MMS (Manufacturing Message Specification) is the client/server protocol used by IEC 61850 for SCADA communication, reporting, control commands, and engineering access. It runs over TCP port 102.
When an IED stops reporting to SCADA, when a control command fails, or when an MMS association does not establish — Wireshark is the first tool you reach for.
But decoding IEC 61850 MMS in Wireshark is not as simple as capturing on port 502 for Modbus. MMS sits on top of several protocol layers (TCP → TPKT → COTP → Session → Presentation → MMS). If Wireshark misses the initial association request, it cannot decode the presentation layer — and you see “Dissector is not available” instead of readable MMS data.
This guide covers everything: how to capture MMS traffic correctly, how to fix the dissector problem, the most useful display filters, how to decode common MMS operations (read, write, report, control), and how to troubleshoot real IEC 61850 communication problems using Wireshark.
In This Guide
1. IEC 61850 MMS Protocol Stack in Wireshark
MMS does not sit directly on TCP. It uses the full OSI stack:
| Layer | Protocol | What Wireshark Shows |
|---|---|---|
| 7 — Application | MMS | MMS PDU: Read, Write, InformationReport, etc. |
| 6 — Presentation | ISO 8823 (PRES) | Presentation context, ASN.1 encoding |
| 5 — Session | ISO 8327 (SES) | Session connection, data transfer |
| 4 — Transport | COTP (ISO 8073) | Connection-oriented transport over TCP |
| 4 — Transport | TPKT (RFC 1006) | Maps COTP onto TCP — adds a 4-byte header |
| 4 — Transport | TCP | Port 102 |
| 3 — Network | IP | IP addresses |
| 2 — Data Link | Ethernet | MAC addresses |
This layered stack is why MMS decoding can fail — Wireshark must see the full association setup (Presentation layer negotiation) to decode subsequent MMS messages.
2. How to Capture MMS Traffic
Capture Filter (Before Capture Starts)
Use this to capture only MMS traffic and reduce file size:
tcp port 102Start Wireshark Before the IED Connects
This is critical. Wireshark must capture the MMS Initiate-Request and Initiate-Response (the association setup). If you start Wireshark after the MMS connection is already established, the presentation context is unknown and MMS decoding fails.
Best practice: Start Wireshark first, then start (or restart) the SCADA client or IED communication.
If you cannot restart communication, see Section 3 for the manual fix.
Where to Capture
| Location | How |
|---|---|
| On the SCADA server | Run Wireshark on the SCADA PC itself |
| On a network switch | Configure port mirroring (SPAN) and connect a laptop to the mirror port |
| On the IED (if supported) | Some IEDs have built-in packet capture — export as .pcap |
| On a network TAP | Insert a passive TAP between the switch and the IED |
3. Fixing “Dissector Is Not Available” for MMS
The Problem
You see TCP traffic on port 102, but the MMS payload shows “Dissector is not available” or decodes only as raw ASN.1 data without MMS field names.
Why It Happens
Wireshark decodes MMS based on the Presentation Context negotiated during the MMS association (Initiate-Request). If Wireshark missed the association (because capture started after the connection was already up), it does not know which presentation context maps to MMS.
The Fix: Manual Presentation Context Configuration
- Go to Edit → Preferences → Protocols → PRES
- Click Users Context List
- Add a new entry:
| Field | Value |
|---|---|
| Context Id | 3 |
| Syntax Name OID | 1.0.9506.2.1 |
- Click OK and apply.
This tells Wireshark: “Presentation Context 3 uses the MMS syntax.” Now all MMS messages will decode correctly, even without the initial association.
💡 Tip: The Context Id may differ per implementation. If context 3 does not work, open a packet, expand the ISO 8823 PRES layer, and check the “Context-list” field in the association to find the correct context ID and OID.
Alternative Fix: Decode As
- Right-click on a packet that shows undecoded data on port 102
- Select Decode As…
- Set: Field = TCP Port, Value = 102, Current = TPKT
- Click OK
This forces Wireshark to decode the TCP payload as TPKT → COTP → Session → Presentation → MMS.
