Ethereal-users: Re: [Ethereal-users] EtherNet/IP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Rob Brown <brown@xxxxxxxx>
Date: Mon, 20 Sep 2004 11:02:25 -0600 (MDT)
On Mon, 20 Sep 2004 jgt@xxxxxxxxxxxx wrote:

> Has anyone used Ethereal to capture EtherNet/IP messages?
>
> Specifically I need to capture Class 3 CIP messages that are passed between a Logix5000 CPU and an EtherNet/IP compatible device. I would like to have the PC attached to a hub running Ethereal and capture these messages.

I hesitate to speak up, since my knowledge is so rudimentary. I'm sure others will come along to correct me.

It really depends on your topology and the capabilities of the box you are calling a hub.

Back in the old days (especially when co-ax was the medium), Ethernet networks were similar to a party line. Every node saw every packet. Even with the change to twisted pair wiring, this was largely true. The box that I learned to call a hub sent every packet it received out on every other wire.

This has been changing over the last 5 or more years with the introduction of boxes which I have learned to call "switches". These boxes learn where things are, and only send packets over the wire where the destination is likely to be found. I think (but I'm not sure) that in this case, the line off each port of a switch becomes an Ethernet segment.

If your "hub" is a 10/100 type device, then it is probably what I call a switch. I think that if you hang your monitor on one port of this device, it probably won't see any traffic between any two other ports.

> Currently all I am able to see are Class 1 Output data messages that are transmitted by the field device.

(This makes me think that I don't understand the question.)

> How is it possible to see TCP messages between 2 devices if neither device is the computer which is running Ethereal?

Try to arrange to have your two devices and your monitor on the same Ethernet segment. Make sure your hub is one which distributes all traffic on all ports, and make sure that there are no other devices between your monitor and the devices you are monitoring.

Good luck.


--

Rob Brown                        brown@xxxxxxxx
G. Michaels Consulting Ltd.      (866)438-2101 (voice) toll free!
Edmonton                         (780)438-9343 (voice)
                                 (780)437-3367 (FAX)
                                 http://gmcl.com/people/brown.txt
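
Added example (not part of the message above and not Ethereal code): a way to tell from a capture whether the monitoring port behaves like the hub or the switch described in the reply, by checking for unicast frames exchanged between two other hosts. The MAC addresses, sample frames and function names are constructed for illustration.

```python
import struct

def mac(s):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))

def frame(dst, src, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a minimal Ethernet II frame (constructed sample data)."""
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def classify(frames, own_mac):
    """Count frames by how they could have reached the capturing NIC."""
    own = mac(own_mac)
    counts = {"own": 0, "flooded": 0, "third_party_unicast": 0, "short": 0}
    for f in frames:
        if len(f) < 14:                 # too short for an Ethernet header
            counts["short"] += 1
            continue
        dst, src = f[0:6], f[6:12]
        if dst == own or src == own:    # traffic to or from the monitor itself
            counts["own"] += 1
        elif dst[0] & 0x01:             # I/G bit set: broadcast or multicast,
            counts["flooded"] += 1      # typically sent out of every port
        else:                           # unicast between two other hosts
            counts["third_party_unicast"] += 1
    return counts

def sees_other_hosts_unicast(frames, own_mac):
    """True when the capture holds unicast traffic between other hosts.

    A switch can leak a few such frames before it has learned where a
    destination is, so judge on a capture of reasonable length.
    """
    return classify(frames, own_mac)["third_party_unicast"] > 0

# Constructed addresses: the monitoring PC and the two devices being watched.
MONITOR, PLC, DEVICE = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:20"

# What a port on a switch typically shows: multicast, broadcast, own traffic.
SWITCH_CAPTURE = [
    frame("01:00:5e:40:01:01", DEVICE),          # multicast from the device
    frame("ff:ff:ff:ff:ff:ff", PLC, 0x0806),     # ARP broadcast
    frame(MONITOR, PLC),                         # addressed to the monitor
]
# What a repeating hub shows: the same, plus the two devices' conversation.
HUB_CAPTURE = SWITCH_CAPTURE + [frame(DEVICE, PLC), frame(PLC, DEVICE)]

if __name__ == "__main__":
    for name, cap in (("switch", SWITCH_CAPTURE), ("hub", HUB_CAPTURE)):
        print(name, classify(cap, MONITOR), sees_other_hosts_unicast(cap, MONITOR))
```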