DHRIO CIP encapsulated DH+ (CIP service 0x0000)?

lantzvillian (Member, joined Oct 2017, Michigan, 6 posts)
Hello all,

I have some wireshark captures of what I believe is DH+ traffic over EIP. I have scoured the documentation and I am concerned by what I am seeing, but it is only one sample.

I am getting packets that look like DH+/PCCC, but there is an 8 byte pre-amble before the CMD. The first byte is 0x0000, which makes Wireshark think that this is a generic CIP service and perhaps this is true, but it could also be that the link-ID is 0x00 too! What would happen if it was non-zero? (Sorry I can't test my hypothesis).

I've attached a screenshot.

Can anyone provide input?

WS-PCCC.jpg
 
Is this a capture from your PC to a CLX Ethernet card such as a 1756-EN2T?

When targeting a DHRIO card, you would typically see Class 0xa6 being referenced.
 
I wish it were my PC and setup, but unfortunately, I don't have much more information

.101 IP belongs to the AN-X2-DHRIO (for sure)

Supposedly, there is:

  • a 1768-L43
  • AN-X2-AB-DHRIO
  • a SLC5/04

Another capture I have has Object 0x6a and Service 0x51/0x51 as well, going to the AB device.
 
Does it truly matter? :p I think something like slide 20 of https://www.slideshare.net/RockwellAutomation/prosoft-technology-migrate-your-legacy

I'm not sure, but I'm assuming a spanning port or hub. However, I've seen Wireshark captures from other places where the same 0x0000 service is present; it's not just with the DHRIO bridge.

Is AB using UCMM in places undocumented? What is the header before the CMD? Is it documented? Is there some special case where DH+/remote IO is going? Is there a packet-level definition that isn't in the form of click GUI in X way?

Sorry for the questions - I know Modbus really well, but derelict EIP is a bit more... fun :)
 
The reason I was asking was to determine whether it was explicit messages reading from a data table or IO messages. The two will have different signatures. If it were captured with a tap or mirrored port, it could indicate it is IO packets as opposed to something targeting the processor, such as a data monitor from RSLinx. You will find a lot of Ethernet/IP is undocumented. The protocol specification is rather generic (which is well documented) and the devices implement specific objects and services (which is less frequently documented).
 
Hello,

It was captured on a hub/tap and identical to slide 20 in the deck. Have you seen this behaviour before? Traffic with little to no CIP header? Especially for SendUnitData.
 
I have not seen a capture of RemoteIO over Ethernet/IP, but that is my suspicion of what it is.

A DH+ packet that is reading from a data table would target a particular class in the DHRIO device. I can't make out the numbers in your screen capture, so I wasn't able to determine if it was a PCCC packet.
 
I've attached a selection of the pcap (6 packets).

RemoteIO may indeed be what it is. Is there a reverse-engineered spec or guestimation somewhere?
 
I can definitely see packets 5 and 6 are a PCCC request and response. Taking a stab in the dark, if the capture was started from the time the system was powered up, you would see a forward open establishing a connection, then packets are sent over that connection, which could explain why there is no class or service being referenced.

Typically the only way to figure out is through reverse engineering.
 
That was my guess as well (not the FO stuff, but something is happening earlier in the conversation such as session IDs/message routing of sorts). Interestingly enough, they have timeout values of 1 when encapsulated packets are supposed to have a value of 0 according to the spec as well.

Truthfully told, I can't identify any markers really from a midstream packet other than marching ahead to the PCCC header. Thoughts?
 
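As an added example, not code from any poster in this thread: a small Python parser for the EtherNet/IP encapsulation header and Common Packet Format (CPF) that shows the two packet shapes discussed above. In a SendRRData/UCMM frame the unconnected data item really does start with a CIP service code and a request path, and for Execute PCCC (PCCC object class 0x67, service 0x4B) a 7-byte requestor ID sits between the path and the PCCC CMD byte. In a SendUnitData frame the connected data item carries only a 2-byte sequence count in front of whatever the Forward Open negotiated, so the frame by itself cannot say whether the next byte is a service code or application data, which is why a dissector guessing "service 0x00" proves nothing. The parser also reports the encapsulation timeout so the "should be 0 for SendUnitData" observation can be checked per frame. Both frames are constructed with the helper in the block; the vendor ID, serial number, connection ID and the opaque connected payload are placeholders.

```python
"""Classify EtherNet/IP frames: UCMM (explicit service/class on the wire) vs connected data.

Added example for this thread, not code from the original posts. Frames are
constructed below; the CIP object/service numbers follow the usual UCMM-PCCC layout,
every other value is a placeholder.
"""
import struct

ENCAP_COMMANDS = {0x0065: "RegisterSession", 0x006F: "SendRRData", 0x0070: "SendUnitData"}
CPF_ITEM_TYPES = {0x0000: "NullAddress", 0x00A1: "ConnectedAddress",
                  0x00B1: "ConnectedData", 0x00B2: "UnconnectedData"}
PCCC_CLASS, PCCC_EXECUTE = 0x67, 0x4B          # PCCC object and its Execute PCCC service


def build_frame(command: int, session: int, timeout: int, items: list) -> bytes:
    """Assemble a 24-byte encapsulation header + interface handle + timeout + CPF items."""
    cpf = struct.pack("<H", len(items))
    cpf += b"".join(struct.pack("<HH", t, len(d)) + d for t, d in items)
    body = struct.pack("<IH", 0, timeout) + cpf     # interface handle 0 = CIP
    header = struct.pack("<HHII8sI", command, len(body), session, 0, b"\x00" * 8, 0)
    return header + body


def parse_cpf(block: bytes) -> list:
    """Split a Common Packet Format block into (item_type, item_data) pairs."""
    count, = struct.unpack_from("<H", block, 0)
    off, items = 2, []
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", block, off)
        off += 4
        data = block[off:off + item_len]
        if len(data) != item_len:
            raise ValueError("CPF item runs past end of packet")
        off += item_len
        items.append((item_type, data))
    return items


def parse_pccc_execute(req: bytes) -> dict:
    """Decode an Execute PCCC *request*: requestor ID (len byte, vendor, serial) then CMD/STS/TNS/FNC."""
    rid_len = req[0]                                # counts itself; normally 7
    vendor, serial = struct.unpack_from("<HI", req, 1)
    cmd, sts, tns, fnc = struct.unpack_from("<BBHB", req, rid_len)
    return {"vendor": vendor, "serial": serial, "cmd": cmd, "sts": sts,
            "tns": tns, "fnc": fnc, "data": req[rid_len + 5:]}


def classify(frame: bytes) -> dict:
    """Parse one encapsulation frame and report how its CIP payload can (and cannot) be read."""
    if len(frame) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, session, _status, _ctx, _opts = struct.unpack_from("<HHII8sI", frame, 0)
    body = frame[24:24 + length]
    if len(body) != length:
        raise ValueError("encapsulation length exceeds frame")
    out = {"command": ENCAP_COMMANDS.get(cmd, hex(cmd)), "session": session, "notes": []}
    if cmd not in (0x006F, 0x0070):
        return out
    _interface, timeout = struct.unpack_from("<IH", body, 0)
    out["timeout"] = timeout
    if cmd == 0x0070 and timeout != 0:
        out["notes"].append("SendUnitData timeout is %d; the spec says it shall be 0" % timeout)
    items = parse_cpf(body[6:])
    out["items"] = [CPF_ITEM_TYPES.get(t, hex(t)) for t, _ in items]
    for item_type, data in items:
        if item_type == 0x00B2:                     # UCMM: byte 0 really is a CIP service code
            service = data[0]
            out["service"], out["is_reply"] = service & 0x7F, bool(service & 0x80)
            if not out["is_reply"]:
                path_words = data[1]
                path = data[2:2 + 2 * path_words]
                out["path"] = path.hex()
                if path[:1] == b"\x20":             # 8-bit logical class segment
                    out["class"] = path[1]
                if out.get("class") == PCCC_CLASS and out["service"] == PCCC_EXECUTE:
                    out["pccc"] = parse_pccc_execute(data[2 + 2 * path_words:])
        elif item_type == 0x00B1:                   # connected: only a sequence count is fixed
            out["sequence"], = struct.unpack_from("<H", data, 0)
            out["payload"] = data[2:]
            out["notes"].append(
                "connected data item: byte 0x%02x after the sequence count may be a CIP service "
                "(connected explicit messaging) or raw application data fixed by the Forward Open; "
                "the frame alone cannot tell" % data[2])
    return out


# Constructed sample 1: UCMM Execute PCCC, CMD 0x0F / FNC 0xA2 (protected typed logical read).
UCMM_PCCC_REQ = (bytes([PCCC_EXECUTE, 0x02, 0x20, PCCC_CLASS, 0x24, 0x01])   # service + path
                 + bytes([0x07, 0x01, 0x00, 0x78, 0x56, 0x34, 0x12])          # requestor ID
                 + bytes([0x0F, 0x00, 0x01, 0x00, 0xA2, 0x02, 0x07, 0x89, 0x00, 0x00]))
FRAME_UCMM = build_frame(0x006F, 0x11223344, 0, [(0x0000, b""), (0x00B2, UCMM_PCCC_REQ)])

# Constructed sample 2: SendUnitData with timeout 1 and an opaque connected payload starting 0x00.
FRAME_CONNECTED = build_frame(0x0070, 0x11223344, 1, [
    (0x00A1, struct.pack("<I", 0xDEADBEEF)),                   # placeholder connection ID
    (0x00B1, struct.pack("<H", 7) + bytes.fromhex("000001020304"))])

if __name__ == "__main__":
    for name, frame in (("UCMM", FRAME_UCMM), ("connected", FRAME_CONNECTED)):
        print(name, classify(frame))
```

Run against real captures, feed `classify()` the TCP payload of each frame (one encapsulation packet per call): UCMM frames will yield a service and class, while connected frames yield only a sequence count and a payload, and any SendUnitData frame with a non-zero timeout is called out in `notes`.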
