This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Could Wireshark be used to control an isolated system by hooking it up to a router, sniffing packets and playing them back with traffic generators?


I have a really old system (EH-CPU104A, Processor, 2xRS232, SRAM, 4K Flash, 8 I/O Slots) that controls machinery, and the interface is a minitouch display (Mini Touch Monochrome 0680028-0). Both are interconnected by a cable that has an RJ45 at the end connected to the CPU and an RS232 at the touch screen interface side.

My problem is that I have been told that the system is not capable of connecting to the internet, so I am stuck managing it manually by finger touch, and the alternative is to buy new technology that is really expensive. This is when I thought that maybe Wireshark could make the system gain access to the internet: by somehow connecting that RJ45 to a middle router and recording the traffic between the two devices in promiscuous mode, I could make a table or key-mapping of what the input interface produces, also recording the CPU output, and then somehow replicate that with the traffic replicators (https://wiki.wireshark.org/Tools). Then I would only have to set up a computer as a server connected to that new network created with the router, and theoretically I could now manage the system from the internet by just accessing my server remotely and start sending and receiving packets with Wireshark.

I don't know anything about Wireshark except what it says it does, and that is why I think Wireshark is a new hope to connect the system to the internet. I am just starting, and before diving into it and going through the whole process of learning Wireshark from the beginning I would like to make sure that what I am trying to achieve is possible, so I don't waste people's time; that is why I am here asking the experts whether my idea is possible.

Thank you for taking the time to read it.

Regards.

asked 17 Jun '17, 02:26

verzulsan

edited 27 Jun '17, 21:31

cmaynard ♦♦


2 Answers:


From reading your description of the situation, the following question pops into my mind:

  • You describe a cable with an RJ45 plug and an RS232C plug at the other end. These connect the PLC to the minitouch panel. To me that screams: serial link (e.g. YOST or something similar), so not a network link. Am I correct?

If so, Wireshark won't really help here, since it's no good at monitoring serial links. Still, it should be possible to hook the minitouch panel up to a terminal and see what stimulus it generates. After that I could imagine something like this being emulated on an Arduino or the like by a smart hacker.

answered 17 Jun '17, 03:13

Jaap ♦

edited 18 Jun '17, 02:11

Hello Jaap, thanks for answering.

I cannot tell if you are correct or not because I really don't know anything about this machine or the inputs it generates, only what I described: it has one end with an RJ45, which made me assume that it would generate traffic that Wireshark could scan, so I could figure out later what to do with it.

Any tip about what I should do to find out?

(17 Jun '17, 13:02) verzulsan

RJ-45 is used for many applications, not only for Ethernet, and RS232 is quite different from Ethernet in electrical terms.

To tell what kind of signal is transported over the cable, I'd first look at the cable itself - e.g. if it is a flat one, you may be sure it is not an Ethernet one. To investigate any further, you'd need to make your own cable anyway, so the next step should be to find out its "pinout" in order to be able to replicate it. And using the replicated cable, on which you can connect measurement devices to individual wires, you'll need to use an oscilloscope to identify the levels, speeds etc. of the signals to be able to reverse-engineer deeper.

Overall your idea seems to be plausible, as @Jaap suggests. If the connection is RS-232 (or RS-422, or some other serial communication), the decision to take would be whether to use a "serial over IP" approach, allowing you to connect the original minitouch to the machine itself using a pair of serial over IP adaptor boxes, or whether to use a PC application to emulate the minitouch. The PC may be co-located and use a direct RS-232 connection, or it may be your notebook using a "remote serial port" over IP (i.e. you'd use a single serial over IP box instead of two).

(17 Jun '17, 13:05) sindy

Better drop the images at http://imgur.com and post links to them there.

(18 Jun '17, 01:59) Jaap ♦

Placing my comment here as your "answer" will be converted into a comment sooner or later.

As you have a manual for the minitouch panel which clearly says the panel's interface is a serial (RS-232/RS-422) one, forget about the oscilloscope etc., as the direction is clear: if you want to "insert internet" between the machine and the minitouch, serial over IP is your only option.

Now

  • if it is enough for you to carry around the minitouch, it is not a Wireshark question any more, and it becomes a VPN question instead (how to provide access to the production machine over internet yet only for yourself and not for every wanna-be-hacker kiddie around the net).

  • if you would like to replace the minitouch, you can use Wireshark to capture the telnet session between the two Serial over IP boxes and find out how the minitouch communicates with the machine so that you could emulate the behaviour of the minitouch using a PC application (which I'm afraid doesn't exist and you'd have to write one yourself or ask someone to write it for you). And then it becomes a VPN question again.

(18 Jun '17, 02:10) sindy

So, looking at this data, definitely RS-232 serial link.

(18 Jun '17, 02:14) Jaap ♦

Thanks for the warning, all pictures are uploaded now to: http://imgur.com

So now we know it's an RS-232 DB25 PIN MALE, should I just forget about Wireshark? What would be the best option of all we have so far?

(18 Jun '17, 11:40) verzulsan

So now we know it's RS-232, should I just forget about Wireshark?

See my comment to Jaap's answer. You may use Wireshark but only if you want to replace the minitouch by something else, and you need ready-made serial over IP adaptors or serial over IP software on general-purpose PCs to "translate" the serial communication into something that Wireshark can analyse - namely, a telnet session between the two serial over IP ends. To directly analyse the serial (RS-232, RS-422) communication, you'd need other software than Wireshark.

In any case, getting back to your initial idea, replacing the minitouch by a packet replay software only makes sense if no feedback from the PLC to the minitouch is expected so you can afford to just send pre-recorded commands without checking for previous ones' results.

(18 Jun '17, 11:51) sindy

So now we know it's an RS-232 DB25 PIN MALE, should I just forget about Wireshark?

Yes.

What would be the best option of all we have so far?

What, exactly, are you trying to do? You mention 'connect to internet', which you almost certainly don't want to do, at least not directly - unless you want someone else to be controlling your process for you! The security implications should frighten you.

If we know more about what you need to accomplish, we might have more ideas. I see this PLC has a second RS232 port, so that gives options for connecting to maybe a SCADA system which might provide the added functionality you need, or even a serial-to-Ethernet type adapter (say from Black Box, or many other vendors). A block diagram I saw says serial does ModbusRTU, and that is very widely supported in the controls community.

A brief look at that platform and there is an Ethernet module, EH-ETH, that could be plugged into the backplane for Ethernet connectivity. The only docs I found for this module seem to indicate it is a custom Ethernet protocol which is unfortunate. A standard protocol would be much easier to integrate upstream.

The key, though, is the requirements. Do you need to capture data and send it to a back-end database? Control this process from a central control room? Check on the operational status from another country?

Since this is really an automation/controls question, you might have better luck over at http://www.plcs.net.

(18 Jun '17, 12:00) Bob Jones

Thanks a lot Bob Jones for joining, I appreciate your help. Thank you too sindy, your answer was hidden so I just saw it.

> What, exactly, are you trying to do?

My final goal is to store the information in a database. In picture 6 you can see one of the two screens that provide information; the navigation between the two screens is by pressing those arrows in the bottom corners and then selecting one of the two available screens. I don't have the picture of the other screen (let's call it screen 2) but it has 4 outputs. In screen 1 (picture 6) there are only two outputs, "ASPIRADOR 1" and "ASPIRADOR 2". The screen shows only the totals but does not log the moment when the counter goes up; you can see the number increase if you are looking at the screen, but there are no logs with an attached time, so....

what I need every time any counter goes up, is to annotate the actual time with the actual amount in each counter and to store it into a data base.

I don't need to control the machine itself, only to retrieve its data. Well.... maybe I need to send signals to change between screens 1 and 2, but I don't know if it's really necessary to go back and forth between the two screens, because maybe all this counter data travels in the same array of data, and in that case I would not need to send any kind of input but only to intercept the bytes that tell me the 6 numbers I need coming from the 6 counters. The program that writes to the database would only need to know when that array of data has changed, to add a new record with the actual time of comparison. I don't know if it's going to be that easy.

I see the problem you both mention about security, and I see my vague explanations about "connecting to internet". I really don't care how many intermediate workarounds it takes until I get to have that data accessible from my home computer. Before I found this forum I was considering crazy stuff: my plan B was to point an IP camera at the screen, with some automated finger pushing the screen to change between 1 and 2 continuously, and on the other client side, where the output of the camera would be, an image-to-text program like the ABBYY screen reader to read the numbers and a macro program to paste them into a local database.... but after reading your answers I see I was going completely in the wrong direction, so could you please tell me what the best option is based only on the requirement of retrieving 6 counter numbers (two counters in screen 1 and four counters in screen 2)?

(18 Jun '17, 20:51) verzulsan

What is your background and budget? If you understand the PLC protocols and you can invest into the Ethernet module, I'd definitely take the way recommended by @Bob Jones.

If your budget is tight but you have plenty of spare time to spend on it and have some programming skills, then you may continue this home-made way. I'm not a master of PLC sports myself, but one thing you surely must not do is to attempt to send commands from the minitouch and your DIY setup in parallel over the same port on the PLC, as this would be a fast track to hell. So to reverse engineer the communication between the minitouch and the PLC itself, your best bet is to insert two serial over IP adaptors talking TCP (telnet) to each other via a traffic mirroring switch (Mikrotik RB260GS or Netgear GS105Ev2 are low-cost candidates which can deal with the task), and connect your PC to a monitoring port and use Wireshark to see what they talk about. If you can spot the values you are interested in to be sent periodically (which I seriously doubt), you have almost won as it is enough to create an application running on a PC which will connect over packet network to one of the serial over IPs whose receiving input will be connected in parallel to the receiving direction of the minitouch and whose transmitting output will not be connected anywhere. This way, you would wiretap the ongoing transmission and update the value on your web page visualizing it.

If, however, the PLC only provides the values if asked to do so by a keypress on the minitouch, I would recommend to try to connect the minitouch to the other serial port of the PLC first, and if it works there, to try to connect two simultaneously, each one to one of the ports, and use one to ask for the values while using the other for something else. If the PLC can deal with this, you have almost won too because the difference as compared to the previous possibility is that you'll need to send the "show me this variable" requests.

Or exclude the serial over IP stuff and use a PC with two serial ports (USB to 232 adaptors should be enough) to record the RS232 traffic, using only receiving inputs of these ports, one connected in parallel to each direction, but in such case it is not a Wireshark question any more ;-)

(19 Jun '17, 09:44) sindy
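The receive-only tap sindy describes yields one raw byte stream per direction, and verzulsan only needs to know when the counter array changes. As an added example (not code from the thread, the PLC vendor or any library), assuming the PLC side speaks Modbus RTU as Bob Jones mentions and that frames are already split by inter-frame gaps, this Python validates each frame's CRC, decodes a Read Holding Registers response and records a timestamped row only when the values change; the register layout and the sample bytes are constructed.

```python
"""Passive Modbus RTU tap: validate frames, log only counter changes.

Added example, not from the thread. Assumes the PLC->HMI direction carries
Modbus RTU with frames already split by inter-frame gaps. Register layout
and sample bytes are constructed, not taken from the real PLC.
"""
from datetime import datetime, timezone


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected poly 0xA001, sent low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def frame_ok(frame: bytes) -> bool:
    """True when the trailing two CRC bytes match the rest of the frame."""
    if len(frame) < 4:
        return False
    expect = crc16_modbus(frame[:-2])
    return frame[-2] == (expect & 0xFF) and frame[-1] == (expect >> 8)


def build_frame(payload: bytes) -> bytes:
    """Append a correct CRC; used only to construct sample traffic."""
    c = crc16_modbus(payload)
    return payload + bytes([c & 0xFF, c >> 8])


def parse_read_registers_response(frame: bytes):
    """Decode a function 03 (Read Holding Registers) response into 16-bit
    register values; None for bad CRC, other functions or short frames."""
    if not frame_ok(frame) or frame[1] != 0x03:
        return None
    count = frame[2]
    regs = frame[3:3 + count]
    if len(regs) != count or count % 2:
        return None
    return [int.from_bytes(regs[i:i + 2], "big") for i in range(0, count, 2)]


class CounterLogger:
    """Keep (timestamp, values) rows only when the register array changes."""

    def __init__(self):
        self.last = None
        self.rows = []

    def observe(self, frame: bytes, now=None) -> bool:
        values = parse_read_registers_response(frame)
        if values is None or values == self.last:
            return False  # corrupt, irrelevant or unchanged: no new row
        self.last = values
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.rows.append((stamp, values))
        return True
```

Feed `CounterLogger.observe()` with each frame taken from the PLC-side receive line; `rows` is what would go into the database.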

Thank you

I have read all of your posts many times, especially the last two by sindy and Bob Jones, and it was a difficult decision because I was enjoying the idea of getting it all done with Wireshark. But even though I was enjoying learning Wireshark, looking into serial over IP, boxes, Ethernet connectivity, etc., it all looks to me way more complicated, expensive and time-consuming than the PC with two serial ports to record the RS232 traffic. As you both said, that is not a Wireshark question, so I'll try that option to see where and how it ends. I'll also try the suggested page http://www.plcs.net.

Thanks a million for all the help, really! You have all saved me a lot of time and effort. I have tried to thumbs up all of you but I don't have enough points yet, so as soon as I have them I'll come back and give them to you (I don't know how to thank you); this is much more information than I was expecting to get. I know I said it many times but, thanks!!

(19 Jun '17, 20:15) verzulsan

Well, you may use Wireshark even on a PC with two serial ports. If you run Linux on it, you can configure the ser2net daemon for two serial ports, connect a telnet session to each of them over the loopback interface, and capture the TCP traffic on the loopback interface using Wireshark (or capture it there to a file using tcpdump and analyse the file using Wireshark on another machine). Each of the ports would listen to one direction.

I wrote about a back-to-back connection originally, but apparently the daemon doesn't provide a TCP client mode out of the box, so you'd have to code one to be able to set up a back-to-back connection.

(19 Jun '17, 21:37) sindy

Hi, I casually saw your post because I didn't get a mail notification this time and only came by to print out some answers. Weird, because I had been receiving notifications until the 18th, anyways...

This last one looks really interesting. I am going to keep trying first with a PC with two serial ports, and if that fails I have all your answers printed out to try more options.

Thank you very much :)

(23 Jun '17, 18:33) verzulsan


Sorry for the long post, I just wanted to answer Jaap and sindy as accurately as I could.

-

Jaap, I have researched as much information about the cable as I could. I hope it is enough to find out whether it's YOST or something similar, or whether it is not a network link. I have also taken 6 pictures (bottom of the post).

I may have mistaken the name of the cable and it could be DB25 PIN MALE; I was hoping someone could confirm its real name. Pictures 1, 2 and 3 (bottom of the post) show the connector (in the PILZ handling guide, https://www.artisantg.com/info/ATGfagri.pdf, under the section "serial interface", it says its port is for RS-232C, RS-422).

On the cable, PICTURES 3, 4 and 5, there is a text I could not copy completely, but its visible part says "...AKA DC7 UTP CATEGORY 2 CABLE P/N 50004 ETL VERIFIED TO TIA/EIA 5684 AND..."

Pictures 4 and 5 show what I think is an RJ-45 in the CPU module (EH-CPU104A), which is the lowest-quality module of the five listed in the EH-150 series (http://www.hitachi-ies.co.jp/english/products/plc/eh_150/product_range.htm); additional information about EH-150 features: http://www.hitachi-ies.co.jp/english/products/plc/eh_150/feature.htm

There was a text that appeared in the bottom-left corner (picture 6) right after I disconnected the 25 PIN MALE from the PILZ MINITOUCH that said "plc not connected 02 ff", and googling it brought me to this other page (https://www.hmisource.com/otasuke/qa/gp/new_customer_en/easycomsetup.htm) that looks like it could give some hints to someone with knowledge about what kind of signal is transported over the cable. I hope any of this answers the question about the cable type.

-

sindy, thank you for the roads suggested. I could have an oscilloscope probably in no less than a week, but I understand from your explanations that this would only be necessary depending on the type of cable, so I will wait a few days to buy one, just in case the new information I just gave helps to find out the cable type.

For the second option I have searched for "serial over IP" (https://en.wikipedia.org/wiki/Serial_over_LAN) and I think I understand it, and I find it a really interesting solution, but I guess this also depends on the type of cable... Or maybe it could be done no matter the cable type?

"PC application to emulate the minitouch" would be a great idea; I didn't think that could exist. I haven't found anything about it yet, but it is a really interesting idea that I want to google more.

I got a little lost with the explanation of using a pair of serial over IP adaptor boxes and the example of using a single serial over IP box instead of two.

-

Thanks a lot again Jaap and sindy for all your help,

-

-

PICTURE 1 [image]

PICTURE 2 [image]

PICTURE 3 [image]

PICTURE 4 [image]

PICTURE 5 [image]

PICTURE 6 [image]

answered 18 Jun '17, 00:59

verzulsan

edited 18 Jun '17, 11:31