4. Essential Display Filters for MMS
All filter field names below use the _element suffix verified against the official Wireshark MMS Display Filter Reference. The _element filters match the presence of a specific PDU or service in a packet.
PDU Type Filters
| Filter | What It Shows |
|---|---|
mms | All MMS traffic |
tcp.port == 102 | All traffic on MMS port |
mms.confirmed_RequestPDU_element | Confirmed requests (client → server) |
mms.confirmed_ResponsePDU_element | Confirmed responses (server → client) |
mms.confirmed_ErrorPDU_element | Error responses (server rejects a request) |
mms.initiate_RequestPDU_element | Association setup request |
mms.initiate_ResponsePDU_element | Association setup response |
mms.initiate_ErrorPDU_element | Association rejected |
mms.conclude_RequestPDU_element | Association close request |
mms.conclude_ResponsePDU_element | Association close response |
Service Filters
| Filter | What It Shows |
|---|---|
mms.informationReport_element | Information reports (IEC 61850 reports) |
mms.read_Request | MMS read requests (Wireshark 3.6+) |
mms.read_Response | MMS read responses (Wireshark 3.6+) |
mms.write_Request | MMS write requests (Wireshark 3.6+) |
mms.write_Response | MMS write responses (Wireshark 3.6+) |
mms.getNameList_element | GetNameList (directory browse) |
mms.getVariableAccessAttributes_element | GetVariableAccessAttributes (data model discovery) |
mms.getNamedVariableListAttributes_element | GetNamedVariableListAttributes (read dataset definition) |
mms.Data | MMS data values in requests and responses |
Data Reference Filters
| Filter | What It Shows |
|---|---|
mms.domainId | Logical Device name |
mms.invokeID | Invoke ID — match request to response |
Combination Examples
Reports from a specific IED:
mms.informationReport_element && ip.src == 192.168.1.100Error responses to a specific IED:
mms.confirmed_ErrorPDU_element && ip.dst == 192.168.1.100Only association setup packets:
mms.initiate_RequestPDU_element || mms.initiate_ResponsePDU_elementSlow MMS responses (> 2 second gap):
mms && frame.time_delta > 2💡 Tip: Click on any field in Wireshark’s packet detail pane — the status bar at the bottom shows the exact filter field name. Use Analyze → Display Filter Expression and search “mms” to browse all available fields.
5. Decoding an MMS Association (Connection Setup)
The MMS association is the first exchange after the TCP handshake. It establishes the application-level connection between the MMS client (SCADA) and the MMS server (IED).
What You See in Wireshark
| Packet | Direction | Protocol | Info |
|---|---|---|---|
| 1 | Client → Server | TCP | SYN |
| 2 | Server → Client | TCP | SYN-ACK |
| 3 | Client → Server | TCP | ACK |
| 4 | Client → Server | MMS | Initiate-Request |
| 5 | Server → Client | MMS | Initiate-Response |
What to Check in the Initiate-Request
Expand the MMS layer to see:
- Proposed Max Serv Outstanding Calling — how many simultaneous requests the client can send
- Proposed Max Serv Outstanding Called — how many the server can handle
- Proposed Max PDU Size — maximum MMS message size
- Service Supported Calling — which MMS services the client supports (read, write, report, control, etc.)
What to Check in the Initiate-Response
- Negotiated values — the server may reduce the proposed values
- If the server rejects the association, you will see an Initiate-ErrorPDU instead of a response
6. Decoding MMS Read Requests and Responses
MMS Read is used by SCADA to poll data from IEDs. In IEC 61850 terms, this is a GetDataValues service.
Read Request
Filter: mms.read_Request
- Example:
IED1PROT/MMXU1$MX$TotW$mag$f= read total active power from MMXU1
Read Response
Filter: mms.read_Response
- listOfAccessResult → contains the returned data values
- Each value shows the data type (boolean, integer, float, etc.) and the actual value
What to Look For
- If the response contains a data-access-error, the requested object does not exist on the IED. Check the object reference against the IED’s SCL file.
