiles are defined in IEC 61869-9.
If you have any questions about SV, just leave a comment in the comment section.
Sampled Values packet inspection with Wireshark
1) Capturing SV bytes on the fly
Wireshark can access and record the traffic on the computer's network interface card (NIC), but if you want to verify the correct behavior of the SV system, the capture location is essential too. It is important to capture the traffic as close to the subscriber as possible, using a network tap or a mirror port on the same switch the subscriber is connected to; a capture taken elsewhere will not show the packet loss or delay that the subscriber actually experiences. The picture below displays a computer running Wireshark connected to a switch mirror port, listening to the traffic delivered to the subscriber protection relay.
2) Packet inspection - Decoding phase measurements on the wire
Once the packets have been captured, it is possible to visualize and inspect them packet by packet in Wireshark. The packets are displayed following the OSI layer structure; since SV is an Ethernet-based protocol, there are no IP or transport sections, only the Frame and Ethernet sections followed by the VLAN tag and the SV payload. The figure below displays the information of the first captured SV packet.
The Frame section has packet size information (120 bytes). The Ethernet section displays the source MAC (ca:fe:c0:ff:ee:69) and destination MAC (01:0c:cd:04:00:02) addresses, and the VLAN EtherType (0x8100). The destination is a multicast address from the range reserved for SV, which is how the subscriber selects the stream. The Wireshark dissector understands the 802.1Q VLAN tag, decodes the VLAN section (priority and VLAN ID), and finally reaches the EtherType of the payload, IEC 61850/SV (0x88ba). The payload section is dissected according to the IEC 61850-9-2 standard; a few important fields are the APPID, the sample counter smpCnt, and the time synchronization flag smpSynch (for more information about smpSynch, see the article linked below).
You can notice that seqData is not decoded, so the current and voltage measurements are not "easy" to read. But you can right-click the packet, open the SV protocol preferences, and force the decoding of seqData as PhsMeas (the IEC 61850-9-2 LE layout of eight 32-bit values, each followed by a 32-bit quality word).
Once seqData is decoded, it is possible to visualize the instantaneous power system measurements on the wire. A useful Wireshark feature is the capability to add fields as columns to the packet list and export the data as a CSV file (File -> Export Packet Dissections -> As CSV). Once the data is exported in CSV format, any data processing tool (MS Excel, Python, MATLAB, etc.) can be used to process and analyze it. The picture below was plotted from the "SV_Normal_Traffic.cap" file by the "plot_sv.py" Python code available at https://github.com/mgadelha/Sampled_Values.
From the picture above, it is possible to verify the raw phase A current, the smpCnt rollover without any discontinuity, and the MU smpSynch synchronization flag indicating synchronization to a global area clock (smpSynch = 2; 0 means not synchronized and 1 means synchronized to a local area clock only).
3) Verifying a packet loss situation
Wireshark standalone can also be used to visualize the data. The picture below was extracted from the "SV_packet_Loss.cap" file, available at https://github.com/mgadelha/Sampled_Values, using the Statistics -> I/O Graph functionality.
The data shown in the picture above represent the number of packets over time, filtered with the display filter eth.dst == 01:0c:cd:04:00:02 so that only the frames addressed to this SV stream are counted. From the picture it is possible to verify a momentary valley of almost 3 seconds, probably caused by a slow network reconfiguration process. The packet loss could be confirmed by looking at the subscriber protection relay communication log, which shows an accumulated downtime duration of 3.026 seconds and several SV STREAM LOST event records. A gap in the smpCnt sequence between consecutive frames is the other direct evidence of lost samples.
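The decoding described in step 2 and the loss check of step 3 can be done without Wireshark by parsing the frames directly. The following Python is an added example written for this article; it is not part of the original page nor of the mgadelha/Sampled_Values repository. It parses the Ethernet header, the 802.1Q tag, the SV header (APPID, Length) and the BER-encoded savPdu, decodes seqData with the IEC 61850-9-2 LE PhsMeas layout (eight INT32 values with 32-bit quality words; currents in 1 mA, voltages in 10 mV), and then walks a capture per publisher stream (destination MAC, APPID, svID) to count smpCnt gaps and frames that are not synchronized to a global clock. The frames it runs on are constructed in memory; the svID "MU01", the MAC addresses and the measurement values are made up for illustration. The 4000-sample rollover assumes 80 samples per cycle at 50 Hz; use 4800 for 60 Hz.

```python
"""Minimal IEC 61850-9-2 LE Sampled Values decoder with per-stream checks (added example)."""
import struct

SV_ETHERTYPE = 0x88BA
VLAN_TPID = 0x8100
# IEC 61850-9-2 LE PhsMeas layout: IA IB IC IN VA VB VC VN, each INT32 + 32-bit quality.
PHSMEAS_NAMES = ("IA", "IB", "IC", "IN", "VA", "VB", "VC", "VN")
PHSMEAS_SCALE = (0.001,) * 4 + (0.01,) * 4          # 1 mA per count, 10 mV per count
VALIDITY = {0: "good", 1: "invalid", 3: "questionable"}  # quality bits 0-1 (MSB first)
ASDU_TAGS = {0x80: "svID", 0x81: "datSet", 0x82: "smpCnt", 0x83: "confRev",
             0x84: "refrTm", 0x85: "smpSynch", 0x86: "smpRate", 0x87: "seqData"}


def ber_tlv(buf, pos):
    """Read one BER TLV at pos; returns (tag, value, next_pos). Handles 0x81/0x82 long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_phsmeas(data):
    """Decode a 9-2 LE seqData block (64 bytes) into scaled values with quality validity and test bit."""
    if len(data) != 64:
        raise ValueError("LE seqData must be 64 bytes, got %d" % len(data))
    meas = {}
    for i, name in enumerate(PHSMEAS_NAMES):
        raw, q = struct.unpack_from("!iI", data, i * 8)
        meas[name] = {"value": raw * PHSMEAS_SCALE[i],
                      "validity": VALIDITY.get(q >> 30, "reserved"),
                      "test": bool((q >> 18) & 1)}   # quality bit 13 = test
    return meas


def parse_asdu(asdu):
    out, p = {}, 0
    while p < len(asdu):
        tag, val, p = ber_tlv(asdu, p)
        name = ASDU_TAGS.get(tag)
        if name in ("svID", "datSet"):
            out[name] = val.decode("ascii")
        elif name in ("smpCnt", "confRev", "smpSynch", "smpRate"):
            out[name] = int.from_bytes(val, "big")
        elif name == "seqData":
            out["phsMeas"] = decode_phsmeas(val)
        elif name == "refrTm":
            out[name] = val.hex()
    return out


def parse_sv_frame(frame):
    """Parse one Ethernet frame (optional 802.1Q tag) carrying an SV APDU."""
    dst, src, pos, vlan = frame[0:6], frame[6:12], 12, None
    ethertype = struct.unpack_from("!H", frame, pos)[0]
    if ethertype == VLAN_TPID:
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        vlan, pos = {"pcp": tci >> 13, "vid": tci & 0x0FFF}, pos + 4
        ethertype = struct.unpack_from("!H", frame, pos)[0]
    pos += 2
    if ethertype != SV_ETHERTYPE:
        raise ValueError("not an SV frame: ethertype 0x%04x" % ethertype)
    appid, length = struct.unpack_from("!HH", frame, pos)   # Length counts from APPID to APDU end
    apdu = frame[pos + 8:pos + length]                      # skip APPID, Length, Reserved1, Reserved2
    tag, sav_pdu, _ = ber_tlv(apdu, 0)
    if tag != 0x60:
        raise ValueError("savPdu tag 0x60 expected, got 0x%02x" % tag)
    asdus, p = [], 0
    while p < len(sav_pdu):
        tag, val, p = ber_tlv(sav_pdu, p)
        if tag == 0xA2:                                     # seqASDU: SEQUENCE OF ASDU (0x30)
            q = 0
            while q < len(val):
                t, asdu, q = ber_tlv(val, q)
                if t == 0x30:
                    asdus.append(parse_asdu(asdu))
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan, "appid": appid, "asdus": asdus}


def check_streams(frames, rollover=4000):
    """Per stream (dst MAC, APPID, svID): samples seen, samples lost via smpCnt gaps, frames not on a global clock."""
    stats = {}
    for frame in frames:
        pkt = parse_sv_frame(frame)
        for asdu in pkt["asdus"]:
            key = (pkt["dst"], pkt["appid"], asdu["svID"])
            s = stats.setdefault(key, {"samples": 0, "lost": 0, "not_global": 0, "last": None})
            cnt = asdu["smpCnt"]
            if s["last"] is not None:
                s["lost"] += (cnt - (s["last"] + 1) % rollover) % rollover
            s["last"], s["samples"] = cnt, s["samples"] + 1
            if asdu.get("smpSynch", 0) != 2:                # 2 = global area clock
                s["not_global"] += 1
    return stats


def tlv(tag, value):
    return bytes([tag, len(value)]) + value                 # short-form lengths suffice here


def build_sv_frame(svid, smp_cnt, smp_synch, currents_a, voltages_v,
                   dst="01:0c:cd:04:00:02", src="ca:fe:c0:ff:ee:69", vid=1):
    """Construct a 9-2 LE SV frame (good quality, PCP 4); used only to make sample input."""
    seq_data = b"".join(struct.pack("!iI", int(round(v / s)), 0)
                        for v, s in zip(list(currents_a) + list(voltages_v), PHSMEAS_SCALE))
    asdu = tlv(0x30, tlv(0x80, svid.encode()) + tlv(0x82, struct.pack("!H", smp_cnt)) +
               tlv(0x83, struct.pack("!I", 1)) + tlv(0x85, bytes([smp_synch])) + tlv(0x87, seq_data))
    apdu = tlv(0x60, tlv(0x80, b"\x01") + tlv(0xA2, asdu))
    header = struct.pack("!HHHH", 0x4000, 8 + len(apdu), 0, 0)
    return (bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) +
            struct.pack("!HHH", VLAN_TPID, (4 << 13) | vid, SV_ETHERTYPE) + header + apdu)


def constructed_capture():
    """Constructed capture: smpCnt 3 and 4 are missing, and the last frame fell back to a local clock."""
    return [build_sv_frame("MU01", cnt, synch, (100.5, -50.0, -50.5, 0.0), (11547.0, -5773.5, -5773.5, 0.0))
            for cnt, synch in ((0, 2), (1, 2), (2, 2), (5, 2), (6, 2), (7, 1))]


if __name__ == "__main__":
    for key, s in check_streams(constructed_capture()).items():
        print(key, "samples=%d lost=%d not_global=%d" % (s["samples"], s["lost"], s["not_global"]))
```

Real captures are read frame by frame from the pcap (for example with the dpkt or scapy libraries) and fed to check_streams in capture order; keying on destination MAC, APPID and svID keeps frames from different merging units apart even when they share a VLAN. The lost-sample count uses the smpCnt rollover, so a 3999 -> 0 transition is not reported as a gap.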
Conclusion
Wireshark is a free tool that can be used to analyze traffic in a digital substation. However, a few remarks are in order:
- Timestamps taken with a regular computer NIC (stamped in software by the operating system) have a resolution and jitter of a few milliseconds, which can lead to misinterpretation when high time accuracy is necessary (i.e. when looking at the frame interval over time, which for a 4000 samples/s stream is 250 microseconds);
The "SV_Normal_Traffic_regular_NIC.cap" trace file was made using a regular NIC and has millisecond time accuracy, while "SV_Normal_Traffic.cap" was made with special NIC hardware (hardware timestamping) and has nanosecond time accuracy. Both files are available at https://github.com/mgadelha/Sampled_Values. If you are curious to observe the effect of the time accuracy in an SV network capture, I encourage you to plot and compare the frame intervals from the two files.
- The amount of SV data (4000 or 4800 frames per second per stream) can overwhelm the computer memory and make the analysis infeasible. Capture filters that select only the streams of interest, ring-buffer captures split into multiple files, and tshark for batch processing are Wireshark techniques that make large captures more manageable.
Wireshark is a great tool and, combined with the subscriber relay's communication log, can be used without any special requirements to make offline analyses and understand the behavior of the network.
Extra: The "cloudy" effect in a digital substation
If you made it this far: the "SV_Loss_Sync.cap" trace file was recorded during a cloudy and rainy day in a digital substation. The merging unit was publishing data to a subscriber feeder relay using SV. Your task as a Protection/Automation/Network Engineer is to answer the following questions.
- What happened to the time synchronization of the merging unit?
- How can the "cloudy" effect be avoided?
- For how long was the feeder protection compromised?
The file is available at https://github.com/mgadelha/Sampled_Values. Please, leave your answer in the comments section.
M.Tech (ESE), IISc Bangalore | B.Tech (EE), CoEP
1 year ago: Mauricio Silveira Sir, we are developing a packet sniffing utility for all IEC 61850 SCADA network traffic. In that we wanted to know how to get the SMV payload part without using Wireshark, and then decode it. For now we are able to capture traffic using libpcap and filter the GOOSE and SMV EtherTypes, and I wanted to know whether the traffic we get is from one merging unit and is safe to plot directly, or whether different merging units are mixed together. We know it follows the publisher/subscriber model. Also, is the payload part required to be decoded, and how, if not taken from Wireshark?
Engineering Manager
3 years ago: Hi Mauricio, the Sampled Values from devices supporting IEC 61850 Edition 2.1 carry their GrandMaster ID (synchronised clock ID) in the sampled value message. We can see the GrandMaster ID in the raw data in Wireshark, but I believe Wireshark still doesn't properly support decoding and displaying this info. Is there any plugin or workaround available for Wireshark to decode it as part of the Sampled Values message from devices supporting IEC 61850 Edition 2.1?
Technical Director at TEKVEL | IEC 61850 Expert | Digital Substations
4 years ago: Cool. I am thinking about parsing the pcap file with the scapy lib.
Electrical Engineer
4 years ago: Nice article, thanks!