PLCS.net - Interactive Q & A > LIVE PLC Questions And Answers
October 18th, 2017, 01:43 PM   #1
lantzvillian
DHRIO CIP encapsulated DH+ (CIP service 0x0000)?

Hello all,

I have some wireshark captures of what I believe is DH+ traffic over EIP. I have scoured the documentation and I am concerned by what I am seeing, but it is only one sample.

I am getting packets that look like DH+/PCCC, but there is an 8 byte pre-amble before the CMD. The first byte is 0x0000, which makes Wireshark think that this is a generic CIP service and perhaps this is true, but it could also be that the link-ID is 0x00 too! What would happen if it was non-zero? (Sorry I can't test my hypothesis).

I've attached a screenshot.

Can anyone provide input?
Attached image: WS-PCCC.jpg (49.8 KB)
October 18th, 2017, 02:20 PM   #2
Archie
Is this a capture from your PC to a CLX Ethernet card such as a 1756-EN2T?

When targeting a DHRIO card, you would typically see Class 0xa6 being referenced.
__________________
Expectations lead to disappointment. Appreciation leads to satisfaction.

AdvancedHMI - Software without the license key hassles
October 18th, 2017, 02:58 PM   #3
lantzvillian
I wish it were my PC and setup, but unfortunately, I don't have much more information.

.101 IP belongs to the AN-X2-DHRIO (for sure)

Supposedly, there is:
  • a 1768-L43
  • AN-X2-AB-DHRIO
  • a SLC5/04

Another capture I have has Object 0x6a and Service 0x51/0x51 as well, going to the AB device.

October 18th, 2017, 03:42 PM   #4
Archie
Was the capture done using port mirroring or a tap? Could it be IO traffic from the PLC going to some remote IO?
October 18th, 2017, 04:14 PM   #5
lantzvillian
Does it truly matter? :P I think something like slide 20 of https://www.slideshare.net/RockwellA...te-your-legacy

I'm not sure, but I'm assuming a spanning port or hub. However, I've seen Wireshark captures from other places where the same 0x0000 service is present; it's not just with the DHRIO bridge.

Is AB using UCMM in places undocumented? What is the header before the CMD? Is it documented? Is there some special case where DH+/remote IO is going? Is there a packet level definition that isn't in the form of click GUI in X way?

Sorry for the questions - I know Modbus really well, but derelict EIP is a bit more... fun

October 18th, 2017, 05:17 PM   #6
Archie
The reason I was asking was to determine whether it was explicit messages reading from a data table or IO messages. The two will have different signatures. If it were captured with a tap or mirrored port, it could indicate it is IO packets as opposed to something targeting the processor, such as a data monitor from RSLinx. You will find a lot of Ethernet/IP is undocumented. The protocol specification is rather generic (which is well documented) and the devices implement specific objects and services (which is less frequently documented).
October 18th, 2017, 05:45 PM   #7
lantzvillian
Hello,

It was captured on a hub/tap and identical to slide 20 in the deck. Have you seen this behaviour before? Traffic with little to no CIP header? Especially for SendUnitData.
October 18th, 2017, 05:57 PM   #8
Archie
I have not seen a capture of RemoteIO over Ethernet/IP, but that is my suspicion of what it is.

A DH+ packet that is reading from a data table would target a particular class in the DHRIO device. I can't make out the numbers in your screen capture, so I wasn't able to determine if it was a PCCC packet.
October 18th, 2017, 06:03 PM   #9
lantzvillian
I've attached a selection of the pcap (6 packets).

RemoteIO may indeed be what it is. Is there a reverse-engineered spec or guesstimation somewhere?
Attached file: marked-remoteio.pcapng.zip (901 Bytes)

October 18th, 2017, 06:36 PM   #10
Archie
I can definitely see that packets 5 and 6 are a PCCC request and response. Taking a stab in the dark, if the capture was started from the time the system was powered up, you would see a forward open establishing a connection, then packets are sent over that connection, which could explain why there is no class or service being referenced.

Typically the only way to figure it out is through reverse engineering.
October 18th, 2017, 06:44 PM   #11
lantzvillian
That was my guess as well (not the FO stuff, but something is happening earlier in the conversation such as session ids/messaging routing of sorts). Interestingly enough, they have timeout values of 1 when encapsulated packets are supposed to have a value of 0 according to the spec as well.

Truthfully told, I can't identify any markers really from a midstream packet other than marching ahead to the PCCC header. Thoughts?

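The two observations above, that a connected (post-Forward-Open) message carries no class or service in front of its data (post #10) and that the SendUnitData timeout field should be 0 but reads 1 (post #11), can be checked directly from the encapsulation bytes. The following is an added example, not code from the thread, from AN-X, or from Rockwell: it parses the 24-byte EtherNet/IP encapsulation header, the SendRRData/SendUnitData command-specific fields and the Common Packet Format items, then hands back the connected-data payload after its 16-bit sequence count. The sample frame is constructed here; its eight zero bytes are only a stand-in for the undocumented preamble from post #1 (no claim is made about that preamble's real layout), the PCCC command set used by the heuristic scan is an assumption, and all function names are mine.

```python
"""Added example (not from the thread): walk an EtherNet/IP SendUnitData frame
down to the connected-data payload. All bytes below are constructed, not taken
from the poster's capture."""
import struct
from typing import Dict, Optional, Tuple

ENIP_HEADER_LEN = 24
SEND_RR_DATA = 0x006F    # unconnected explicit messaging (UCMM)
SEND_UNIT_DATA = 0x0070  # connected explicit messaging, used after a Forward Open

CPF_CONNECTED_ADDRESS = 0x00A1  # Common Packet Format: connection ID item
CPF_CONNECTED_DATA = 0x00B1     # Common Packet Format: connected data item

# PCCC request CMD bytes common in SLC/PLC-5 data-table traffic (replies set
# bit 0x40). Assumed set, used only by the heuristic scan below.
PCCC_REQUEST_CMDS = {0x01, 0x06, 0x0F}


def parse_frame(frame: bytes) -> Dict:
    """Parse the encapsulation header and, for SendRRData/SendUnitData, the
    interface handle, timeout and CPF item list. Every length field is checked
    against the buffer so a truncated or padded frame raises instead of misreading."""
    if len(frame) < ENIP_HEADER_LEN:
        raise ValueError("frame shorter than encapsulation header")
    cmd, length, session, status, _ctx, _opts = struct.unpack_from("<HHII8sI", frame, 0)
    if len(frame) != ENIP_HEADER_LEN + length:
        raise ValueError("encapsulation length does not match frame size")
    body = frame[ENIP_HEADER_LEN:]
    out: Dict = {"command": cmd, "session": session, "status": status,
                 "items": [], "warnings": []}
    if cmd not in (SEND_RR_DATA, SEND_UNIT_DATA):
        return out
    if len(body) < 8:
        raise ValueError("truncated command-specific data")
    _iface, timeout, item_count = struct.unpack_from("<IHH", body, 0)
    out["timeout"] = timeout
    # For SendUnitData the timeout field is unused and shall be zero; a
    # non-zero value is the oddity raised in post #11.
    if cmd == SEND_UNIT_DATA and timeout != 0:
        out["warnings"].append(f"SendUnitData timeout is {timeout}, expected 0")
    off = 8
    for _ in range(item_count):
        if off + 4 > len(body):
            raise ValueError("truncated CPF item header")
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        data = body[off:off + item_len]
        if len(data) != item_len:
            raise ValueError("truncated CPF item data")
        off += item_len
        out["items"].append((type_id, data))
    if off != len(body):
        out["warnings"].append("trailing bytes after CPF items")
    return out


def connected_payload(parsed: Dict) -> Tuple[int, bytes]:
    """Return (sequence count, application data) from the 0xB1 item. On an
    established connection the data follows the 16-bit sequence count directly:
    no service code, no class/instance path. A dissector that expects one reads
    the first payload byte as a service, which is 0x00 in the sample."""
    for type_id, data in parsed["items"]:
        if type_id == CPF_CONNECTED_DATA:
            if len(data) < 2:
                raise ValueError("connected data item too short")
            return struct.unpack_from("<H", data, 0)[0], data[2:]
    raise ValueError("no connected data item in frame")


def find_pccc_header(payload: bytes) -> Optional[int]:
    """Heuristic: offset of the first byte that looks like a PCCC request CMD
    followed by STS 0x00 and a 2-byte TNS. Returns None if nothing matches."""
    for i in range(len(payload) - 3):
        if payload[i] in PCCC_REQUEST_CMDS and payload[i + 1] == 0x00:
            return i
    return None


def build_send_unit_data(session: int, conn_id: int, seq: int,
                         payload: bytes, timeout: int = 0) -> bytes:
    """Assemble a SendUnitData frame with a connected-address and a
    connected-data item; used here only to construct sample input."""
    items = (struct.pack("<HHI", CPF_CONNECTED_ADDRESS, 4, conn_id)
             + struct.pack("<HHH", CPF_CONNECTED_DATA, 2 + len(payload), seq)
             + payload)
    body = struct.pack("<IHH", 0, timeout, 2) + items
    header = struct.pack("<HHII8sI", SEND_UNIT_DATA, len(body), session, 0, bytes(8), 0)
    return header + body


# Constructed payload: eight zero bytes stand in for the undocumented preamble
# from post #1 (no claim about its real layout), then a PCCC protected typed
# logical read: CMD 0x0F, STS 0x00, TNS 0x1234, FNC 0xA2, constructed address.
PAYLOAD = bytes(8) + bytes([0x0F, 0x00, 0x34, 0x12, 0xA2, 0x02, 0x07, 0x89, 0x00, 0x00])
SAMPLE = build_send_unit_data(0x11223344, 0xDEADBEEF, 7, PAYLOAD, timeout=1)

if __name__ == "__main__":
    parsed = parse_frame(SAMPLE)
    seq, data = connected_payload(parsed)
    print(f"command=0x{parsed['command']:04X} seq={seq} first byte=0x{data[0]:02X}")
    print("PCCC header at offset", find_pccc_header(data), "warnings:", parsed["warnings"])
```

Run against a real capture, the same walk applies to each SendUnitData frame after the Forward Open; the `warnings` list is where a monitoring rule would hang checks such as the non-zero timeout or trailing bytes, and `find_pccc_header` is only a starting point for the "marching ahead to the PCCC header" that the thread describes, since the preamble layout is not established here.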