- If the response is empty or missing, the IED may have rejected the request. Check for
mms.confirmed_ErrorPDU_element.
7. Decoding MMS Write Requests
MMS Write is used for SetDataValues — writing setpoints and configuration parameters.
Filter: mms.write_Request
The packet shows:
- The target object reference (e.g.,
IED1PROT/PTOC1$SP$StrVal$setMag$f) - The value being written
- The data type
The response contains either success or a data-access-error with the failure reason.
8. Decoding MMS Reports (BRCB and URCB)
Reports are the primary way IEDs send data to SCADA in IEC 61850. They are unconfirmed MMS messages (InformationReport).
Filter: mms.informationReport_element
What You See
Each report packet contains:
- RptID — Report ID identifying which report control block sent it
- OptFlds — which optional fields are included (sequence number, timestamp, reason, dataset reference, etc.)
- SqNum — sequence number (increments with each report)
- TimeOfEntry — when the report was generated
- DataSet — reference to the dataset being reported
- Inclusion bit string — which data objects in the dataset have changed
- Data values — the actual changed values
What to Look For
- Missing reports: Compare SqNum values. If numbers are skipped, reports were lost.
- No reports at all: The report control block may not be enabled. Check if SCADA sent a write to enable the RCB.
- Stale data: Check TimeOfEntry. If timestamps are old, the IED may not be generating events.
9. Decoding MMS Control Commands (SBO, Direct, Enhanced)
Control commands (open/close breaker, raise/lower tap changer) appear as MMS Write requests targeting control objects.
Direct Control
One write request to the Oper (operate) data attribute:
mms.write_Request → IED1PROT/CSWI1$CO$Pos$OperSelect-Before-Operate (SBO)
Two-step sequence:
- Select: MMS Read of
IED1PROT/CSWI1$CO$Pos$SBOw - Operate: MMS Write to
IED1PROT/CSWI1$CO$Pos$Oper
SBO with Enhanced Security (SBOwES)
Three-step sequence:
- Select: Write to SBOw
- Operate: Write to Oper
- CommandTermination: Unconfirmed report confirming execution
Common Control Errors
| Error in Wireshark | IEC 61850 Meaning | Cause |
|---|---|---|
| “object-access-denied” | Access denied | No permission to control this object |
| “object-non-existent” | Wrong object reference | Check the LN and DO name |
| “temporarily-unavailable” | IED not ready | IED in test mode or local mode (Mod ≠ on) |
| “type-inconsistent” | Wrong data type in command | Check the ctlModel matches the command type |
The “Not Selected” error means you sent an Operate without first sending a Select — the IED uses SBO control model but the client tried Direct control.
10. Decoding MMS File Operations
MMS supports file transfer for disturbance recordings (COMTRADE files), logs, and IED configuration.
Filter: mms and then look for file-related services in the packet detail pane (fileOpen, fileRead, fileDirectory).
You will see file names, directory listings, and file data in Wireshark. This is useful for verifying that disturbance recorders are accessible from SCADA.
11. Identifying MMS Errors in Wireshark
Filter: mms.confirmed_ErrorPDU_element
MMS errors contain:
- Error class — vmd-state, application-reference, definition, resource, service, access, etc.
- Error code — specific error within the class
| Error Class | Common Code | Meaning |
|---|---|---|
| access | object-non-existent | Requested object not found on IED |
| access | object-access-denied | No permission |
| access | object-access-unsupported | IED does not support this service for this object |
| service | other | General service failure |
| vmd-state | other | IED in wrong state (e.g., local mode) |
12. The IEC 61850 Dissector Plugin
Wireshark’s built-in MMS dissector decodes the MMS layer but does not understand IEC 61850 semantics. It shows MMS-level operations (Read, Write, InformationReport) but not IEC 61850 concepts (GetDataValues, Reports, Control).
