Lab report

ISP0051 Applied Data Communication

Supervisor: Kristjan H. Sillmann

Imot Algma
104896
IATM31
December 2012

I captured traffic between the PC (192.168.0.49) and the Programmable Logic Controller (PLC, 192.168.0.101) in 3 separate lab sessions with Wireshark.
The resulting capture files are here, here and here.

Answers:

    1. The first Ethernet/IP packet in the data exchange is packet number 36, Command: Register Session (0x0065). Its purpose is to register a formal Ethernet/IP session. In the response packet I got Session Handle: 0x0b022400.

    2. The Ethernet/IP header specifies the length of the encapsulated data:

    3. Only 3 different Ethernet/IP commands were used during the data exchange:
      1. Register Session (0x0065)
      2. Send RR Data (0x006f)
      3. Send Unit Data (0x0070)

      Register Session example. The important field is the session handle:

      The Send RR Data command is used to transfer encapsulated request/reply packets. The encapsulated packet is located in the data portion of the message and is processed by the originator and the target. The important field should be the Unconnected Data Item.

      If a connection has been set up, the Send Unit Data command can be used. The command is for connected TCP messages with no reply generated. The important field should be the Connection Identifier.

    1. As displayed in section 1.1, the PC sends a Register Session request with a zero session value, and the PLC answers with the first packet that contains the real session ID.

    2. CIP service values seen in the packets:
      1. Forward Open (0x54)
      2. Forward Close (0x4e)
      3. Unconnected Send (0x52)
      4. Get Attribute All (0x01)
      5. Open Connection (0x4c)
      6. Kick Timer (0x4b)
      7. Get Attribute List (0x03)
      8. Multiple Service Packet (0x0a)
      9. Unknown (0x55)

      1. Forward Open packet. The important part is Command Specific Data.

      2. Forward Close packet. The important part is Command Specific Data.

      3. Unconnected Send packet. The important part should be the service inside the Message Request.

      4. Get Attribute All packet. The important part is Command Specific Data.

      5. Open Connection packet. The important part is Command Specific Data.

      6. Kick Timer packet. The important part is Command Specific Data.

      7. Get Attribute List packet. The important part is Command Specific Data, namely Attribute Count and Attribute List.

      8. Multiple Service Packet. The important fields are under Command Specific Data: Number of Replies and Offsets.

      9. Unknown Service (0x55) packet. The important field is probably Command Specific Data.

    1. The PLC tag value is included in the Multiple Service Packet, so we must count all ENIP/CIP packets before the first Multiple Service Packet. There are 68 such packets in total:

    2. DO write request:

      DO read request:

      DO write response:

      DO read response:

      The value written and read is 1234, which is 04D2 in hex. In the captured packets the bytes are in reverse order, D204.

      The biggest difference between write and read is that when writing, the data is in the request, but when reading, the data is in the response packet.

    3. Just one packet is needed for reading the values of a 10-element array:

      For example, 12345 in hex is 3039. Reversed, that is 3930, and that is what we see in the array.
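As an added example (not part of the lab report or its captures), the following Python code ties together the header-length, Register Session and byte-order observations above: it parses the 24-byte Ethernet/IP encapsulation header, checks the length field against the data actually carried, builds a Register Session request and reply (the reply's handle is the one quoted in section 1.1), and decodes tag values whose bytes appear reversed on the wire. The sample frames are constructed here; the 24-byte header layout and the Register Session data format are assumptions from the ODVA encapsulation specification, not something shown on the page.

```python
import struct

# Ethernet/IP encapsulation header (assumed layout): command, length, session
# handle, status, 8-byte sender context, options. All fields little-endian.
ENIP_HEADER = struct.Struct("<HHIIQI")  # 24 bytes in total

COMMANDS = {
    0x0065: "Register Session",
    0x006F: "Send RR Data",
    0x0070: "Send Unit Data",
}

def parse_enip_header(frame: bytes) -> dict:
    """Split one encapsulation packet into its header fields and encapsulated data."""
    if len(frame) < ENIP_HEADER.size:
        raise ValueError("frame shorter than the 24-byte encapsulation header")
    command, length, session, status, context, options = ENIP_HEADER.unpack_from(frame)
    data = frame[ENIP_HEADER.size:]
    # The length field must match the encapsulated data; a mismatch means a
    # truncated or malformed packet rather than a valid Ethernet/IP message.
    if len(data) != length:
        raise ValueError(f"header says {length} data bytes, frame carries {len(data)}")
    return {
        "command": command,
        "command_name": COMMANDS.get(command, f"Unknown (0x{command:04x})"),
        "length": length,
        "session_handle": session,
        "status": status,
        "data": data,
    }

def build_register_session(session_handle: int = 0) -> bytes:
    """Register Session carries 4 data bytes: protocol version 1 and option flags 0."""
    data = struct.pack("<HH", 1, 0)
    return ENIP_HEADER.pack(0x0065, len(data), session_handle, 0, 0, 0) + data

def decode_tag_value(data: bytes) -> int:
    """CIP data is little-endian: the bytes D2 04 on the wire are 0x04D2 = 1234."""
    return int.from_bytes(data, "little", signed=True)

# Constructed sample frames (not taken from the lab captures): the PC's request
# carries session handle 0, the PLC's reply carries the handle it assigned.
REQUEST = build_register_session(0)
REPLY = build_register_session(0x0B022400)

if __name__ == "__main__":
    for name, frame in (("request", REQUEST), ("reply", REPLY)):
        hdr = parse_enip_header(frame)
        print(name, hdr["command_name"], f"session=0x{hdr['session_handle']:08x}")
    print(decode_tag_value(bytes.fromhex("d204")), decode_tag_value(bytes.fromhex("3930")))
```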