RTES Communication - Overview of the DNP3 protocol
This section gives our RTES users a basic understanding of the DNP3 protocol:
- to facilitate its implementation with RTES used as a master or remote
- to interpret the data stream on the protocol analyzer and troubleshoot simple communication problems.
This section is not an official DNP3 document and must not be used for any other purpose than stated above.
Message structure
A DNP3 message consists of a byte (octet) stream divided in 3 sections:
- Message Header : 8 bytes + 2 crc bytes
- Transport Header : 1 byte
- Application Header : 2 bytes (if from Primary) / 4 bytes (if from Remote)
- Objects : When applicable. Up to the maximum number of bytes allowed
Transport Header, Application Header and Objects are divided into 16-byte segments. Each segment is followed by a 2-byte CRC calculated on the preceding 16 bytes.
Message Header
| Byte | Name | Description |
|------|------|-------------|
| 1 | Start 1 | Sync character: 0x05 |
| 2 | Start 2 | Sync character: 0x64 |
| 3 | Size | Number of bytes to follow, excluding the CRCs |
| 4 | Control Byte | Bit fields listed below the table |
| 5-6 | Destination | Two-byte address of the destination, LSB-MSB |
| 7-8 | Source | Two-byte address of the originator, LSB-MSB |
| 9-10 | CRC | 16-bit cyclic redundancy check, LSB-MSB |

Control Byte (byte 4) bit fields:
- Bit 7 : DIR - Direction
- Bit 6 : PRM - Primary
  - Always set to 1, except for Data Link Function Codes ACK, NACK and LINK STATUS REPLY.
- Bit 5 : FCB - Frame control bit
  - Master station alternates 1/0 at each message to the same remote.
  - Remote expects consecutive messages from same master to have different FCB's.
  - When a master sends a 'Reset Link' to a remote, the next message has FCB=1.
  - A remote always sets this bit to 0.
- Bit 4 : FCV - Frame control valid
  - Set by Master to 1 if FCB is valid
  - A remote sets this bit to 1 if its receive buffer is full
- Bit 3-0 : FC - Link Function Code
  - The interpretation of these 4 bits depends on the status of PRM and FCV
  - List of valid Control Bytes from a master:
    - 0x80 / 0x90 ACK
    - 0x81 NACK
    - 0x8B / 0x9B Link Status Reply
    - 0xC0 / 0xE0 Link Reset
    - 0xC1 / 0xE1 Reset User Process
    - 0xD2 / 0xF2 Test Link
    - 0xD3 / 0xF3 Confirmed Data
    - 0xC4 / 0xE4 Unconfirmed Data
    - 0xC9 / 0xE9 Link Status Request
  - List of valid Control Bytes from a remote:
    - 0x00 / 0x10 ACK
    - 0x01 NACK
    - 0x0B / 0x1B Link Status Reply
    - 0x40 / 0x60 Link Reset
    - 0x41 / 0x61 Reset User Process
    - 0x52 / 0x62 Test Link
    - 0x53 / 0x73 Confirmed Data
    - 0x44 / 0x64 Unconfirmed Data
    - 0x49 / 0x69 Link Status Request
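The following Python sketch is an added example, not part of the RTES driver or the original page. It validates the message header and the per-segment CRCs described above and returns the CRC-stripped payload. The CRC parameters (polynomial 0x3D65, zero initial value, inverted result) come from the DNP3 standard rather than from this page; the function names, the addresses 1 and 1024 and the sample payload are constructed for illustration.

```python
import struct

def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (bit-reversed 0xA6BC), init 0, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return ~crc & 0xFFFF

def with_crc(block: bytes) -> bytes:
    """Append the CRC LSB first, as it appears on the wire."""
    return block + struct.pack("<H", dnp3_crc(block))

def build_frame(ctrl: int, dest: int, src: int, body: bytes) -> bytes:
    """Helper used only to construct the sample frame below."""
    out = with_crc(struct.pack("<BBBBHH", 0x05, 0x64, 5 + len(body), ctrl, dest, src))
    for i in range(0, len(body), 16):
        out += with_crc(body[i:i + 16])
    return out

def parse_frame(frame: bytes) -> dict:
    """Check sync, size and every CRC; return header fields and CRC-stripped body."""
    if frame[:2] != b"\x05\x64" or with_crc(frame[:8]) != frame[:10]:
        raise ValueError("bad sync bytes or header CRC")
    size, ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    if size < 5:
        raise ValueError("size must cover control, destination and source")
    body, pos, left = b"", 10, size - 5
    while left:
        n = min(16, left)
        # A slice shorter than expected never equals block+CRC, so truncation fails here.
        if with_crc(frame[pos:pos + n]) != frame[pos:pos + n + 2]:
            raise ValueError(f"segment at offset {pos} truncated or CRC mismatch")
        body, pos, left = body + frame[pos:pos + n], pos + n + 2, left - n
    return {"dir": ctrl >> 7, "prm": ctrl >> 6 & 1, "fcb": ctrl >> 5 & 1,
            "fcv": ctrl >> 4 & 1, "fc": ctrl & 0x0F, "dest": dest, "src": src,
            "body": body, "length": pos}

# Constructed sample: master 1024 sends Unconfirmed Data (0xC4) to remote 1.
# The 21-byte payload spans two segments (16 + 5 bytes), each with its own CRC.
SAMPLE_BODY = bytes.fromhex("c0c101" "010206 0a0206 140206 1e0206 1e0406 150206")
SAMPLE = build_frame(0xC4, dest=1, src=1024, body=SAMPLE_BODY)
```

A frame that fails any of these checks should be logged and dropped before the payload is handed to the transport and application parsers.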
Transport Header (TH)
Bit 7 - FIN - This bit is set when the frame is the last one of a complete message
Bit 6 - FIR - This bit is set when the frame is the first one of a new message
Bit 5-0 - Sequence - This 6 bit number is incremented at every frame. It may start at any number and rolls over at 63.
Application Header
AC - Application control byte.
- Bit 7 - FIR - Set to 1 in the first fragment of a complete application message
- Bit 6 - FIN - Set to 1 in the last fragment of a complete application message
- Bit 5 - CON - Set to 1 if sender expects a confirmation for this fragment
- Bit 4-0 - SEQ - Fragment number within the message.
- Fragment numbers 0-15 are used by a master station and the responding remote.
- Fragment numbers 16-31 are used by a remote when sending an unsolicited response
FC - Function code.
The following function codes are supported by the RTES DNP3 driver
- 0x00 Confirm
- 0x01 Read
- 0x02 Write
- 0x03 Select
- 0x04 Operate
- 0x05 Direct operate
- 0x06 Direct operate no ACK
- 0x14 Enable unsolicited responses
- 0x15 Disable unsolicited responses
- 0x81 Response
- 0x82 Unsolicited response
Messages originating from a remote include a 2-byte IIN (Internal Indicators)
IIN - LSB
- Bit 7 : Device restart
- Bit 6 : Device trouble
- Bit 5 : Output in "local"
- Bit 4 : Time Sync. required
- Bit 3 : Class 3 data available
- Bit 2 : Class 2 data available
- Bit 1 : Class 1 data available
- Bit 0 : All Stations
IIN - MSB
- Bit 7 : Reserved
- Bit 6 : Reserved
- Bit 5 : Corrupt configuration
- Bit 4 : Operation in progress
- Bit 3 : Buffer full
- Bit 2 : Parameter not valid
- Bit 1 : Object unknown
- Bit 0 : Function code not implemented
Objects
Each object definition consists of an object header, address/range and optional data.
The object header consists of
- Object group (1 byte)
- Variation (1 byte)
- Qualifier (1 byte)
- Range (length depends on the preceding Qualifier)
The [group, variation] define the variables being exchanged. RTES supports the following variables
- 01,01 ;BINARY INPUT BIT STRING
- 01,02 ;BINARY INPUT WITH STATUS
- 02,01 ;BINARY INPUT CHANGE WITHOUT TIME
- 02,02 ;BINARY INPUT CHANGE WITH TIME
- 02,03 ;BINARY INPUT CHANGE WITH REL. TIME
- 10,01 ;BINARY OUT BIT STRING
- 10,02 ;BINARY OUTPUT WITH STATUS
- 12,01 ;BINARY OUTPUT CONTROL BLOCK
- 12,02 ;BINARY OUTPUT CONTROL BLOCK
- 12,03 ;BINARY OUTPUT CONTROL BLOCK
- 20,02 ;16 BIT COUNTER WITH FLAG
- 20,04 ;16 BIT DELTA COUNTER
- 20,06 ;16 BIT COUNTER NO FLAG
- 20,08 ;16 BIT DELTA COUNTER NO FLAG
- 21,02 ;16 BIT FROZEN COUNTER
- 21,04 ;16 BIT FROZEN DELTA COUNTER
- 21,06 ;16 BIT FROZEN COUNTER WITH TIME
- 21,08 ;16 BIT FROZEN DELTA COUNTER WITH TIME
- 21,10 ;16 BIT FROZEN COUNTER NO FLAG
- 21,12 ;16 BIT FROZEN DELTA COUNTER NO FLAG
- 22,02 ;16 BIT COUNTER CHANGE NO TIME
- 22,04 ;16 BIT DELTA COUNTER CHANGE NO TIME
- 22,06 ;16 BIT COUNTER CHANGE WITH TIME
- 22,08 ;16 BIT DELTA COUNTER CHANGE WITH TIME
- 23,02 ;16 BIT FROZEN COUNTER EVENT NO TIME
- 23,04 ;16 BIT FROZEN DELTA COUNTER EVENT NO TIME
- 23,06 ;16 BIT FROZEN COUNTER EVENT WITH TIME
- 23,08 ;16 BIT FROZEN DELTA COUNTER EVENT WITH TIME
- 30,02 ;16 BIT ANALOG INPUT WITH A FLAG BYTE
- 30,04 ;16 BIT ANALOG INPUT
- 31,02 ;16 BIT FROZEN ANALOG INPUT W FLAG
- 31,04 ;16 BIT FROZEN ANALOG INPUT W TIME
- 31,06 ;16 BIT FROZEN ANALOG INPUT
- 32,02 ;16 BIT ANALOG CHANGE EVENT NO TIME
- 32,04 ;16 BIT ANALOG CHANGE EVENT WITH TIME
- 33,02 ;16 BIT FROZEN ANALOG EVENT NO TIME
- 33,04 ;16 BIT FROZEN ANALOG EVENT WITH TIME
- 80,01 ;IIN (16 bits)
The Qualifier defines how the range of the variable(s) is specified.
Qualifiers supported by RTES - DNP3 are:
- 0 - Range field contains 1-byte start and 1-byte stop indices
- 1 - Range field contains 2-byte start and 2-byte stop indices
- 2 - Range field contains 4-byte start and 4-byte stop indices
- 3 - Range field contains 1-byte start and 1-byte stop virtual addresses
- 4 - Range field contains 2-byte start and 2-byte stop virtual addresses
- 5 - Range field contains 4-byte start and 4-byte stop virtual addresses
- 6 - No range field. Implies all objects
- 7 - Range is 1-byte quantity - assumes first index is 0
- 8 - Range is 2-byte quantity - assumes first index is 0
- 9 - Range is 4-byte quantity - assumes first index is 0
- 0x17 - Range is a 1-byte quantity. Each object is prefixed with a 1-byte index
- 0x27 - Range is a 2-byte quantity. Each object is prefixed with a 2-byte index
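The Python sketch below is an added example, not RTES code. It decodes the transport byte, the application header and the IIN bits using the layouts on this page, and walks the object headers of a Read request with a bounds check on every range field. It assumes that range values are little-endian like the other DNP3 fields, that the IIN LSB byte is sent first, and that a Read request carries object headers (plus index prefixes for qualifiers 0x17 and 0x27) but no object data. All names and sample bytes are constructed.

```python
# qualifier -> (range field width, number of range fields, per-object index width)
QUALIFIERS = {0: (1, 2, 0), 1: (2, 2, 0), 2: (4, 2, 0), 3: (1, 2, 0), 4: (2, 2, 0),
              5: (4, 2, 0), 6: (0, 0, 0), 7: (1, 1, 0), 8: (2, 1, 0), 9: (4, 1, 0),
              0x17: (1, 1, 1), 0x27: (2, 1, 2)}
IIN_BITS = ["All Stations", "Class 1 data available", "Class 2 data available",
            "Class 3 data available", "Time Sync. required", 'Output in "local"',
            "Device trouble", "Device restart", "Function code not implemented", "Object unknown",
            "Parameter not valid", "Buffer full", "Operation in progress", "Corrupt configuration", "Reserved", "Reserved"]

def read_headers(body: bytes, pos: int) -> list:
    """Walk the object headers of a Read request (headers only, no object data)."""
    headers = []
    while pos < len(body):
        if len(body) - pos < 3 or body[pos + 2] not in QUALIFIERS:
            raise ValueError("truncated object header or unsupported qualifier")
        group, var, qual = body[pos:pos + 3]
        width, count, prefix = QUALIFIERS[qual]
        pos += 3
        rng = [int.from_bytes(body[pos + k * width:pos + (k + 1) * width], "little")
               for k in range(count)]
        # Qualifiers 0x17/0x27: the quantity is followed by that many index prefixes.
        pos += width * count + (rng[0] * prefix if prefix else 0)
        if pos > len(body):
            raise ValueError("range or index list runs past end of fragment")
        if count == 2 and rng[0] > rng[1]:
            raise ValueError("start index greater than stop index")
        headers.append((group, var, qual, rng))
    return headers

def parse_fragment(body: bytes) -> dict:
    """Decode transport byte, application header, IIN and Read object headers."""
    if len(body) < 3:
        raise ValueError("need transport header, AC and FC bytes")
    th, ac, fc = body[:3]
    out = {"th": {"fin": th >> 7, "fir": th >> 6 & 1, "seq": th & 0x3F},
           "ac": {"fir": ac >> 7, "fin": ac >> 6 & 1, "con": ac >> 5 & 1, "seq": ac & 0x1F},
           "fc": fc, "iin": [], "objects": []}
    if fc in (0x81, 0x82):  # Response / Unsolicited response carry the 2-byte IIN
        if len(body) < 5:
            raise ValueError("response shorter than its IIN field")
        iin = int.from_bytes(body[3:5], "little")  # assumed order: IIN LSB byte first
        out["iin"] = [name for bit, name in enumerate(IIN_BITS) if iin >> bit & 1]
    elif fc == 0x01:
        out["objects"] = read_headers(body, 3)
    return out
# Constructed samples: a valid Read, a Read whose quantity overruns, a response.
READ_REQ = bytes.fromhex("c0c101 010206 1e04000509 0a0217020307")
OVERSIZED = bytes.fromhex("c0c101 0a0217ff0307")
RESPONSE = bytes.fromhex("c0c081 8201")
```

`parse_fragment(OVERSIZED)` raises `ValueError` because the quantity byte 0xFF claims 255 index prefixes while only two bytes remain in the fragment.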