
I have a PLC where I capture data with the tcpdump command. Now the issue I have is that when I read the hex value of the saved data it shows it in this format:

    0x0000: 0009 0f09 0021 a874 1d8d d6e7 0800 4548
    0x0010: 00b8 d35f 4000 4006 b7f8 ac1b 0034 0101
    0x0020: 0150 0016 5e72 eeee fdb5 4ed2 a424 5018
    0x0030: 01f5 af4a 0000 7c1a 461d 6d6a 3ad3 7dd6
    0x0040: ff5b 798d a40e 8f20 3c9d 0d2f 5545 5a9c
    0x0050: 2a86 b416 6287 a816 001f c61d 3c9a 4d2c
    0x0060: 960a 7253 6c3c fcda 8541 2494 4adb ee2a
    0x0070: 240f 87ea 029a 9710 48e3 1c5b 36f6 3393
    0x0080: dd4d f028 920b 9ae2 41aa eddb 416e 1abd
    0x0090: 7258 3bf7 2e29 0ee9 9205 d6de ff03 961c
    0x00a0: 24e7 b0d1 7a44 5bfc 47c6 8191 4132 b0e1
    0x00b0: d0a8 916c 97f4 f549 0e67 42f5 0b9b 5028
    0x00c0: 1245 961e b9a1

First I wanted to capture a WriteRequest by matching the hex dump codes with each other, but that seemed to be really challenging. Does anyone know a way to capture only WriteRequest/WriteResponse messages in any way with tcpdump? I seem to be kinda stuck with this.

I am currently writing my code in a bash script, but I just need the tcpdump command, or if someone has any other idea, hit me up! I can't use tshark or Wireshark sadly, since the PLC doesn't have a package manager.

For the people who want to know why I need this: I need to record the traffic when someone sends a command to my PLC and whether my PLC actually responds to it. Then I can see from what IP address it came and at what time the command got activated.

  • Uhm. Why not use a library that actually speaks OPC UA? It sounds like an X-Y problem to me...
    – vidarlo
    Nov 16 at 15:32
  • @vidarlo The PLC doesn't have a package manager and also has a very limited amount of space. That is the reason I also want to filter specific data instead of the whole data stream. I can install some libraries, but when one library links to another library as a dependency I will surely get a lot of problems...
    – BrenDs
    Nov 22 at 14:27

1 Answer


Transfer the data to a host that has software to parse and interpret the protocol.

When doing packet capture, use tcpdump -w and transfer the file. Wireshark or similar might be able to dissect it, for interactive analysis or proof of concept. Develop the dissector yourself if it does not exist.

Or find some software that knows this protocol and adapt it for your use case. I don't know this protocol at all, but logging and auditing are common requirements. It might be a project to find or write such an application, but surely software for the purpose would be easier than parsing hex dumps in shell.

  • That is an amazing suggestion, but the issue is that the project is limited to only a PLC. I have been able to filter out the request with Wireshark, so that is not really the problem. I am trying to do it with tcpdump only, and that was my question as well. Using other software and machinery is not in my option list right now. I do still appreciate your answer and will consider this as well when I absolutely cannot do it with tcpdump.
    – BrenDs
    Nov 22 at 14:18
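The question asks for a tcpdump-only filter and the answer recommends tcpdump -w plus offline dissection; the script below, added here as an example and not code from the question or the answer, does both. It assumes, as vidarlo's comment does but the page never confirms, that the PLC speaks the OPC UA binary protocol on the IANA port 4840 (OPCUA_PORT is a placeholder to adjust). It relies on the OPC UA message layout: a MSG chunk starts with the ASCII bytes "MSG", an IsFinal byte ("F" for a single-chunk message), a 4-byte size, the SecureChannelId, the TokenId and the sequence header, so the service TypeId sits at payload offset 24 and is encoded as the four-byte numeric NodeId 0x01 0x00 followed by the identifier as a little-endian 16-bit value; WriteRequest_Encoding_DefaultBinary is i=673 and WriteResponse_Encoding_DefaultBinary is i=676. BPF can address the TCP payload relative to the data-offset field, which is what the tcp[((tcp[12]&0xf0)>>2)+24:4] expression does. Two caveats a practitioner will want: the body is only readable with SecurityMode None or Sign (with SignAndEncrypt the bytes after the TokenId are ciphertext and no byte filter can work), and a request split over several chunks or starting mid-segment is missed. One more check: decoding the dump in the question, the TCP header at offset 0x22 carries source port 0x0016 (22), so that sample is a segment of an SSH session rather than a PLC protocol message; the port filter below excludes that traffic. The sample tcpdump lines are constructed for the example.

```shell
#!/bin/sh
# Added example: log OPC UA WriteRequest/WriteResponse with tcpdump only.
# Assumptions (not confirmed by the page): OPC UA binary on port 4840,
# SecurityMode None or Sign, one chunk per request that starts at the
# beginning of the TCP segment. OPCUA_PORT is a placeholder.
OPCUA_PORT=4840

# BPF offset of the first TCP payload byte (data offset * 4).
TCP_DATA='((tcp[12]&0xf0)>>2)'

# TypeId of the service message lives at payload offset 24 as
# 0x01 0x00 <id low byte> <id high byte>; build the 4-byte match constant.
opcua_typeid_filter() {
    id=$1
    printf 'tcp[%s+24:4] = 0x0100%02x%02x' "$TCP_DATA" $((id & 0xff)) $((id >> 8))
}

# Final MSG chunks ("MSGF" = 0x4d534746) whose TypeId is i=673 or i=676.
opcua_write_filter() {
    printf 'tcp port %s and tcp[%s:4] = 0x4d534746 and (%s or %s)' \
        "$OPCUA_PORT" "$TCP_DATA" \
        "$(opcua_typeid_filter 673)" "$(opcua_typeid_filter 676)"
}

# Constructed sample of a `tcpdump -nn -tttt` line (not from the page).
SAMPLE_LINE='2023-11-16 15:32:01.123456 IP 172.27.0.52.51234 > 172.27.0.10.4840: Flags [P.], seq 1:90, ack 1, win 502, length 89'

# Turn one tcpdump line into: kind <TAB> timestamp <TAB> src <TAB> dst.
# A matching packet sent to the server port is the request, one coming
# back from it is the response.
parse_tcpdump_line() {
    printf '%s\n' "$1" | awk -v port="$OPCUA_PORT" '{
        sub(/:$/, "", $6)
        kind = ($6 ~ ("\\." port "$")) ? "WriteRequest" : "WriteResponse"
        printf "%s\t%s %s\t%s\t%s\n", kind, $1, $2, $4, $6
    }'
}

# Live logging: -l line-buffers so each match is handed to awk at once;
# -s 128 keeps enough bytes for headers plus the 28 payload bytes checked.
log_writes() {
    tcpdump -i "${1:-any}" -nn -tttt -l -s 128 "$(opcua_write_filter)" \
    | while IFS= read -r line; do
        parse_tcpdump_line "$line"
    done
}

# Offline variant from the answer: save only matching packets to a pcap,
# rotating at 1 MB across 5 files to respect the PLC's limited space,
# then copy the file to a host with Wireshark.
capture_writes() {
    tcpdump -i "${1:-any}" -s 128 -C 1 -W 5 -w "${2:-opcua_writes.pcap}" "$(opcua_write_filter)"
}

# Usage:  sh opcua_writes.sh run eth0     (or: sh opcua_writes.sh save eth0 out.pcap)
case "${1:-}" in
    run)  log_writes "${2:-any}" ;;
    save) capture_writes "${2:-any}" "${3:-opcua_writes.pcap}" ;;
esac
```

The generated filter is plain tcpdump syntax, so `tcpdump -d "$(opcua_write_filter)"` shows the compiled BPF program and confirms the expression parses on the PLC's tcpdump build before anything is run for real.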
