zbyszek54

WireShark capture of PC <-> Omron NJ via CIP protocol


Hello Everyone,

I am studying the overview of the CIP Message Communications in Omron's "NJ/NX-series CPU Unit Built-in EtherNet/IP Port User's Manual", but not everything is clear to me.

Could anyone support me with a Wireshark capture of a PC <-> Omron NJ CIP communication session? I'd like to see in the 'real' world the CIP packets used to read/write Omron's NJ Global variables.

 

Thanks in advance

Zbyszek


 


I've done this before with Wireshark also, and managed to get it done, but I wouldn't encourage you to do it. CIP is not as simple as your common TCP/IP. Putting only IP Address and Port Number won't help because we need to get a SessionID each time a connection is opened, which is always different every time you open a connection.

Regardless, if you have a company e-mail domain, I'll suggest you look for Molex's EIPTools PC software (free software). It's the tool that really helped me to get things done. There you can start with a simple GetAttributeSingle service to get the Identity of NJ or other EtherNet/IP device.


Innoaloe,  I've some experience with CIP, because I've written the driver for Rockwell's Logix 5000 (based on Explicit Messaging to access symbolically addressed variables).

Currently I am trying to estimate the costs involved with the driver for Omron NJ via EtherNet/IP. The approach applied by Omron to access variables (described in "NJ/NX-series CPU Unit Built-in EtherNet/IP port - User's Manual", chapter 8-3) seems to be very similar to the method applied in Logix 5000, but as usual, some details are not clear to me.

Unfortunately I have no access to the Omron NJ now, so I can't follow your suggestion and use Molex's EIPTools. For this reason Wireshark capture would be very helpful - if you could send me any, I'd be very grateful. 

 


Give me a day to prepare. I'll make a single numeric variable Read/Write capture example using UCMM.


Here you go : NJ_CaptureCIP.pcapng

In this example, I access a variable named "TVAR" with type of INT, and initial value of 1000.

At the Read Service Request (Svc Code 4C) you should see it returns ACK Service Code CC and the return value Variable type INT (C3) and Value of 1000 in Little Endian format (E803).

At the Write Service (Svc Code 4D) you should see it returns ACK Service Code CD. I'm sending to the Variable type INT (C3) a Value of 255 in Little Endian format (FF00)

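The request and reply bytes described in the post above, decoded in Python as an added example that is not part of the original post or the shared capture. The sample byte strings are constructed from the values quoted in the post; the symbolic-path and reply-header layout is the common CIP Read/Write Tag layout and is assumed to match the NJ capture.

```python
import struct

SERVICES = {0x4C: "Read Tag", 0x4D: "Write Tag"}  # service codes quoted in the post
CIP_INT = 0xC3                                     # INT type code quoted in the post

def parse_symbol(path: bytes) -> str:
    """Decode one ANSI extended symbolic segment: 0x91, length, name, optional pad."""
    if len(path) < 2 or path[0] != 0x91 or len(path) < 2 + path[1]:
        raise ValueError("malformed symbolic segment")
    return path[2:2 + path[1]].decode("ascii")

def parse_request(msg: bytes) -> dict:
    """Decode a Read/Write Tag request: service, path size in words, path, data."""
    if len(msg) < 2 or msg[0] & 0x80:
        raise ValueError("not a request")
    path_end = 2 + 2 * msg[1]
    if len(msg) < path_end + 2:
        raise ValueError("truncated request")
    out = {"service": SERVICES.get(msg[0], hex(msg[0])),
           "tag": parse_symbol(msg[2:path_end])}
    data = msg[path_end:]
    if msg[0] == 0x4C:                            # Read: element count only
        out["count"] = struct.unpack_from("<H", data)[0]
    elif msg[0] == 0x4D and data[0] == CIP_INT:   # Write: type, pad, count, values
        count = struct.unpack_from("<H", data, 2)[0]
        out["values"] = list(struct.unpack_from(f"<{count}h", data, 4))
    return out

def parse_reply(msg: bytes) -> dict:
    """Decode a reply: service|0x80, reserved, general status, ext-status words, data."""
    if len(msg) < 4 or not msg[0] & 0x80:
        raise ValueError("not a reply")
    out = {"service": SERVICES.get(msg[0] & 0x7F, hex(msg[0])), "status": msg[2]}
    data = msg[4 + 2 * msg[3]:]
    if msg[0] == 0xCC and msg[2] == 0 and len(data) >= 4 and data[0] == CIP_INT:
        out["values"] = [v for (v,) in struct.iter_unpack("<h", data[2:])]
    return out

# Constructed sample bytes (not copied from NJ_CaptureCIP.pcapng).
READ_REQ = bytes.fromhex("4c03910454564152" "0100")
READ_REP = bytes.fromhex("cc000000" "c300" "e803")
WRITE_REQ = bytes.fromhex("4d03910454564152" "c300" "0100" "ff00")
WRITE_REP = bytes.fromhex("cd000000")

if __name__ == "__main__":
    for m in (READ_REQ, WRITE_REQ):
        print(parse_request(m))
    for m in (READ_REP, WRITE_REP):
        print(parse_reply(m))
```

On a monitoring tap, the same decoding makes it straightforward to log every Write Tag (4D) request together with the tag name and value it carries.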

Thanks a lot Innoaloe,

The format of CIP Class Generic/Command Specific Data seems to be identical in Logix5000 and Omron NJ (at least in your capture).

BTW:

1. Logix5000 provides a service with Svc Code 55H which returns the list of variables in the PLC. Does Omron NJ provide a similar service?

2. Is it possible (and reasonable) to increase the data throughput between HMI and Omron NJ using several concurrent connections (to overcome the limited CIP packet length)?

 


You're very welcome. Regarding your questions:

1. Logix5000 provides a service with Svc Code 55H which returns the list of variables in the PLC. Does Omron NJ provide a similar service?

Unfortunately No :D

2. Is it possible (and reasonable) to increase the data throughput between HMI and Omron NJ using several concurrent connections (to overcome the limited CIP packet length)?

In the example I provided, after Reading or Writing I am closing the TCP Socket, thus also closing the ENIP Session. You can thus improve the throughput by keeping the Socket open if you need to continuously read/write data, avoiding having to re-Register the Session.
Keep in mind though that every few seconds you need to keep sending a packet to the NJ even though Read/Write variable is not required, or else after a certain timeout the NJ will think that the socket is inactive, closing the Session automatically.
I would avoid having multiple TCPClients connecting to the NJ (unless you're connecting to 2 different PCs) since it will also reduce the overall throughput.

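The session handling described in the posts above (a new session handle on every connection, and a session that is dropped after inactivity), as an added Python example that is not part of the original thread: it parses the 24-byte EtherNet/IP encapsulation header of each frame and flags requests that use an unregistered session handle or follow a long idle gap. The frames are constructed, and the 120-second limit is an assumed placeholder, since the post gives no exact timeout.

```python
import struct

ENCAP = struct.Struct("<HHII8sI")  # command, length, session, status, context, options
NAMES = {0x0065: "RegisterSession", 0x0066: "UnRegisterSession", 0x006F: "SendRRData"}

def build(cmd, session, data=b""):
    """Build a constructed encapsulation frame for the sample below."""
    return ENCAP.pack(cmd, len(data), session, 0, b"\0" * 8, 0) + data

def parse_encap(frame):
    """Return (command name, session handle, status) after checking the length field."""
    if len(frame) < ENCAP.size:
        raise ValueError("short encapsulation header")
    cmd, length, session, status, _ctx, _opts = ENCAP.unpack_from(frame)
    if len(frame) - ENCAP.size != length:
        raise ValueError("length field does not match payload")
    return NAMES.get(cmd, hex(cmd)), session, status

def audit(frames, idle_limit):
    """frames: (timestamp_s, direction, bytes). Returns (timestamp, finding, session)."""
    findings, last_seen = [], {}
    for ts, direction, raw in frames:
        name, sid, status = parse_encap(raw)
        if name == "RegisterSession":
            # The device assigns the handle in its reply; the request carries 0.
            if direction == "reply" and status == 0:
                last_seen[sid] = ts
            continue
        if sid not in last_seen:
            findings.append((ts, "unknown-session", sid))
            continue
        if ts - last_seen[sid] > idle_limit:
            findings.append((ts, "idle-gap", sid))
        last_seen[sid] = ts
        if name == "UnRegisterSession":
            del last_seen[sid]
    return findings

IDLE_LIMIT = 120.0   # assumed value, not from the thread or the manual
RR = b"\0" * 6       # constructed payload: interface handle + timeout only
SAMPLE = [           # constructed frames, not taken from a real capture
    (0.00, "request", build(0x65, 0, b"\x01\x00\x00\x00")),
    (0.01, "reply", build(0x65, 0x11223344, b"\x01\x00\x00\x00")),
    (1.00, "request", build(0x6F, 0x11223344, RR)),
    (200.0, "request", build(0x6F, 0x11223344, RR)),
    (201.0, "request", build(0x6F, 0xDEADBEEF, RR)),
]

if __name__ == "__main__":
    print(audit(SAMPLE, IDLE_LIMIT))
```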

Does the NJ close an inactive socket when Forward_open (CIP CM) is used? Is this 'inactivity timeout' configured or fixed?

 

Just now, zbyszek54 said:

Does the NJ close an inactive socket when Forward_open (CIP CM) is used? Is this 'inactivity timeout' configured or fixed?

 

For Forward_Open, it will close the socket once a certain period of inactivity has been reached. I cannot find the exact value in the manual but it seems to be fixed around 2 minutes or so (I think it's the same as the default TCP Linger / KeepAlive standard).

For NJ, aside from UCMM / Forward_Open, you can also do Read/Write through a Class3 Connection, which enables you to keep the socket alive unless you close it.
For me, I always avoid using Class3 though, since defining the Route Path sometimes can be a bit tricky.


I'll keep in mind all your suggestions.

Thanks a lot once again, Innoaloe


You're very welcome


You are awesome, innoaloe!  :clap:


More like having too much free time, good Sir  :shifty:

Lucky for me Omron got plenty of toys to play with... hahah...


Omron always kept me in toys.  That's what they were...toys!  :-2

22 hours ago, Jay Anthony said:

Omron always kept me in toys.  That's what they were...toys!  :-2

Powerful toys!

On 8/2/2017 at 5:09 PM, zbyszek54 said:

BTW :

1. Logix5000 provides a service with Svc Code 55H which returns the list of variables in the PLC. Does Omron NJ provide a similar service?

I was wrong when I said this is not possible in Omron NJ. I forgot that a certain Omron software is able to return the list of available Tags / Published Variables in the NJ.
So I looked into it and found out that the service does indeed exist. It's just not stated in the manual.


Resurrecting an old thread because this topic has recently interested me.

innoaloe, could you point me in a direction of where to find any documentation that states what service # returns the list of available tags?

Thanks for any help you can provide. 


Hello @patch91484@hotmail.com,
unfortunately Omron does not provide any documentation whatsoever regarding that service code.

I managed to find it before through experiments. Since the company decided not to make it public, I don't think I can give you the answer here.

However, should you be lucky enough to have a Sysmac Gateway program on your PC, you can use its Tag Monitor utility which will return all available tags inside your PLC.
While doing so, if you monitor the packets through Wireshark, you can find the service code there.


I was afraid they didn't provide that information. I do have Kepware installed (which also offers a service to generate a tag list) and I am looking into some Wireshark packets. Thanks for the reply.


Hello Innoaloe,

The Wireshark packet you shared is for symbolic addressing access (like the TVAR global memory area you created). Is there any way to access a direct address on an NX/NJ series PLC (example: I want to directly access the DM 100 memory location)?

Thanks,

Bhautik


@Bhautik1706

There is. It's the same with FINS protocol used for CP / CJ PLC Series.
See Omron manual W342 for details on the FINS protocol (it covers all about it).

I would recommend using FINS/UDP which is relatively easier


Hello Innoaloe,

Thanks for quick reply.

I have a packet which I am using for communicating with a CJ series PLC, but the same FINS packet is not working for NX/NJ series PLCs. For the CJ series PLC I am using code 0x54 for reading; the same is not working for NX/NJ series PLCs.


Are you sure that is FINS Command? Because if you look into manual W342, there is no FINS command using 0x54 byte as the code.

If memory serves, 0x54 is a Forward Open Service Code, for Ethernet/IP protocol communication.
Maybe you were communicating using Ethernet/IP protocol for the CJ-Series PLC?

In any case, you cannot communicate using Ethernet/IP for direct address access. FINS is your option for that.


Yes, I am using the Ethernet/IP protocol to communicate. The FINS packet is encapsulated under the Ethernet/IP packet just for direct address access. Otherwise it is just an EIP packet.

 

Memory Address Code (2 Byte) | Address of Memory (4 Byte) | Data (0-448)

The above data is only FINS specific.

So, when I tried the same packet structure which I implemented for the CJ2 series, it does not work with NJ, NX series PLCs.

Have you tried Omron Ethernet/IP over FINS to communicate with NX, NJ series PLCs? If yes, can you please share the Wireshark logs?
