This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.

Digital Imaging and Communications in Medicine (DICOM)

Wikipedia has a very good high-level description of DICOM, and the protocol specifications can be found at the DICOM Homepage. This page focuses on Wireshark-specific topics.

History

DICOM is the third version of a standard developed by the American College of Radiology (ACR) and the National Electrical Manufacturers Association (NEMA) and was released in 1993. Previous standards did not include network support. For more information about the history, please refer to [1] & [2].

Protocol dependencies

Example traffic

The following screenshot shows a DICOM communication containing a C-ECHO followed by a C-STORE request.

dicom_assoc_accept.png

The accepted or rejected presentation contexts are decoded to quickly identify negotiation issues.
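To show what that decoding involves, here is an added Python example (not Wireshark's dissector code and not part of the original wiki page) that reads the per-context result out of an A-ASSOCIATE-AC PDU. The field layout and result codes follow the DICOM Upper Layer protocol (PS3.8); the function names and the sample PDU are constructed for illustration.

```python
import struct

# Result/reason codes of a presentation context item in an A-ASSOCIATE-AC PDU.
RESULTS = {0: "acceptance", 1: "user-rejection", 2: "no-reason (provider rejection)",
           3: "abstract-syntax-not-supported (provider rejection)",
           4: "transfer-syntaxes-not-supported (provider rejection)"}

def _items(buf):
    """Yield (type, value) per item: type(1) reserved(1) length(2, big-endian) value."""
    pos = 0
    while pos + 4 <= len(buf):
        itype, _, length = struct.unpack_from(">BBH", buf, pos)
        value = buf[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated item 0x%02x" % itype)
        yield itype, value
        pos += 4 + length

def parse_assoc_ac(pdu):
    """Return [(context_id, result_text, transfer_syntax_uid)] for each context."""
    if len(pdu) < 74 or pdu[0] != 0x02:          # 0x02 = A-ASSOCIATE-AC
        raise ValueError("not a complete A-ASSOCIATE-AC PDU")
    length = struct.unpack_from(">I", pdu, 2)[0]
    contexts = []
    # Variable items follow the 6-byte PDU header and 68 fixed bytes.
    for itype, value in _items(pdu[74:6 + length]):
        if itype != 0x21 or len(value) < 4:      # 0x21 = presentation context (AC)
            continue
        uid = ""
        for stype, sval in _items(value[4:]):
            if stype == 0x40:                    # 0x40 = transfer syntax sub-item
                uid = sval.rstrip(b"\x00").decode("ascii")
        result = RESULTS.get(value[2], "unknown (%d)" % value[2])
        contexts.append((value[0], result, uid))
    return contexts

def _item(itype, value):
    return struct.pack(">BBH", itype, 0, len(value)) + value

def sample_pdu():
    """Constructed A-ASSOCIATE-AC: context 1 accepted, context 3 rejected."""
    body = struct.pack(">HH", 1, 0) + b" " * 32 + b"\x00" * 32
    body += _item(0x10, b"1.2.840.10008.3.1.1.1")            # application context
    body += _item(0x21, bytes([1, 0, 0, 0]) + _item(0x40, b"1.2.840.10008.1.2"))
    body += _item(0x21, bytes([3, 0, 4, 0]) + _item(0x40, b"1.2.840.10008.1.2"))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body

if __name__ == "__main__":
    for ctx in parse_assoc_ac(sample_pdu()):
        print(ctx)
```

A context reported with any result other than acceptance cannot carry data on that association, which is why a rejected context is the first thing to check when a C-STORE never starts.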

Wireshark

Starting with Wireshark 1.1.xx, the DICOM dissector has many new features.

DICOM Export

First, make sure you have a valid DICOM capture, including the Association Request. Then select File -> Export -> Objects -> DICOM.

dicom_export.png

Depending on the minimum size defined in the preferences, you will see more or fewer items in the list.

The Save all dialog is a little tricky if 'Browse for other folders' is expanded. Make sure you are in the parent directory and only highlight the target directory; don't open it.

dicom_export_save_all.png

Conformance statement

For the DICOM Export, the following UIDs are used. Since the SOP Class UID (0008,0016) and SOP Instance UID (0008,0018) are mandatory elements in the meta header, they are created if needed.

Troubleshooting DICOM

Wireshark is an ideal starting point to troubleshoot DICOM connectivity problems. Most often, the involved DICOM devices run on different operating systems, are from different vendors and sometimes are rather closed devices. In addition, the log files on those devices and cannot show both ends.

Basic connectivity problems can be identified just by using Wireshark captures. If it is more than that, it should at least be possible to tell at which end to start.

To help quickly identify common scenarios, the DICOM dissector creates 'Expert Info' marks as shown next.

dicom_expert_info.png

In the Packet Details tree, warnings are highlighted as follows:

Association Request & Response

If one can't get beyond this, it's most likely a DICOM configuration or network setup issue.

Transfer Syntax

Query and Retrieve

Performance

Looking at the timestamps is by far the best method to figure out why a transfer is slow.

Preference Settings

The following settings are available to influence DICOM dissection and its data display.

dicom_default_pref.png

Example capture file


Display Filter

A complete list of DICOM display filter fields can be found in the display filter reference.

Capture Filter

You cannot directly filter DICOM protocols while capturing. However, if you know the TCP port used (see above), you can filter on that one.

Discussion