
Help Tracking Delayed Packets

asked 2025-04-04 06:18:29 +0000

DaVizzey

updated 2025-04-04 08:31:44 +0000

Hi there!

So we have a machine that communicates through standard Ethernet IP between some components: a PLC, an HMI PC and a laser.

Now we've had some issues for some time that sometimes, pretty irregularly, the packet that would be sent out from the laser software (running on the HMI PC) would be late by around 15 seconds. Now we've managed to log with Wireshark when it happens, but I cannot find a real pointer to where that would have happened. All I've got is a rough time estimate, as the log file is from a 20 min log with over 150 000 packets in there...

Any tips for a complete newbie like me who is trying to figure out where these packets get stuck?

Simple text flowchart on how this works, (X) Indicates roughly where communication gets delayed

  • PLC Receives Data From a Database About Product
  • PLC Sends A String To Laser Software With Marking Information
  • Laser Software Loads up String Parameters and Applies To Laser Program
  • Laser Software Sends Out OK Or NOK (X)
  • PLC Acts Accordingly To Reply From Laser Software
  • If OK Then Proceeds Marking
  • If NOK Or No reply Within 6 Seconds, Feeds Product back Out

Edit: For a copy of the files, click the sprend link to download them. One is a big log, the other a smaller one, both containing a sample of the issue according to my customer. If the link is out of downloads then let me know!

https://sprend.com/download?C=5d145a4...


1 Answer


answered 2025-04-04 06:54:19 +0000

SYN-bit

Nice to see you're jumping on the packet analysis bandwagon. It's impossible to do a troubleshooting course in one answer, but I'll try to give some hints on where to start.

  • Make a network diagram of all (IP) systems involved in the communication (you were describing processes, it's another view and possibly the (IP) systems follow quite neatly, but still).
  • Now add information to that diagram on how they are connected (all switches, routers, firewalls, etc.). This could be complex (routing and firewalls involved) or as simple as they are all connected to the same switch and in the same IP subnet.
  • Determine the best points for capture. As a start, close to the involved systems would be perfect. Use span ports rather than capturing on a system itself, as there is some processing between the network card and the point at which a capture is made. Even better is to use TAPs, but that involves buying extra hardware, so maybe not the best way to start.
  • From your description, capturing close to the system running the Laser software would be a good choice (is that where you made the 20 min capture with 150k packets?)
  • In the capture, you need to start looking for patterns. Is the communication over UDP or TCP? What does a normal OK look like, what does a NOK look like? Can it be found in text? If so, filtering on tcp contains "NOK" (or another string that matches failed attempts) could work for you (please note that 'contains' is a case-sensitive filter).
  • Assuming the traffic is on TCP, do a follow TCP stream on the packet that you identified as a NOK response to see the full exchange of data that led up to the NOK.
  • This also filters the packet list to this specific TCP conversation, so look at the delta times between packets (you might want to add an extra column in the preferences for Delta time displayed). Also look for lines marked in black with red text, those are usually things that did not go well, like packet loss, retransmissions etc.

Good luck with the analysis. If you get stuck, you could share a pcap file and post the link here to get some help analyzing it. Do be aware of privacy concerns as indicated in the blogpost.

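The delta-time check described in the answer above can also be scripted when a capture is too large to scroll through. This is an added example, not part of the original answer: the tshark export in the comment, the placeholder addresses and the sample rows are assumptions constructed for illustration, and it assumes one request/reply exchange at a time per TCP stream.

```python
import csv
import io

PLC_TIMEOUT_S = 6.0  # PLC feeds the product back out after 6 s without a reply

# Constructed sample rows (not from the poster's capture), shaped like the
# tab-separated output of an export such as:
#   tshark -r capture.pcapng -Y "tcp.len > 0" -T fields -e frame.number \
#     -e frame.time_relative -e tcp.stream -e ip.src -e tcp.len
# Placeholder addresses: 192.0.2.10 = PLC, 192.0.2.20 = HMI PC.
SAMPLE = (
    "101\t12.004\t3\t192.0.2.10\t64\n"
    "105\t13.250\t3\t192.0.2.20\t2\n"
    "840\t95.100\t3\t192.0.2.10\t64\n"
    "841\t95.400\t3\t192.0.2.10\t64\n"    # retransmitted request
    "990\t110.350\t3\t192.0.2.20\t2\n"
    "1200\t300.000\t3\t192.0.2.10\t64\n"  # never answered
)


def reply_latencies(rows_text, plc_ip):
    """Pair each PLC payload packet with the peer's next payload packet
    on the same TCP stream. Returns (answered, unanswered)."""
    pending = {}   # tcp.stream -> (frame, time) of the oldest open request
    answered = []
    for row in csv.reader(io.StringIO(rows_text), delimiter="\t"):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        frame, t, stream, src = int(row[0]), float(row[1]), int(row[2]), row[3]
        if src == plc_ip:
            # Keep the first copy so a retransmission does not reset the clock.
            pending.setdefault(stream, (frame, t))
        elif stream in pending:
            req_frame, req_t = pending.pop(stream)
            answered.append({"stream": stream, "request": req_frame,
                             "reply": frame, "latency": round(t - req_t, 3)})
    return answered, pending


def late_replies(rows_text, plc_ip, limit=PLC_TIMEOUT_S):
    """Replies that arrived after the PLC had already timed out."""
    answered, _ = reply_latencies(rows_text, plc_ip)
    return [r for r in answered if r["latency"] > limit]


if __name__ == "__main__":
    for r in late_replies(SAMPLE, "192.0.2.10"):
        print(r)   # jump to these frame numbers in Wireshark
    print("unanswered:", reply_latencies(SAMPLE, "192.0.2.10")[1])
```

The reported frame numbers give a starting point for Follow TCP Stream, so the 20-minute capture only has to be inspected around the slow exchanges.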

Comments

The log was captured on the HMI PC, which I thought would be the best point of access as all data goes through the PC, as it is the link between the PLC and the laser. I am brand new to this stuff as I am a PLC programming engineer, not normally in the IT/network business, so I am not totally sure what I am looking at, although I've spotted 2-3 instances where I got a black row with red text (assuming that is an indication of possible issues). I tried adding a Delta Time row but it won't appear for some reason; will try my way forward there. And I would not be opposed to posting a copy of the file I got; it is on its own network that cannot be accessed unless out there physically or through an encrypted VPN, so it would be safe ...

DaVizzey ( 2025-04-04 07:48:22 +0000 )

Welcome to the wonderful world of Packet Analysis :-)

Yes, we don't have file sharing enabled to prevent all kinds of misery. You can use a public file sharing service like Dropbox, OneDrive, Google Drive etc. and post the link to the upload here...

SYN-bit ( 2025-04-04 08:10:52 +0000 )

Gotcha! A download link is in there now! :)

DaVizzey ( 2025-04-04 08:21:36 +0000 )

Thanks for the files, great that you used TraceWrangler to anonymize them. Unfortunately I think the clue in this case would be in the TCP payload, which is now stripped. If you are OK with it, you can send me the original file personally ([email protected]) so it won't be out in the public. If not, we need to work together on this a bit more... Are you able to identify packets that mark a NOK response? If so, could you tell me the packet number(s)?

SYN-bit ( 2025-04-04 09:22:29 +0000 )

So what I know is that it always accepts the string that got sent; it never sent out a NOK. The issue is that sometimes (every blue moon type of thing) the reply that is supposed to be sent back is on a long delay, about 15 seconds, before it gets to the PLC, and the PLC goes into a timeout sequence as it didn't get a reply. Normally (99.99% of the time) a reply comes through within 3 seconds. Also, the logs contain data that I cannot send out without an NDA contract being signed; it is a tough situation, sadly. I've managed to trace when the string got sent from the PLC and when a reply got sent to the PLC using the filter

DaVizzey ( 2025-04-04 10:44:35 +0000 )
