Wireshark Industrial Networks

[jeffwitda240]

So I was trying to shed some light on intermittent timeouts to a 1769-AENTR from CompactLogix L36ERM (basically timeouts are counting up in RSLINX> module properties>Connection manager). I was attempting to use wireshark (which I am not versed in) I am able to trace and I can see plenty of traffic however I see no traffic between my PLC and and other modules on my network. More specifically I know the PLC is communicating to VFDs over the network but I see no traffic between the PC ip and any VFD IP. Also to add I have no protocol hits on CIPIO. My PLC is communicating with over 40 devices on this network yet wireshark shows no traffic form my PLC to and of these devices. The entire network is all Hubs no manage switches and I have plugged in through multiple switches. I see traffic however mostly is to and from my computer and the HMI and or PLC and from SCADA network and site PLC. Any insite appreciated here thanks

 

[Ken Roach]

You almost certainly have unmanaged Ethernet switches, not actual "hubs".

Plugging in to an arbitrary port on an unmanaged switch is only going to show you multicast and broadcast traffic, as well as traffic to and from your computer.

An EtherNet/IP network built recently will very probably use Unicast I/O addressing, which will rely on any ordinary Layer 2 switch to direct it to and from the proper ports. There won't be multicast traffic, even without a managed switch set up with IGMP Snooping to constrain it.

So take a step back and figure out if you have an Ethernet "tap" or other mechanism to intercept all of the traffic to and from your PLC. Even the lowest-featured managed switches generally support "port mirroring" that would repeat all of the PLC's data out of a port you could plug Wireshark into.

I have a really nice "EtherTap" from Frontline Test Equipment that allows me to put a true passive network tap in between devices, but when I don't have that on hand I like to use a managed switch with port mirroring, and a dedicated USB/Ethernet dongle that I set up without any protocols or services except the Wireshark capture driver.

 

[jeffwitda240]

thanks KEN you are correct I made a bad assumption a hub and an unmanaged switch are the same. thank you for your instite and seasoned direction

You almost certainly have unmanaged Ethernet switches, not actual "hubs".

Plugging in to an arbitrary port on an unmanaged switch is only going to show you multicast and broadcast traffic, as well as traffic to and from your computer.

An EtherNet/IP network built recently will very probably use Unicast I/O addressing, which will rely on any ordinary Layer 2 switch to direct it to and from the proper ports. There won't be multicast traffic, even without a managed switch set up with IGMP Snooping to constrain it.

So take a step back and figure out if you have an Ethernet "tap" or other mechanism to intercept all of the traffic to and from your PLC. Even the lowest-featured managed switches generally support "port mirroring" that would repeat all of the PLC's data out of a port you could plug Wireshark into.

I have a really nice "EtherTap" from Frontline Test Equipment that allows me to put a true passive network tap in between devices, but when I don't have that on hand I like to use a managed switch with port mirroring, and a dedicated USB/Ethernet dongle that I set up without any protocols or services except the Wireshark capture driver.

 

[joseph_e2]

Ken, is this the product you use?
https://fte.com/products/NetworkTap.aspx
I've had to use a lightly managed switch to get port mirroring, but it was pretty pricey. Normally, anything above a fully unmanaged switch is restricted to IT control, but I managed to slip that one in because I promised to never let it connect to the company network.