GooseStalker

Purpose

GooseStalker is a project to analyze and interact with Ethernet types associated with IEC 61850. Currently, the project is based on the Goose network packet parsing from the Keith Gray Power Engineering Goose Repo. These modules and scripts will parse network traffic to understand the IEC 61850 communications and to interact with devices communicating with these protocols.

Modules and Scripts

• Goose
  • goose.py - Scapy layers to analyze packets (see TODO)
  • goose_pdu.py - ASN1 layers to analyze Goose data
• Scripts
  • goose_parser.py - script to display the Scapy layers and parsed Goose data. Outputs text version of Goose layers and data.
• PCAPS
  • GOOSE_wireshark.pcap - Wireshark's PCAP file for testing. This does not contain messages with VLAN layers (see TODO list).
  • ITI IEC61850 Goose PCAPS
• DOCS - Research into IEC61850 that outlines usage and packet format
  • 6921_IEC61850Network_MS_20190712_Web.pdf
  • B5_PS1_117_DE_Jenkins_2017.pdf
  • TR-61850.pdf
  • elsarticle-template.pdf
  • energies-12-02536.pdf
  • sensors-21-01554-v2.pdf
  • IEC61850 - The Digital Power System
  • Utilization of IEC 61850 GOOSE messaging in protection applications in distribution network
  • A Practical Guide of Troubleshooting IEC 61850 GOOSE Communication
  • Relion® Protection and Control IEC 61850 615 series Engineering Guide
  • GE Grid: IEC 61850 Communication Networks and Systems In Substations: An Overview for Users
• LICENSE - maintained the Keith's original MIT license for this work
• Pipfile - required Python modules. Probably contains a few more than necessary to allow for additional development. See requirements below.

Requirements and Installation

• Pipenv - Pipfile should contain all required packages, to include a few nice-to-haves.
  • Scapy - comes with its own set of required packages
  • PyASN1 - Python ASN1 module
  • iPython
  • cryptography - may or may not need this
• Wireshark - you'll want a second source to analyze PCAPs
  • Herb Falk’s Skunkwork Network Analyzer - a bit dated, but helps to analyze Goose / MMS / IEC61850 packets.
  • Tshark - because command line packet analysis is always more fun.
• Admin Privileges - you'll need administrative privileges to capture and resend data on your system's network interface.

TODO

• Convert parser into module for other scripts
• Script to provide packet statistics
• Script to identify endpoints
• Script to identify control packets
• Replay script
• Spoofing script