An open-source IEC 61850 dissector plugin adds this context:
- Source: github.com/robidev/iec61850-dissector
- Adds an IEC 61850 layer below MMS in the protocol tree
- Decodes reports, command terminations, and AddCause fields
- Replaces generic MMS Info column with IEC 61850 service names
- Available as .dll (Windows) or .so (Linux)
Installation
- Download the plugin for your Wireshark version from the GitHub releases page
- Copy the file to Wireshark’s plugin folder (Help → About → Folders → Personal Plugins)
- Restart Wireshark
After installation, MMS packets that are IEC 61850 will show an additional “IEC 61850” protocol layer with decoded fields.
13. Useful Wireshark Columns for MMS Analysis
Add these custom columns for faster analysis:
| Column Title | Field Name | Purpose |
|---|---|---|
| MMS PDU Type | mms.confirmed_RequestPDU_element or mms.confirmed_ResponsePDU_element | Shows request vs response |
| Domain ID | mms.domainId | Shows the Logical Device name |
| Source IP | ip.src | IED or SCADA address |
| Dest IP | ip.dst | Target address |
| Delta Time | frame.time_delta_displayed | Time between displayed packets — spot slow responses |
| TCP Stream | tcp.stream | Group packets by connection |
To add: Right-click on a column header → Column Preferences → Add new column → set the field name.
14. Common MMS Problems You Can Diagnose with Wireshark
| Problem | What You See in Wireshark | Solution |
|---|---|---|
| MMS association fails | Initiate-Request sent but no Initiate-Response (or TCP RST) | Check port 102 is open on IED. Verify IP and subnet. |
| “Dissector not available” | Traffic on port 102 but MMS not decoded | Configure PRES context manually (see Section 3) |
| SCADA shows no data | No MMS InformationReport packets from IED | RCB not enabled. Check for write to RCB enable attribute. |
| Reports stop after a while | Reports present initially, then SqNum jumps or stops | Buffer overflow on IED. Check BufferTime and EntryID. |
| Control command rejected | serviceError with “Not Selected” or “access-denied” | Wrong ctlModel (SBO vs Direct). Check IED mode (Mod). |
| Slow response | Large frame.time_delta between request and response | IED overloaded, network congestion, or too many associations. |
| Connection drops | TCP RST after idle period | IED closes idle connections. Enable keep-alive or reduce idle time. |
| Wrong data values | Read response shows unexpected values | Verify the correct FC (functional constraint) is used in the object reference. |
15. Tips for Efficient MMS Capture in Substations
- Start Wireshark before starting SCADA to capture the full association setup.
- Use capture filters (
tcp port 102) to keep file sizes manageable. - Capture on the SCADA server for the best view of all IED connections.
- Use port mirroring on the station bus switch to capture without disrupting traffic.
- Save captures with date/time in the filename for future reference during commissioning.
- Create a Wireshark profile for IEC 61850 with custom columns, display filters, and coloring rules.
- Keep a reference SCD file open alongside Wireshark to verify object references.
- Compare SqNum across reports to detect lost messages.
- Use Statistics → Conversations to see all MMS connections and their traffic volume.
Summary
Wireshark is the most powerful tool for diagnosing IEC 61850 MMS communication. It shows everything — association setup, data reads, reports, control commands, errors, and file transfers.
The key things to remember:
- MMS runs on TCP port 102 through the full OSI stack (TPKT → COTP → Session → Presentation → MMS)
- Start Wireshark before the MMS connection is established to capture the presentation context
- If MMS does not decode, manually configure the PRES User Context (OID: 1.0.9506.2.1)
- Use
mmsas the main display filter, and refine withmms.informationReport_element,mms.confirmed_ErrorPDU_element, etc. - Install the IEC 61850 dissector plugin for richer decoding of reports, commands, and errors
- Always cross-reference what you see in Wireshark with the SCD file and the IED’s data model