zbyszek54

Wireshark capture of PC <-> Omron NJ via CIP protocol

Hello Everyone,

I am studying the overview of the CIP Message Communications in Omron's "NJ/NX-series CPU Unit Built-in EtherNet/IP Port User's Manual", but not all of it is clear to me.

Could anyone support me with a Wireshark capture of a PC <-> Omron NJ CIP communication session? I'd like to see, in the 'real' world, the CIP packets used to read/write Omron NJ global variables.

 

Thanks in advance

Zbyszek


 


I've done this before with Wireshark also, and managed to get it done, but I wouldn't encourage you to do it. CIP is not as simple as your common TCP/IP. Putting only IP Address and Port Number won't help because we need to get a SessionID each time a connection is opened, which is always different every time you open a connection.

Regardless, if you have a company e-mail domain, I'll suggest you look for Molex's EIPTools PC software (free software). It's the tool that really helped me to get things done. There you can start with a simple GetAttributeSingle service to get the Identity of NJ or other EtherNet/IP device.


Innoaloe, I have some experience with CIP, because I've written the driver for Rockwell's Logix 5000 (based on Explicit Messaging to access symbolically addressed variables).

Currently I am trying to estimate the costs involved with a driver for Omron NJ via EtherNet/IP. The approach applied by Omron to access variables (described in "NJ/NX-series CPU Unit Built-in EtherNet/IP port - User's Manual", chapter 8-3) seems to be very similar to the method applied in Logix 5000, but as usual, some details are not clear to me.

Unfortunately I have no access to the Omron NJ now, so I can't follow your suggestion and use Molex's EIPTools. For this reason a Wireshark capture would be very helpful - if you could send me one, I'd be very grateful.

 


Give me a day to prepare. I'll make a single numeric variable Read/Write capture example using UCMM.


Here you go : NJ_CaptureCIP.pcapng

In this example, I access a variable named "TVAR" of type INT, with an initial value of 1000.

At the Read Service Request (Svc Code 4C) you should see it returns ACK Service Code CC and the return value Variable type INT (C3) and Value of 1000 in Little Endian format (E803).

At the Write Service (Svc Code 4D) you should see it returns ACK Service Code CD. I'm sending to the Variable type INT (C3) a Value of 255 in Little Endian format (FF00).

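Added example, not part of the original thread and not bytes copied from the capture file: a Python sketch of the CIP-layer read/write exchange described in the post above, useful when checking decoded captures for variable writes. It assumes the Logix-style framing (0x91 symbolic path segment, 4-byte reply header) that the thread says looks identical on the NJ; the function names are hypothetical, and the EtherNet/IP encapsulation and session layers are left out.

```python
import struct

READ_TAG, WRITE_TAG = 0x4C, 0x4D     # service codes quoted in the post
REPLY_FLAG = 0x80                    # 0x4C -> 0xCC, 0x4D -> 0xCD
CIP_INT = 0xC3                       # INT data type code quoted in the post


def symbol_path(tag: str) -> bytes:
    """Symbolic segment (assumed framing): 0x91, length, name, pad to even."""
    raw = tag.encode("ascii")
    return bytes([0x91, len(raw)]) + raw + (b"\x00" if len(raw) % 2 else b"")


def build_read(tag: str, elements: int = 1) -> bytes:
    path = symbol_path(tag)
    return bytes([READ_TAG, len(path) // 2]) + path + struct.pack("<H", elements)


def build_write_int(tag: str, value: int) -> bytes:
    path = symbol_path(tag)
    body = struct.pack("<HHh", CIP_INT, 1, value)   # type, element count, value
    return bytes([WRITE_TAG, len(path) // 2]) + path + body


def parse_reply(data: bytes, expected_service: int) -> dict:
    """Decode a reply; raise on truncation or a service code mismatch."""
    if len(data) < 4:
        raise ValueError("reply shorter than the 4-byte header")
    service, _reserved, status, ext_words = data[:4]
    if service != (expected_service | REPLY_FLAG):
        raise ValueError(f"unexpected reply service 0x{service:02X}")
    body = data[4 + 2 * ext_words:]                 # skip extended status words
    result = {"service": service, "status": status, "value": None}
    if status == 0 and expected_service == READ_TAG:
        if len(body) < 4:
            raise ValueError("read reply carries no type/value")
        type_code, value = struct.unpack_from("<Hh", body)
        if type_code != CIP_INT:
            raise ValueError(f"unhandled data type 0x{type_code:04X}")
        result["value"] = value
    return result


# Constructed sample replies built from the values given in the post.
READ_REPLY = bytes.fromhex("CC000000C300E803")    # INT, 1000 little endian
WRITE_REPLY = bytes.fromhex("CD000000")           # write acknowledged
```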

Thanks a lot Innoaloe,

The format of CIP Class Generic/Command Specific Data seems to be identical in Logix5000 and Omron NJ (at least in your capture).

BTW :

1.  Logix5000 provides service with Svc Code 55H which returns the list of variables in the PLC. Does Omron NJ provide similar service ?

2. is it possible (and reasonable) to increase the data throughput between HMI and Omron NJ using several concurrent connections  (to overcome the limited CIP packet length) ? 

 


You're very welcome. Regarding your questions:

1.  Logix5000 provides service with Svc Code 55H which returns the list of variables in the PLC. Does Omron NJ provide similar service ?

Unfortunately No :D

2. is it possible (and reasonable) to increase the data throughput between HMI and Omron NJ using several concurrent connections  (to overcome the limited CIP packet length) ? 

In the example I provided, after Reading or Writing I am closing the TCP Socket, thus also closing the ENIP Session. You can thus improve the throughput by keeping the Socket open if you need to continuously read/write data, avoiding the need to re-Register the Session.
Keep in mind though that every few seconds you need to keep sending a packet to the NJ even though a Read/Write of a variable is not required, or else after a certain timeout the NJ will think that the socket is inactive, closing the Session automatically.
I would avoid having multiple TCPClients connecting to the NJ (unless you're connecting to 2 different PCs) since it will also reduce the overall throughput.


Does NJ close inactive socket when Forward_open (CIP CM) is used ? Is this 'inactivity timeout' configured or fixed ?

 

Just now, zbyszek54 said:

Does NJ close inactive socket when Forward_open (CIP CM) is used ? Is this 'inactivity timeout' configured or fixed ?

 

For Forward_Open, it will close the socket if certain inactivity has been achieved. I cannot find the exact value in the manual but it seems to be fixed around 2 minutes or so (I think it's the same with default TCP Linger / KeepAlive standard)

For NJ, aside from UCMM / Forward_Open, you can also do Read/Write through a Class3 Connection, which enables keeping the socket alive unless you close it.
For me, I always avoid using Class3 though, since defining the Route Path can sometimes be a bit tricky.


I'll keep in mind all your suggestions.

Thanks a lot once again, Innoaloe


You're very welcome


You are awesome, innoaloe!  :clap:



More like having too much free time, good Sir  :shifty:

Lucky for me Omron got plenty of toys to play with... hahah...

Edited by innoaloe


Omron always kept me in toys.  That's what they were...toys!  :-2

22 hours ago, Jay Anthony said:

Omron always kept me in toys.  That's what they were...toys!  :-2

Powerful toys!

On 8/2/2017 at 5:09 PM, zbyszek54 said:

BTW :

1.  Logix5000 provides service with Svc Code 55H which returns the list of variables in the PLC. Does Omron NJ provide similar service ?

 

I was wrong when I said this is not possible in Omron NJ. I forgot that a certain Omron software is able to return the list of available Tags / Published Variables in the NJ.
So I looked into it and found out that the service indeed exists. It's just not stated in the manual.
