A comprehensive bash script for macOS that tests DICOM endpoints for connectivity, security, and protocol compliance.
- Network Connectivity Testing
  - ICMP ping tests
  - TCP port connectivity verification
  - Connection timeout handling
- Security Analysis
  - TLS/SSL connection testing
  - Certificate validation and inspection
  - Certificate details extraction (subject, issuer, validity dates)
  - Auto-detection of TLS support
- DICOM Protocol Compliance
  - C-ECHO (verification/ping) - mandatory for all DICOM devices
  - C-FIND (query) - patient/study/series queries
  - C-STORE (storage) - safe mode without actual transfers
  - C-MOVE (retrieve) - safe mode without actual transfers
  - Association acceptance testing
  - AE Title validation
- Comprehensive Logging
  - Timestamped log files in logs/ directory
  - Color-coded console output
  - Detailed error messages and debugging information
  - Automatic log file organization
- Report Generation
  - Summary reports in reports/ directory
  - Test results and compliance scores
  - Timestamped for audit trails
The script requires the DICOM Toolkit (dcmtk) which includes essential DICOM utilities:
    brew install dcmtk
This installs:
- echoscu - C-ECHO client
- findscu - C-FIND client
- storescu - C-STORE client
- movescu - C-MOVE client
- dcmdump - DICOM file inspector

- bash - Shell interpreter
- openssl - TLS/SSL testing
- nc (netcat) - Network connectivity
- Standard Unix utilities (ping, timeout, etc.)

- Clone or download the script:
    git clone <repository-url>
    cd dicom_query
- Make the script executable:
    chmod +x dicom_endpoint_analyzer.sh
- Install dependencies:
    brew install dcmtk

    ./dicom_endpoint_analyzer.sh <host> <port>
Example:
    ./dicom_endpoint_analyzer.sh 192.168.1.100 104

    ./dicom_endpoint_analyzer.sh [OPTIONS] <host> <port>
Options:
    -c, --calling-ae <AE>   Calling AE Title (default: DICOM_ANALYZER)
    -e, --called-ae <AE>    Called AE Title (default: ANY-SCP)
    -t, --tls <mode>        TLS mode: auto|true|false (default: auto)
    -h, --help              Show help message

Test a PACS server with specific AE titles:
    ./dicom_endpoint_analyzer.sh -c MY_CLIENT -e PACS_SERVER pacs.hospital.com 11112
Force TLS connection:
    ./dicom_endpoint_analyzer.sh --tls true secure.pacs.com 11112
Test with custom AE titles:
    ./dicom_endpoint_analyzer.sh \
      --calling-ae WORKSTATION1 \
      --called-ae ORTHANC \
      192.168.1.50 4242

The script generates two types of output:
Real-time color-coded output showing:
- INFO (blue) - general information
- SUCCESS (green) - successful tests
- WARNING (yellow) - non-critical issues
- ERROR (red) - failures
Located in logs/dicom_analysis_YYYYMMDD_HHMMSS.log:
- Detailed timestamped logs
- Complete command outputs
- Debug information
- Error traces
Located in reports/dicom_report_YYYYMMDD_HHMMSS.txt:
- Executive summary
- Test results overview
- Compliance scores
- Recommendations
- ICMP ping test (may be blocked by firewalls)
- TCP port connectivity
- Basic reachability verification
- TLS handshake testing
- Certificate validation
- Certificate details extraction
- Protocol version detection
- C-ECHO: Tests basic DICOM association
- C-FIND: Tests query capabilities (Patient Root SOP Class)
- C-STORE: Checks storage capability (safe mode, no actual transfer)
- C-MOVE: Checks retrieve capability (safe mode, no actual transfer)
- Compile results
- Generate summary report
- Calculate compliance scores
The script implements several safety measures:
- Read-Only Operations: C-ECHO and C-FIND are safe, read-only operations
- No Data Transfer: C-STORE and C-MOVE tests are skipped by default (safe mode)
- Timeout Protection: All network operations have configurable timeouts
- Input Validation: Validates hosts, ports, and AE titles
- Error Handling: Graceful failure with detailed error messages
- Non-Destructive: Never modifies remote data or configurations
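The input validation listed above, sketched as an added example (this is not code from dicom_endpoint_analyzer.sh; the function names are hypothetical). The AE title rules follow the DICOM AE value representation; rejecting a leading `-` and restricting hosts to hostnames or IPv4 literals are assumptions made here so that no value can be read as a command-line option by echoscu or findscu.

```shell
export LC_ALL=C   # byte-wise matching, so pattern ranges mean ASCII only

# Hostname or IPv4 literal only (assumption: no IPv6 literals in this sketch).
validate_host() {
  case "$1" in
    ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Decimal TCP port 1-65535, no sign, no leading zeros.
validate_port() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# DICOM AE value: at most 16 characters, printable ASCII, no backslash,
# no control characters, not made up only of spaces.
# The leading '-' rejection is extra hardening, not a DICOM rule.
validate_ae_title() {
  case "$1" in
    ''|-*|*\\*) return 1 ;;
  esac
  # Count bytes outside 0x20-0x7E; wc -c keeps a trailing newline visible,
  # which a bare $(...) comparison would silently strip.
  bad=$(printf '%s' "$1" | tr -d ' -~' | wc -c | tr -d ' ')
  [ "$bad" = 0 ] || return 1
  [ "${#1}" -le 16 ] || return 1
  [ -n "$(printf '%s' "$1" | tr -d ' ')" ]
}

# Returns 0 only if host, port, calling AE and called AE are all acceptable.
validate_target() {
  validate_host "$1" && validate_port "$2" &&
    validate_ae_title "$3" && validate_ae_title "$4"
}

# Constructed sample inputs: host, port, calling AE, called AE.
for args in "pacs.hospital.com 11112 MY_CLIENT PACS_SERVER" \
            "192.168.1.50 4242 WORKSTATION1 ORTHANC" \
            "10.0.0.5 70000 A B" "--version 104 A B"; do
  set -- $args
  if validate_target "$@"; then echo "ok:       $*"; else echo "rejected: $*"; fi
done
```

Run the checks before the first network call and before the values are written to a log file, so rejected input never reaches either.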
- 104: Standard DICOM port (requires root/sudo)
- 11112: Common alternative DICOM port
- 4242: Orthanc default port
- 8042: Orthanc web interface (HTTP, not DICOM)
    sudo ./dicom_endpoint_analyzer.sh <host> 104
Install dcmtk:
    brew install dcmtk
- Verify the Called AE Title matches the remote server configuration
- Check if your IP is whitelisted on the DICOM server
- Confirm the server is accepting connections
- Verify network connectivity
- Check firewall rules
- Ensure the DICOM service is running
Most DICOM servers use plain TCP without TLS. This is normal for:
- Internal hospital networks
- Legacy PACS systems
- Standard DICOM port 104
The script tests compliance with:
- DICOM PS3.7: Message Exchange (DIMSE)
- DICOM PS3.8: Network Communication Support
- C-ECHO: Verification Service Class (required for all devices)
- C-FIND: Query/Retrieve Service Class
- C-STORE: Storage Service Class
- C-MOVE: Query/Retrieve Service Class
- Authorization: Ensure you have permission to test the target endpoint
- Network Policy: Verify compliance with organizational security policies
- Logging: Logs may contain sensitive information (host names, AE titles)
- Safe Mode: C-STORE and C-MOVE tests are disabled by default
- TLS: Modern DICOM servers should use TLS for security
This script is provided as-is for testing and diagnostic purposes.
Contributions are welcome! Please ensure:
- macOS compatibility
- Proper error handling
- Safe, non-destructive operations
- Clear documentation
For issues or questions:
- Check the troubleshooting section
- Review log files for detailed error information
- Verify DICOM server configuration
- Consult DICOM standard documentation
- 1.0.0: Initial release with full connectivity and compliance testing