
Introduction of DNP3.0 Protocol

The document defines the three main layers of the DNP3 protocol - the application, transport, and link layers. It describes the frame format for the link layer, including the fixed header and optional data blocks. It also provides details on the transport layer, including how it segments messages into multiple frames using a transport header. Finally, it outlines the application layer message format and rules for request-response messaging between master and outstation devices in the DNP3 protocol.

Uploaded by

XIONG

IEEE 1815 DNP3.0 Protocol
Specification defines 3 building blocks in any DNP3 implementation:
• Application layer
• Transport layer
• Link layer
The frame format:

1. Link layer protocol

The data link layer protocol document specifies the DNP3.0 version of the data link layer, link protocol data unit (LPDU), and data link service and transmission procedures. The data uses a variable frame length format: FT3.

FT3 frame length format:

An FT3 frame is defined as a fixed-length header, followed by optional data blocks, and each data block is accompanied by a 16-bit CRC check
code. The fixed header contains a 2-byte start word (0x0564), a 1-byte length (LEN), a 1-byte link layer control word, a 2-byte destination address,
a 2-byte source address and a 2-byte CRC code.
| Field | Size | Description |
|---|---|---|
| Start word | 2 bytes | Fixed: 0x0564 |
| Length | 1 byte | The sum of control word, destination address, source address and user data (255 ≥ length ≥ 5). Excludes all CRC bytes. |
| Link layer control word | 1 byte | The communication control word contains the transmission direction of the frame, the type of the frame and the control information of the data flow. |
| Destination address | 2 bytes | Low byte first |
| Source address | 2 bytes | Low byte first |
| CRC | 2 bytes | High byte first |
| User data block | | |

Remarks:
User data = TH (Transport layer header) (1 byte) + Data block
Data block = Application header + Object title + data
Application message header is divided into request header and response header
• Request header = Application Control (1 byte) + Function Code (1 byte)
• Response header = Application Control (1 byte) + Function Code (1 byte) + Internal Indication (2 bytes)
Object title = Object (2 bytes) + Qualifier (1 byte) + Range (determined by the qualifier)
Object (1 byte) = Group (1 byte) + Variation (1 byte)

1.1 Link layer control word

| Field | Description |
|---|---|
| DIR (direction) | The direction bit indicates whether the frame is sent from the master station or from the slave station. |
| PRM (primary) | The originating flag indicates whether the frame comes from the originating station or the responding station. |
| FCB | The count bit of the frame; 0 and 1 alternate. The purpose of designing this bit is to perform simple error correction. |
| FCV | The valid flag of the count bit of the frame. The FCB bit is valid only when it is 1. |
| Function code | |

1. DIR: Direction bit

• DIR=1: the frame is sent from master to slave (A to B)
• DIR=0: the frame is sent from slave to master (B to A)
2. PRM: Primary flag (PRIMARY)
• PRM=1: Frame from primary (initiating station)
• PRM=0: Frame from secondary (responding station)
Note: The primary station is not necessarily the master station; the outstation can also be the primary station.

3. FCB: The frame count bit is used to prevent frames sent to the same slave station from being lost or repeated. Each time a send and confirm (SEND-CONFIRM) service started by the same originating station towards the same slave station completes successfully, the bit is flipped once.

4. FCV: Frame count valid bit; it makes the FCB take effect.

• FCV=0: Ignore frame count bit (FCB)
• FCV=1: Frame count bit (FCB) is valid.
• Function code:

For the original sender's frame: (PRM=1)

| Function code | Frame type | Service function | FCV bit |
|---|---|---|---|
| 0 | Send/Confirm expected | Reset the remote link | 0 |
| 1 | Send/Confirm expected | Reset of user process | 0 |
| 2 | Send/Confirm expected | Link test function | 1 |
| 3 | Send/Confirm expected | User data | 1 |
| 4 | Send/No reply expected | Unconfirmed user data | 0 |
| 9 | Request/Respond expected | Request link status | 0 |
| 5-8, 10-15 | Unused | | |

For the frame sent by the slave: (PRM=0)

| Function code | Frame type | Service function |
|---|---|---|
| 0 | confirm | ACK = affirmative confirmation |
| 1 | confirm | NACK = The message is not received, the link is busy |
| 11 | response | Link status (DFC=0 or DFC=1) |
| 2-10, 12-13 | Unused | |
| 14 | | Link service is not working |
| 15 | | Link service is not used, or link service is not implemented |
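
A receiver can check an incoming frame against the header layout and the two function code tables above before passing it up the stack. The following is an added example, not code from the original document: `parse_link_header` and `LinkHeader` are hypothetical names, the control-word bit masks and the 16-byte data block size come from the DNP3 standard rather than this page, and the sample frames are constructed with zero placeholder CRC bytes that the code does not verify.

```python
import struct
from dataclasses import dataclass, field

START_WORD = b"\x05\x64"   # fixed start word 0x0564
HEADER_LEN = 10            # start(2) + LEN(1) + control(1) + dest(2) + src(2) + CRC(2)
BLOCK_SIZE = 16            # user-data bytes per CRC-protected block (DNP3 standard, not on this page)

# Function code tables from this section.
PRIMARY = {    # PRM=1: code -> (service function, required FCV bit)
    0: ("Reset the remote link", 0),
    1: ("Reset of user process", 0),
    2: ("Link test function", 1),
    3: ("User data", 1),
    4: ("Unconfirmed user data", 0),
    9: ("Request link status", 0),
}
SECONDARY = {  # PRM=0: code -> service function
    0: "ACK",
    1: "NACK",
    11: "Link status",
    14: "Link service is not working",
    15: "Link service is not used or not implemented",
}


@dataclass
class LinkHeader:
    length: int
    from_master: bool      # DIR
    primary: bool          # PRM
    fcb: int               # only meaningful when primary is True
    fcv: int               # only checked when primary is True
    function_code: int
    service: str
    destination: int
    source: int
    problems: list = field(default_factory=list)


def parse_link_header(frame: bytes) -> LinkHeader:
    """Decode the fixed FT3 header and list every rule of this section it breaks."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame is shorter than the 10-byte fixed header")
    if frame[:2] != START_WORD:
        raise ValueError("start word is not 0x0564")
    length, ctrl = frame[2], frame[3]
    dest, src = struct.unpack_from("<HH", frame, 4)   # addresses: low byte first
    primary = bool(ctrl & 0x40)
    fcb, fcv, code = (ctrl >> 5) & 1, (ctrl >> 4) & 1, ctrl & 0x0F
    problems = []

    if length < 5:
        problems.append("LEN is below the minimum of 5")
    else:
        user = length - 5                      # LEN counts control + addresses + user data
        blocks = -(-user // BLOCK_SIZE)        # ceiling division: one CRC per data block
        expected = HEADER_LEN + user + 2 * blocks
        if len(frame) != expected:
            problems.append(f"frame is {len(frame)} bytes but LEN implies {expected}")

    if primary:
        service, want_fcv = PRIMARY.get(code, ("unused", None))
        if want_fcv is None:
            problems.append(f"function code {code} is unused for PRM=1")
        elif fcv != want_fcv:
            problems.append(f"FCV={fcv} but {service!r} requires FCV={want_fcv}")
    else:
        service = SECONDARY.get(code, "unused")
        if code not in SECONDARY:
            problems.append(f"function code {code} is unused for PRM=0")

    return LinkHeader(length, bool(ctrl & 0x80), primary, fcb, fcv, code,
                      service, dest, src, problems)


# Constructed sample frames (CRC bytes are zero placeholders; the CRC is not checked here).
SAMPLES = {
    "link status request": bytes.fromhex("056405c90a0001000000"),
    "user data without FCV": bytes.fromhex("056405c30a0001000000"),
    "truncated user data": bytes.fromhex("05640ac40a0001000000"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        hdr = parse_link_header(raw)
        print(name, "->", hdr.service, hdr.problems or "ok")
```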
2. The transport layer protocol
The pseudo transport layer can disassemble a "transmission service data unit" (TSDU) into multiple (more than one) TPDUs (or frames) and assemble multiple (more than one) TPDUs into one TSDU. This process works as follows:

• The pseudo transport layer takes a TSDU (user data) and splits it into a number of sequential TPDUs (each with "Protocol Control Information" (TPCI)).
• Each TPDU is passed to the data link layer as a "Link Service Data Unit" (LSDU) for transmission.
• It also works in the opposite direction: the pseudo transport layer receives multiple TPDUs from the data link layer and assembles them into one TSDU.
LSDUs are all segments of user data, and they are all short enough to fit into the defined FT3 frame format. When an originating station sends a message to the slave station, the transport function divides the message into multiple LSDUs. It adds a "Transport Layer Header" (TH) byte at the beginning of each user data segment, which contains the information needed for the slave station to rebuild the complete message. All pseudo-transport layer messages have a TH.
When the slave station receives each LSDU, it checks the TH byte in order to determine the correct sequence and construct a TSDU message for the upper layer.
The TH contains information that identifies the first frame and the last frame, and uses a six-bit sequence number to identify each frame. This information is needed to reassemble the message and also prevents the upper layer from receiving misleading or incomplete messages.

| TH | USER DATA |
|---|---|
| Transport layer header (single byte) | User data (1-249 bytes) |

2.1 Transport layer header

| Field | Description |
|---|---|
| FIN | This bit is "1", which means the last frame |
| FIR | This bit is "1", which means the first frame |
| SEQUENCE | Indicates that this data frame is the first frame of user information, the frame number ranges from 0 to 63, and each start frame can be from 0 to 63 |
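
The segmentation and reassembly described in this section can be written out as follows. This is an added example, not code from the original document: the function and class names are hypothetical, the bit positions (FIN = 0x80, FIR = 0x40, sequence in the low six bits) follow the DNP3 standard, and the 2048-byte reassembly limit is an assumption used to bound memory. The receiver discards any message that arrives without a first frame or with a gap in the sequence, so the upper layer never sees an incomplete message.

```python
FIN = 0x80            # last frame of the message
FIR = 0x40            # first frame of the message
SEQ_MASK = 0x3F       # 6-bit sequence number, 0..63
MAX_USER_DATA = 249   # user data bytes per TPDU, from the TH / USER DATA layout


def segment(tsdu: bytes, first_seq: int = 0) -> list:
    """Split one TSDU into TPDUs, each prefixed with its TH byte."""
    if not tsdu:
        raise ValueError("nothing to send")
    chunks = [tsdu[i:i + MAX_USER_DATA] for i in range(0, len(tsdu), MAX_USER_DATA)]
    tpdus = []
    for n, chunk in enumerate(chunks):
        th = (first_seq + n) & SEQ_MASK          # wraps from 63 back to 0
        if n == 0:
            th |= FIR
        if n == len(chunks) - 1:
            th |= FIN
        tpdus.append(bytes([th]) + chunk)
    return tpdus


class Reassembler:
    """Receiver side: rebuild a TSDU, discarding anything incomplete or out of order."""

    def __init__(self, max_tsdu: int = 2048):    # buffer bound is an assumption
        self.max_tsdu = max_tsdu
        self.dropped = []      # one reason per discarded frame or partial message
        self._buf = None       # None means no message is in progress
        self._expect = 0

    def _drop(self, reason: str):
        self._buf = None
        self.dropped.append(reason)
        return None

    def feed(self, tpdu: bytes):
        """Return the complete TSDU when its FIN frame arrives, otherwise None."""
        if not 2 <= len(tpdu) <= 1 + MAX_USER_DATA:
            return self._drop("TPDU must carry 1..249 bytes of user data")
        th, data = tpdu[0], tpdu[1:]
        seq = th & SEQ_MASK
        if th & FIR:
            if self._buf is not None:
                self.dropped.append("new FIR frame replaced an unfinished message")
            self._buf = bytearray()              # a first frame always starts over
        elif self._buf is None:
            return self._drop("frame without FIR while no message is in progress")
        elif seq != self._expect:
            return self._drop(f"sequence {seq} received, {self._expect} expected")
        self._buf += data
        if len(self._buf) > self.max_tsdu:
            return self._drop("message exceeds the reassembly buffer")
        self._expect = (seq + 1) & SEQ_MASK
        if th & FIN:
            done, self._buf = bytes(self._buf), None
            return done
        return None


def reassemble(tpdus) -> tuple:
    """Feed a list of TPDUs; return (last completed TSDU or None, drop reasons)."""
    rx, result = Reassembler(), None
    for tpdu in tpdus:
        out = rx.feed(tpdu)
        if out is not None:
            result = out
    return result, rx.dropped


if __name__ == "__main__":
    message = bytes(range(256)) * 2 + b"tail"    # constructed 516-byte TSDU
    frames = segment(message, first_seq=62)
    print([hex(f[0]) for f in frames], reassemble(frames)[0] == message)
```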

3. Application layer protocol

The application layer protocol defines the format of the application layer message (APDU). Within DNP, only the designated master station can send application layer request messages, and outstations can only send response messages. The master station must complete a request/response round with an outstation before sending other requests to that outstation. While the request round is in progress, the master station may receive an unsolicited response. Outstations must likewise complete a request/response round before they can accept any other requests or send unsolicited responses. Unsolicited responses can only be sent before or after the request/response round, not while it is in progress. If an outstation is in an unsolicited round (that is, waiting for confirmation), it can conditionally accept a request from the master station.
In addition, every response or request can contain one or more individual segments. However, each segment should be comprehensible (resolvable) on its own, so that it is executable (because the function code belongs to each segment). For devices with limited message storage capacity, it is recommended that only single-segment request messages be sent when the expected response is more than one segment. This is to ensure that those devices can handle a request and assemble a response and, more importantly, send the response before receiving the next request. Otherwise, a multi-segment message will require a multi-segment response, and the message storage required for this response may be greater than the available capacity of the device.

3.1 Application layer message format

| Field | Description |
|---|---|
| Request/response header (APCI) | Identifies the purpose of the message and consists of APCI (application protocol control information) |
| Object header (ASDU) | Data object |
| Data (ASDU) | The data object of the type specified in the object header |

3.2 Application header

The application message can be packaged into several segments, each of which is small enough to fit the application message buffer. The recommended size for the segment buffer is 2048 bytes so that it is compatible with current DNP devices. Each segment has an application header and an appropriate object header. Each segment can be processed as an independent message and then discarded after processing, freeing the buffer for the next segment.

3.2.1 Request header

| Field | Size |
|---|---|
| Application Control (AC) | 1 byte |
| Function code (FC) | 1 byte |

3.2.2 Response header

| Field | Size |
|---|---|
| Application Control (AC) | 1 byte |
| Function code (FC) | 1 byte |
| Internal signal (IIN) | 2 bytes |

3.2.3 Application Control (AC)

The application control field is one 8-bit byte long. It provides the information needed to construct a multi-segment application message. The layout of the application control field is shown in the figure below:

• FIR: If this bit is set to "1", this message segment is the first segment of the entire application message.
• FIN: If this bit is set to "1", this message segment is the last segment of the entire application message.
• CON: If this bit is set to "1", the sender of the application message expects the party receiving the segment to confirm receipt with an application message that uses application function code 0.
• SEQUENCE: Indicates the number of the segment. Segment numbers 0 to 15 are reserved for the requests of the master station and the responses of all outstations (not unsolicited responses). Segment numbers 16 to 31 are reserved for unsolicited responses from outstations. Regarding unsolicited responses, each successive segment from or to the same outstation must also have an ascending sequence number (this number overflows from 15 to 0).

• Response timeouts of the master station and slave station applications. These timeouts specify how long an application must wait for a response, or how long it must wait for a CONFIRM response, before retransmitting or aborting the communication round.

• The retransmission count of the master station and outstation applications. The application may or may not support retransmission at the application layer. The retransmission count specifies how many times the request can be retransmitted if the response fails, or how many times the original response can be retransmitted if the CONFIRM response is not received.

• Before an outstation starts to process a second request, it must completely process the previous request and respond to it. It cannot handle multiple requests at the same time.
• The sequence numbers of all requests sent by the master station to outstations are from 0 to 15. The sequence numbers of unsolicited responses sent from outstations are within 16 to 31.
Note: An unsolicited response is a message sent by an outstation. It usually contains event data and is sent to the master station automatically; the master station does not need to query the outstation for this data.
Note: It is recommended that any changed data reported by the outstation requires confirmation in the response when it is sent.
• Sequence number working rules:
The sequence number rolls over from 15 to 0 or from 31 to 16. Each successive request segment sent from the DNP master station has an ascending sequence number. An exception is the retransmission of request messages. When a single-segment request is retransmitted, its sequence number is not incremented. As for the retransmission of a multi-segment request, the sequence number of the first segment in the retransmitted request is the sequence number of the last segment of the request that just failed.

• For a single-segment request, the single-segment response has the same sequence number as the request.

• For a multi-segment response to a single-segment request, the first segment has the same sequence number as the request. For the subsequent segments of the multi-segment response, the sequence number increases.

• For a multi-segment response to a multi-segment request, the sequence number of the first segment is the same as the sequence number of the last segment of the multi-segment request.
• Retransmission processing rules

• When a response is not received before the time limit expires, and the system uses application layer retransmission, the request is retransmitted with the same sequence number.

• If two messages received have the same sequence number, it usually means that the response to the message has not been received by the opposite station. In this case, the response is retransmitted (it is not necessary to reprocess this message).

• If two CONFIRM responses received have the same sequence number, the second response is ignored.
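
The retransmission rule above matters most for control requests: an outstation that reprocesses a retransmitted request would operate the output twice. The following added example (not code from the original document) shows an outstation session that answers a repeated sequence number from its cached response. `OutstationSession`, `next_seq` and the `execute` callback are hypothetical names, the AC bit positions follow the DNP3 standard, the object bytes are constructed, and only single-segment requests are handled.

```python
FIR, FIN, CON = 0x80, 0x40, 0x20
SEQ_MASK = 0x1F        # sequence 0..31 as described in 3.2.3
FC_RESPONSE = 129      # response function code from 3.2.5


def next_seq(seq: int) -> int:
    """Advance inside the sequence's own range: 15 -> 0 (requests), 31 -> 16 (unsolicited)."""
    return (seq & 0x10) | ((seq + 1) & 0x0F)


class OutstationSession:
    def __init__(self, execute):
        self.execute = execute       # hypothetical callback: (function_code, objects) -> bytes
        self.last_seq = None
        self.last_response = None

    def on_request(self, apdu: bytes) -> bytes:
        if len(apdu) < 2:
            raise ValueError("request header needs AC and FC")
        ac, fc = apdu[0], apdu[1]
        seq = ac & SEQ_MASK
        if seq > 15:
            raise ValueError("master requests use sequence numbers 0..15")
        if not (ac & FIR and ac & FIN):
            raise ValueError("only single-segment requests are handled here")
        if seq == self.last_seq:
            # Same sequence number again: the master did not get our response.
            # Retransmit it without reprocessing the request.
            return self.last_response
        body = self.execute(fc, apdu[2:])
        iin = b"\x00\x00"                             # no internal signal bits set
        response = bytes([FIR | FIN | seq, FC_RESPONSE]) + iin + body
        self.last_seq, self.last_response = seq, response
        return response


def replay_demo():
    """Send one direct-operation request twice, then a new one; count executions."""
    operations = []

    def execute(fc, objects):
        operations.append((fc, objects))
        return objects                                # echo the objects as the status

    session = OutstationSession(execute)
    objects = b"\x0c\x01"                             # constructed object bytes
    request = bytes([FIR | FIN | 3, 5]) + objects     # function code 5, sequence 3
    first = session.on_request(request)
    again = session.on_request(request)               # retransmission
    following = session.on_request(bytes([FIR | FIN | next_seq(3), 5]) + objects)
    return first, again, following, len(operations)


if __name__ == "__main__":
    print(replay_demo())
```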

3.2.4 Conflict between the request of the master station and the unsolicited response

When an outstation sends an unsolicited response, the master station may be sending a request at the same time. The outstation then receives a request from the master station instead of a CONFIRM for its unsolicited response, and the master receives an unsolicited response rather than the expected response to its request.
The handling of this and similar situations depends on the type of request sent by the master station.
The master station will always process the unsolicited response immediately. Even if the master station is expecting a response to a previously sent request, it will process the unsolicited response immediately. If the outstation asks for confirmation (that is, the CON bit is set), the master station must immediately send a CONFIRM for the unsolicited response.
Usually, the outstation will process the request immediately, even if it is expecting a CONFIRM for a previous unsolicited response. Except for requests for system data (such as binary input data, event count data, etc.), all requests should be handled in this mode. This mode of operation is called IMMEDIATE_PROCESS mode. In the other mode, if the outstation is waiting for the CONFIRM of a previous unsolicited response, it will not deal with the read request of the master station before processing the CONFIRM. The purpose of this functional variation is to prevent the loss or duplication of data events. This mode of operation is called PROCESS_AFTER_CONFIRM mode.
• IMMEDIATE PROCESS
• PROCESS AFTER CONFIRM
When the outstation receives a READ request and the previous unsolicited response has not yet been confirmed, the outstation will not process the READ request until the unsolicited response is confirmed. If the outstation handled the READ request immediately, there would be a risk of data loss or data duplication, because the data being READ may be among the data in the unconfirmed unsolicited responses that are still in progress.
• Data recovery after error
The DNP application layer relies on the data link layer for sending, receiving, and error detection of all messages, and the application layer is not responsible for recovery from communication problems. If the data link layer reports the failure of a communication round, the application layer should suspend its communication round and report the error to the user. In addition, the application layer of the master station should indicate the internal signal values in all outstation responses. The user layer is responsible for initiating any kind of error recovery steps. In particular, the user layer should use the internal signal (IIN) sent back in the response from any outstation.

3.2.5 Function Code (FC)

The function code identifies the purpose of the message. The length of this field is one 8-bit byte.
There are two sets of function codes: one for requests and the other for responses.

• 1. Transmission function code

| Code | Function | Description |
|---|---|---|
| 0 | confirm | Used to confirm the segmentation of request and response messages. No response is required for this message. |
| 1 | read | Please send the specified object to the external site; respond with the requested object (available object). |
| 2 | write | Save the specified object to the outstation; respond with the status of the operation. |

• 2. Control function code

| Code | Function | Description |
|---|---|---|
| 3 | select | Select or turn on the output point but do not set or produce any output function (control, set value, analog output); respond with the state of the selected control point. The "Operation" function code is used to activate these outputs. |
| 4 | operating | Set or generate output actions for the points selected by the "select" function; use the state of the control point as a response. |
| 5 | Direct operation | Select and set or operate the specified output, and respond with the state of the control point. |
| 6 | Direct operation, no confirmation | Select and set or operate the specified output, but do not send a response to the requester. |

• 3. Freeze function code

| Code | Function | Description |
|---|---|---|
| 7 | Freeze immediately | Copy the specified object to a frozen cache and respond with the status of the operation. |
| 8 | Freeze immediately (no confirmation) | Copy the specified object to a frozen buffer without a message as a response. |

• 4. Transmission function code

| Code | Function | Description |
|---|---|---|
| 9 | Freeze and clear | Copy the specified object to a frozen cache, then clear the object, and respond with the status of the operation |
| 10 | Freeze and clear (no confirmation) | Copy the specified object to a frozen cache, and then clear the object without a message to respond. |
| 11 | Freeze with time | At the specified time and interval, copy the specified object to a frozen cache, and respond with the state of the frozen operation. |
| 12 | Freeze with time (no confirmation) | Copy the specified object to the frozen cache, at the specified time and time interval, without a message to respond |

• 5. Application control function code

| Code | Function | Description |
|---|---|---|
| 13 | Cold restart | Realize the required reset sequence; respond with the time object indicating the time until the external station can work. |
| 14 | Hot restart | Realize the required partial reset sequence; respond with the time object indicating the time until the external station can work. |
| 15 | Initialize the data to the default value | Initialize the specified data to the initial value of power-on; respond with the state of operation. |
| 16 | Initialize the application | Make the specified application ready to run; respond with the status of the operation. |
| 17 | Start the application | Start the specified application to run; respond with the status of the operation. |
| 18 | Stop application | Stop the specified application; respond with the status of the operation. |

• 6. Configuration function code

| Code | Function | Description |
|---|---|---|
| 19 | Save configuration | Save the specified configuration data into the non-volatile memory and respond with an indicating time object until the external station is available. |
| 20 | Allow unsolicited messages | Allow spontaneous reporting to the specified time object; respond with the status of the operation. |

• 7. Transmission function code

| Code | Function | Description |
|---|---|---|
| 21 | Disable unsolicited messages | Disable the spontaneous report of the specified data object; respond with the status of the operation. |
| 22 | Assignment level | Assign the specified data object to a specific class (CLASS). |

• 8. Time synchronization function code

| Code | Function | Description |
|---|---|---|
| 23 | Delay measurement | Allows the application to calculate the path delay (or propagation delay) for a specific outstation. The value calculated by this function code should be used to adjust the date and time when setting the outstation time |

• 9. Reserved function code

| Code | Function | Description |
|---|---|---|
| 23~120 | | Reserved for future use |
| 121~128 | | Reserved for testing only |

• 10. Response function code

| Code | Function | Description |
|---|---|---|
| 0 | confirm | The confirmation of message segmentation is used for both request and response, and the message does not request a response. |
| 129 | response | In response to a requested message. |
| 128 | Unsolicited response | An unsolicited response that is not prompted by a request. |

3.2.6 Internal signal (IIN)

The internal signal (IIN) field is a two-octet field that follows the function code in all responses. When a request cannot be processed due to a format error or invalid requested data, the IIN is always returned with the appropriate bits set.

| Bit order | Description |
|---|---|
| Byte 1, bit 0 | All messages from outside stations have been received; when a request with all station destinations (FFFFH) is received, it is set; it is cleared after the next response (even if a response to a global request is required); the master station knows that the station has received the broadcast message. |
| Byte 1, bit 1 | Level 1 (CLASS) data is valid and available; when the data that has been configured as level 1 is ready to be sent to the master, it is set; when this bit is set in the response, the master should request this level from the external station data. |
| Byte 1, bit 2 | Level 2 data is valid and available; when the data that has been configured as level 2 is ready to be sent to the master station, it is set; when this bit is set in the response, the master station should request this level of data from the outside station. |
| Byte 1, bit 3 | Level 3 data is valid and available; when the data that has been configured as level 2 is ready to be sent to the master station, it is set; when this bit is set in the response, the master station should request this level of data from the outside station. |
| Byte 1, bit 4 | Request the master station to make the time step, the master station writes "time and date" to the outside station as the time step; when the time is set by the master station, this bit will be cleared. When the master station directly writes "0" to this bit of the external station signal object, it is also cleared |
| Byte 1, bit 5 | When some or all of the digital output points of the external station are in the local state, this bit is set. That is, the control point of the external station cannot be accessed through the DNP protocol. When the external station is in the remote state, it is cleared, that is, the control output of the external station can be accessed through the DNP protocol. |
| Byte 1, bit 6 | The equipment is faulty. It is set when there is an abnormal situation in the outstation. For a given piece of equipment, there is a brief description of the conditions that affect it. This bit should only be used when the combination of one or several other IIN bits cannot be used to describe this state. |
| Byte 1, bit 7 | The device restarts. It is set when the user application is restarted at the external station. When the master station writes "0" directly to this bit of the internal signal object of the external station, this bit is cleared. |
| Byte 2, bit 0 | The function code has not been completed. |
| Byte 2, bit 1 | The requested object is unknown. The outstation does not have the specified object, or no object is allocated in the specified level. This signal should be used to find faults and is usually used to indicate a device description (PROFILE) or configuration problem mismatch. |
| Byte 2, bit 2 | In the qualifier (QUALIFIER), the parameter in the variable range or data field is invalid or out of the variable range. This is a supervisor signal that the format of the application request is wrong. This signal should be used to find faults, and usually indicates configuration problems. |
| Byte 2, bit 3 | The event buffer, or the buffer of other applications has overflowed. For example, the buffer of COS/SOE has overflowed. The host should try to recover as much data as possible and point out to the user that data may be lost, and the user should initiate an appropriate error recovery process. |
| Byte 2, bit 4 | The request has been understood and the requested operation is already being performed. |
| Byte 2, bit 5 | Set to indicate that the current configuration in the external station has crashed and the application layer of the master station should notify the user of this abnormality. The master station can download another set of configuration data to the external station. Note that sometimes a crashed configuration will make an external station unable to work, making it unable to communicate this situation to the master station. |
| Byte 2, bit 6 | It is reserved for use according to the agreement, and it is always set to "0" and sent back. |
| Byte 2, bit 7 | It is reserved for use according to the agreement, and it is always set to "0" and sent back. |

3.2.7 Object header

The object header of the message specifies the data object (or I/O) contained in the message or
the number used to respond to the message.

| Field name | Byte size | Description |
|---|---|---|
| Object | 2 bytes | Specify the object group and the change of the object following the title. The object segment uniquely identifies the class (CLASS) and type (TYPE) of the object, and it gives the structure of the data object |
| Qualifier (QUALIFIER) | 1 byte | Defines the meaning of the variable range |
| Range | 0~8 bytes | Indicate the amount of objects, indicators of starting and ending points, or identifiers of the object in question. Uniquely identify the object of interest. If the qualifier indicates that there is no variable range, the variable range does not need to exist. The size of this field can be changed from zero to eight bytes. |

According to the object (or I/O). The format of the object header in the request and response is the same, but the interpretation of the header depends on whether it is a request or a response and on the function code accompanying the header.

• 1. Object segment
The object segment specifies an object group and the object variant in the group (VARIATION). The combination of object group and variant uniquely specifies the object referred to in the message.
Objects can be assigned to one of the four levels. When the object segment specifies an object level instead of a specific object type, the object segment indirectly refers to all data objects assigned to this level rather than any specific object type.
The object segment is two bytes long. The first 8-bit byte specifies the basic type of data (e.g. analog input), and the second 8-bit byte specifies the variant of the data type (e.g. 16-bit analog input or 32-bit analog input). On the requesting side, if the object variant is specified as zero, this indicates all object variants belonging to the same group (i.e. all or any analog input type). However, on the responding side, variant 0 cannot be used to specify objects. The specific variant must be specified.

• 2. Qualifier

The qualifier section defines the meaning of the variable range section. The variable range is used to index data or as an identifier. The use and structure of the variable range depend on the values in the index size (INDEX SIZE) segment and the qualifier code (QUALIFIER CODE) segment. When the variable range holds a start range value and an end range value, together they define the range of objects for the data following the object title. Each of the start range and stop range sub-fields (SUB_FIELD) is known as an index (INDEX).

• Index size (INDEX SIZE)

• When the QUALIFIER code is equal to 11, it is in the header of a requested object (INDEX SIZE)

• Qualifier code ()

• 3. Variation

Object. The specific variant must be specified.
