crustyneon

Everything posted by crustyneon

  1. How to scan Ethernet/IP network?

    Scenario: You show up on site and the only knowns are Omron PLC and EtherNet/IP network. You have a laptop loaded with CX-One, an Ethernet cable, and the Ethernet port that is connected to a known EtherNet/IP Omron network (you cannot see the PLC). I have previously worked with Siemens systems and used Primary Setup Tool and Proneta with wonderful results. Do similar tools exist for an Omron environment? Question: How to (relatively quickly) scan an EtherNet/IP network for connected devices without knowing their IP addresses?
  2. How to scan Ethernet/IP network?

    HMI tends to be Keyence or Weintek but nothing is guaranteed. The networks on these systems tend to be pretty small so I came up with a solution that I should have thought of before posting the question. Solution: Use Wireshark to look through exchanged packets on the network and look for ARP Announcements. In the attached photos you can see the packet for the HMI shows the Source as Keyence, and the info contains the IP address. Likewise, the packet for the PLC shows the Source as Omron, and the info contains the IP address. As you can see, the IP address of the laptop is in a different subnet. In conclusion, if you don't know who is there, listen to what they are saying.
  3. How to scan Ethernet/IP network?

    In this specific case it was a CJ2 EIP CPU, and this is exactly what I did. Power cycled to see the IP address, changed my laptop IP address to be within the subnet of the PLC, found the PLC, and pinged suspicious IP addresses until I found the HMI. In my opinion this is not a very streamlined/efficient way to map the network and has a major issue: you can't find the PLC address in a live production environment because you can't power cycle. My question is how do you figure out the IP address of the PLC/HMI when nothing other than communication protocol and brand of PLC is given (other than pinging every possible address using a program like Angry IP Scanner)?
  4. How to scan Ethernet/IP network?

    This requires the laptop's IP address to be within the subnet of the PLC, right? This works in a scenario where you at least know that subnet. My question is how do you figure out this information when nothing other than communication protocol and brand of PLC is given.
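
The passive approach from the second post (listening for ARP Announcements rather than probing addresses) can be scripted for asset inventory. The sketch below is an added example, not code from the thread: it parses raw Ethernet frames, keeps the sender MAC and IP of every overheard ARP packet, and marks which hosts announced themselves (sender IP equal to target IP). The frames, MAC addresses and IP addresses are constructed sample data, and how frames are captured from the wire is outside the example.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_VLAN = 0x0806, 0x8100
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)

def parse_arp(frame: bytes):
    """Return ARP sender fields from a raw Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    if ethertype == ETH_VLAN and len(frame) >= 18:  # skip a single 802.1Q tag
        ethertype, off = struct.unpack_from("!H", frame, 16)[0], 18
    if ethertype != ETH_ARP or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack_from(ARP_FMT, frame, off)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "mac": sha.hex(":"), "ip": IPv4Address(spa), "target": IPv4Address(tpa)}

def inventory(frames):
    """Map sender IP -> MAC, OUI prefix and whether the host sent an ARP Announcement."""
    hosts = {}
    for frame in frames:
        arp = parse_arp(frame)
        # An ARP probe has sender IP 0.0.0.0, so it does not yet identify an address in use.
        if arp is None or arp["ip"] == IPv4Address("0.0.0.0"):
            continue
        entry = hosts.setdefault(str(arp["ip"]),
                                 {"mac": arp["mac"], "oui": arp["mac"][:8], "announced": False})
        if arp["oper"] == 1 and arp["ip"] == arp["target"]:
            entry["announced"] = True
    return hosts

def _frame(src_mac, oper, spa, tpa, vlan=None):
    """Build a constructed broadcast ARP frame for the sample data below."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, sha,
                      IPv4Address(spa).packed, b"\0" * 6, IPv4Address(tpa).packed)
    return b"\xff" * 6 + sha + tag + struct.pack("!H", ETH_ARP) + arp

# Constructed sample capture: locally administered MACs, made-up addresses.
SAMPLE = [
    _frame("02:00:00:aa:00:01", 1, "10.20.30.1", "10.20.30.1"),          # announcement
    _frame("02:00:00:bb:00:02", 1, "10.20.30.5", "10.20.30.1", vlan=10),  # ordinary request, VLAN-tagged
    _frame("02:00:00:cc:00:03", 1, "0.0.0.0", "10.20.30.9"),             # probe, ignored
    b"\x00" * 20,                                                         # non-ARP frame, ignored
]

if __name__ == "__main__":
    for ip, info in inventory(SAMPLE).items():
        print(ip, info["mac"], info["oui"], "announced" if info["announced"] else "seen")
```

The `oui` field is the first three bytes of the MAC, which is what a vendor lookup (the "Source as Keyence" / "Source as Omron" labels Wireshark shows) is keyed on.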