PLC Messaging Itself?

krakenfan69

Lifetime Supporting Member
krakenfan69
Join Date
Nov 2011
Location
Alberta
Posts
229
Hey guys. Got a strange one. Was sent to a site where the VNC access is very poor. The IT has assisted and a Wireshark report shows data requested from the MAC address of the L33ER being broadcast out to the switch asking "who has 192.168.1.1" (Not the actual IP address) The IP it is requesting data from is ITSELF! They eventually time out and let the VNC connection happen but it is still pretty poor. The Ethernet radios have a great signal strength. I can find no instance of a message instruction in the code. I don't see any Produce / Consume tags. Any hints as to how to try to find where this request is generated form inside the PLC?
 
I don't think a MSG would send out an ARP request, only things in the I/O tree would. And ARP requests by themselves wouldn't impact the performance, they're just too few and far between. Edit: in my case 44 bytes ever ~30 seconds

My guess, there is something in the tree that is configured to have the same IP address as the PLC. For fun, I added a generic module that has the same IP address as my controller (192.168.1.10). It will send an ARP request asking who has that address.
 
Here you go. It appears the VNC just eventually can get through. Not specifically after the ARP stops.

1713308138759.png
 
Last edited:
This isn't the controller "messaging itself". It's a "Gratuitous ARP" probe, being used by the controller to update the switches it's connected to and to detect duplicate IP addresses on the LAN.

>The Ethernet radios have a great signal strength.

If there's one statement I never trust, it's "there's nothing wrong with the radios".

There are lots of things that can cause poor remote access performance. Wireshark is a great tool, but don't get distracted by a handful of ARP packets.
 
This is also used to detect duplicate IP address. If Wireshark shows ARP “…Tell 0.0.0.0” then this is it.
 
Contr_Conn said:
This is also used to detect duplicate IP address. If Wireshark shows ARP “…Tell 0.0.0.0” then this is it.
Click to expand...
I haven't ever seen a node doing this in the wild. Is this common? If it was I imagine i'd see a lot of those sort of requests in regular ARP traffic but I don't think I have.
 
idiotsecant said:
I haven't ever seen a node doing this in the wild. Is this common? If it was I imagine i'd see a lot of those sort of requests in regular ARP traffic but I don't think I have.
Click to expand...
This is used for 20+ years in Logix and EtherNet/IP. Always been there, all RA modules do that.
 

Similar Topics

Thitiwut-Gelo
Can I use DH+ messaging to read output and to write input of PLC 5
Hello everyone. I have a question about Rockwell PLC communication. Now I have a PLC5/30 and a Guardlogix 1756-L71S rack with 1756-DHRIO In my PLC...
Replies
4
Views
1,426
alan_505
A
R
PLC Messaging Issue
Hello Everyone, I am trying to set up messaging instructions between these two PLC. PLC 1 = 1769L32E Compact Logix 5332E Controller V17 of...
Replies
4
Views
2,095
raamakoti
R
theColonel26
PLC Messaging Toggling Bits for Ack/Handshake Messages?
Does anyone else toggle bits, or increment words as a messaging technique? To start a sequence or process I will hold a bit true (To avoid...
Replies
6
Views
1,712
jstolaruk
J
EICS
Messaging from Controllogix to PLC 5 - issue
I am having trouble messaging from a Control Logix L61 (Version V18) CPU over Ethernet to a PLC5/40E "Series F" (RJ45 on-board) Processor - which...
2
Replies
15
Views
3,369
EICS
EICS
S
Modbus TCP messaging with M340 PLC
Hi Guys, I have a project that requires a M340 PLC to communicate with a PM5340 power meter over Modbus TCP. I have previously used the same type...
Replies
3
Views
3,318
squb
S
Back
Top Bottom