Device to tap and record Ethernet/IP connections?

Hello PLCS.net!

I was wondering if there is such a thing available that connects inline with two RJ45 jacks and lets me know what communication is happening?

From what I understand, I don't necessarily want the packet information, but rather the information about the contents of the packet, so the application data.

We are in the AB environment, and would like something to help us log communication between the OPC and the PLC.

Thanks!
-PeeLC.

A SharkTap and Wireshark software:

https://www.amazon.com/midBit-Technologies-LLC-10-100/dp/B00DY77HHK

It is basically a 3 port switch with a mirrored port that let's you see the traffic. Wireshark does a good job at breaking down the packet.

Wireshark might be what you are looking for, it's a free download. It installs on any PC on the network.

I records each item on a network that send a packet, and the type of send with the destination IP if it is to a specific other device. It can be filtered to show only data for specific IP addresses, MAC addresses, type of packet or request, etc.

If the OPC server is running on a PC you can try Wireshark packet analyzer on it.

The hard part will then be to interpret the sequence of bytes since two sources of information have to be used, the first from OVDA about Ethernet/IP and the CIP packets and then from Rockwell Automation about the data contained in those packets..

OVDA documents are not free, you have to be a member and pay a fee to obtain them and as for RA there are a few documents and from my point of view there are incomplete.

a word of caution about sniffer programs.

one of our guys ran a sniffer program to see what was on the network and brought the traffic to a crawl.
everyone came asking me if I had a network loop.
when we got to him, we had him turn off the program and everything was normal.


please be aware of the network when you run the program.

james

James Mcquade said:

a word of caution about sniffer programs.

one of our guys ran a sniffer program to see what was on the network and brought the traffic to a crawl.
everyone came asking me if I had a network loop.
when we got to him, we had him turn off the program and everything was normal.


please be aware of the network when you run the program.

james

Click to expand...

Bizarre, I would have liked to be involved in understanding that one. I don't see how Wireshark would do that, it just captures the packets entering the specified network adapter on the machine running it. It doesn't send anything out onto the network. Maybe the program he was running was more than a packet sniffer?

I could see a misconfigured switch used for mirroring or something like that, but it's hard to see Wireshark by itself causing problems.

I have one of those shark taps and have used it many times with no noticeable network impact. To be useful, they need to have no impact on the network or you wouldn't be able to use it for what it's designed for, troubleshooting.

You can run wireshark on the machine that the OPC server is running on. You can set up filters on IP or port number.

To guarantee you are getting all the data on the wire, you would want to use a port mirroring device like a managed switch or the shark tap, running on a different machine than the one the OPC server is running on.

It is possible that the OPC server can intercept inbound packets prior to wireshark being able to see them. RSLinx does this in certain cases, which was what led me to buy the shark tap in the first place. I had to capture the data on a machine that was not running RSLinx.

I think wireshark is ethernet/IP aware. When I wrote my direct driver for the logix platform I used wireshark to inspect the packets. It knew the names of the various areas of the packet like session id, connection id, etc.

SD_Scott said:

I think wireshark is ethernet/IP aware. When I wrote my direct driver for the logix platform I used wireshark to inspect the packets. It knew the names of the various areas of the packet like session id, connection id, etc.

Click to expand...

Yes it can dissect some of the traffic, especially the header data. Some packet payloads it does not dissect.

Wireshark, an excellent tool.