This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Identifying packet payload between PLC and CitectSCADA

0

I have a console computer running CitectSCADA connected to a PLC via a managed switch with wireshark monitoring the network. I need to identify which packets in the stream correspond to actions on the user interface on SCADA (i.e. changing a tag value from 0 to 1 and vice versa), but there are hundreds of packets being captured a second. How do I narrow this down to find what I am looking for? The end goal is to identify the payload of the packets for these actions in SCADA to build a firewall for the system.

asked 22 Oct '15, 08:52

rbaturin's gravatar image

rbaturin
6112
accept rate: 0%


2 Answers:

0

but there are hundreds of packets being captured a second.
How do I narrow this down to find what I am looking for?

This sounds like searching the needle in the haystack. So I suggest to reduce the size of the haystack to solve your problem.

The best way would be: Trigger only one action at a time and monitor that with Wireshark. So you can 'easily' map an action to the content of a network frame. If you can't do that, this is going to become a looooong an tedious reverse engineering task.

Sorry, no easy way from my point of view, except for what I said: Only one action at a time!

Regards
Kurt

answered 22 Oct '15, 09:03

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

0

Most PLC's run a particular protocol, e.g. Modbus, DNP3.0, etc, and these protocols usually run over a single port that is often IANA assigned, although for operational reasons a different port is sometimes used. If the protocol runs over a non-standard port Wireshark won't be able to dissect it unless the protocol has a preference setting for a different port, or supports heuristic detection or you use "Decode As" to specify the correct protocol for the actual port in use.

Are your firewall requirements to simply restrict the traffic to a particular port\ip address, in which case simple inspection of the traffic (and\or knowledge of the protocol being used) should be sufficient, or are you attempting to actually restrict the protocol data elements in use? The latter will be very difficult to do without knowledge of the actual protocol and PLC configuration as not all data elements may be read or written at any particular time and thus appear in the capture. Think about alarm values, or outputs to set process points. Note that some PLC protocols use a "report by exception" mode where data isn't actually "read" (possibly the full data is only read at SCADA master start-up), only changes in the data are reported by the PLC. Some protocols poll for a "block" of data at regular intervals, regardless of what has changed in the PLC.

The configuration in CitectSCADA will be able to tell you which I/O driver (aka protocol) is being used and also the data elements in the PLC that are configured. The PLC configuration will definitely tell you what data elements are in use. What is the make and model of the PLC and what is the protocol in use?

answered 22 Oct '15, 12:23

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%