I have a PLC where I capture data through the TCPDUMP command. Now the issue that I have is that when I read the hex value of the saved data, it shows it through this format:
0x0000: 0009 0f09 0021 a874 1d8d d6e7 0800 4548
0x0010: 00b8 d35f 4000 4006 b7f8 ac1b 0034 0101
0x0020: 0150 0016 5e72 eeee fdb5 4ed2 a424 5018
0x0030: 01f5 af4a 0000 7c1a 461d 6d6a 3ad3 7dd6
0x0040: ff5b 798d a40e 8f20 3c9d 0d2f 5545 5a9c
0x0050: 2a86 b416 6287 a816 001f c61d 3c9a 4d2c
0x0060: 960a 7253 6c3c fcda 8541 2494 4adb ee2a
0x0070: 240f 87ea 029a 9710 48e3 1c5b 36f6 3393
0x0080: dd4d f028 920b 9ae2 41aa eddb 416e 1abd
0x0090: 7258 3bf7 2e29 0ee9 9205 d6de ff03 961c
0x00a0: 24e7 b0d1 7a44 5bfc 47c6 8191 4132 b0e1
0x00b0: d0a8 916c 97f4 f549 0e67 42f5 0b9b 5028
0x00c0: 1245 961e b9a1
First I wanted to capture a WriteRequest through matching the HEX dump codes with each other, but that seemed to be really challenging. Does anyone know a way to capture only WriteRequest/WriteResponse messages in any way with TCPDUMP? I seem to be kinda stuck with this.
I am currently making my code in a bash script but I just need the tcpdump command or if someone has any other idea, hit me up! I can't use tshark or wireshark sadly since the PLC doesn't have a package manager.
For the people that want to know why I use this, I need to record the traffic when someone sends a command to my PLC and if my PLC actually responds to it. Then I can see from what IP address it came and what time the command got activated.
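As an added example that is not part of the original post: a POSIX shell decoder for an offset-labelled tcpdump hex dump like the one above, which reports who sent the frame before any payload matching is attempted. It assumes Ethernet II framing with IPv4 and TCP; the function names are hypothetical, and the sample input is the first four rows of the dump in the post.

```sh
#!/bin/sh
# Sample input: the first four rows of the hex dump quoted in the post.
SAMPLE='0x0000: 0009 0f09 0021 a874 1d8d d6e7 0800 4548
0x0010: 00b8 d35f 4000 4006 b7f8 ac1b 0034 0101
0x0020: 0150 0016 5e72 eeee fdb5 4ed2 a424 5018
0x0030: 01f5 af4a 0000 7c1a 461d 6d6a 3ad3 7dd6'

# hex_at HEX OFFSET COUNT: hex digits of COUNT bytes starting at byte OFFSET.
hex_at() { printf '%s' "$1" | cut -c"$(( $2 * 2 + 1 ))-$(( ($2 + $3) * 2 ))"; }

# num_at HEX OFFSET COUNT: the same bytes as a big-endian decimal number.
num_at() { echo "$(( 0x$(hex_at "$1" "$2" "$3") ))"; }

# ip_at HEX OFFSET: four bytes rendered as a dotted-quad IPv4 address.
ip_at() {
  printf '%d.%d.%d.%d' "$(num_at "$1" "$2" 1)" "$(num_at "$1" $(( $2 + 1 )) 1)" \
    "$(num_at "$1" $(( $2 + 2 )) 1)" "$(num_at "$1" $(( $2 + 3 )) 1)"
}

# decode_dump: read a hex dump on stdin, print "src:port > dst:port payload=N".
# Works whether the rows are on separate lines or run together on one line.
decode_dump() {
  # Drop the "0xNNNN:" offset labels and all whitespace, leaving raw hex.
  hex=$(sed 's/0x[0-9a-fA-F]\{4\}://g' | tr -d ' \t\n')
  # Need at least Ethernet (14) + minimal IPv4 (20) + minimal TCP (20) bytes.
  [ "${#hex}" -ge 108 ] || { echo "dump too short"; return 1; }
  [ "$(hex_at "$hex" 12 2)" = "0800" ] || { echo "not IPv4"; return 1; }
  [ "$(num_at "$hex" 23 1)" -eq 6 ] || { echo "not TCP"; return 1; }
  ihl=$(( ($(num_at "$hex" 14 1) & 15) * 4 ))          # IPv4 header length
  tcp=$(( 14 + ihl ))                                   # TCP header offset
  total=$(num_at "$hex" 16 2)                           # IPv4 total length
  doff=$(( ($(num_at "$hex" $(( tcp + 12 )) 1) >> 4) * 4 ))  # TCP header length
  printf '%s:%d > %s:%d payload=%d\n' \
    "$(ip_at "$hex" 26)" "$(num_at "$hex" "$tcp" 2)" \
    "$(ip_at "$hex" 30)" "$(num_at "$hex" $(( tcp + 2 )) 2)" \
    "$(( total - ihl - doff ))"
}

printf '%s\n' "$SAMPLE" | decode_dump
# prints: 172.27.0.52:22 > 1.1.1.80:24178 payload=144
```

The frame in the post decodes to TCP source port 22, the port conventionally used by SSH, so its payload is not a readable PLC message. Restricting the capture to the PLC protocol's own port with a filter such as `tcpdump -nn -tttt 'tcp port <PLC_PORT>'` (placeholder port) keeps such frames out and records source address and timestamp per packet.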