4.1.2 General Network Capture ( Ethernet, protocol independent )

 

LIAN 98 is able to record all the data packets on the ethernet, provided the data are available on the LAN interface of the PC running LIAN 98. This means that the PC has to be connected direct to the same network hub as the network client ( master ) without using a switch or router.

If a SCADA software is running under a Windows® Operating System, it is also possible to use LIAN 98 on the same computer simultaneously to monitor the network packets which are coming in and going out from this PC without an additional connection to the network hub or switch.

 

Structure of network frames

 

 

Information about the structure of network frames see
<Network capture : Structure of network frames>

 

Network capture : Configuration

The PC must be connected to the network hub or switch before LIAN 98 will be started, otherwise parametrization of the network in LIAN can not be done.

The network cable should be connected to the same hub as the network client in order to record the transmission packets of all systems in the network.

 

 

With the channel button ( channel 1 ...12 ) on the bottom following settings are possible :

 

Local machine

 

Network adapter

If there are several network adapters in the PC the corresponding adapter for the test must to be selected here.
Network protocol

Here the protocol is not used for network capture.
Host name

The name of the PC declared during the network installation is displayed here. ( No input is possible, it is only a display field. )
IP address

The IP-address allocated to the network adapter is displayed here. It can be set via the network settings in the Windows system control. ( No input is possible, it is only a display field ! )

If no IP address is displayed when opening the register card, the network is not correctly installed in Windows or the connection to the network hub does not exist.
Port number

This port number is not used for network capture.

 

Remote machine

 

Port number

This port number is not used for network capture.

 

Receiving/ Capture

 

( Read- ) Timeout

Recommendation : 100 msec
LIAN 98 waits this time until it will continue processing all network packets received in this time. Also the end of the transmission is detected with the timeout.

 

Network capture : Settings in the SIM list

 

Monitoring ( capture network communication )

 

 

Ethernet ( length- ) type field

0800H ( variable )
This field indicates the next level protocol, e. g. the type 0800H is used for Internet Protocol ( IP ).
If the ethernet type is not selected by the check box any type ( or length ) will be captured.
IP version

4 or 6 ( variable )
The format of the IP header.
version = 4 : IPv4
version = 6 : IPv6
If the IP version is not selected by the check box any version will be captured.
Protocol

6 ( variable )
This field indicates the next level protocol, which is used in the data section of internet datagram.
Transmission Control Protokoll ( TCP ) = 6 User Datagram Protocol ( UDP ) = 17.
If the protocol is not selected by the check box any protocols will be captured.
IP address client

IP address of the client ( Master station ). The network traffic between this client and the server(s) will be recorded. The required stations must be indicated in the server list and the PC must be connected with the client over the same network hub.
If the IP address is not selected by the check box all clients will be captured.
IP address server
( input field )

Use this field to enter the IP addresses of the servers in the server list.
When the server list is empty all server connections will be captured.
Port number server
( input field )

Use this field to enter the port numbers of servers in the server list.
When the server list is empty all port connections will be captured.
Insert server addresses
number of addresses
delete
insert

Each particular server to be captured must be inserted in the server list. LIAN 98 will use this list to prefilter the network traffic. If no server address is inserted all IP addresses will be captured.

In order to insert the addresses please proceed as follows :

Activate "Insert server addresses" ( button "insert" will be displayed ).
Enter the IP address and port number to be inserted in the fields "IP address server" / "Port number server". Take over the addresses in the server list with "insert". When all stations are inserted deactivate "Insert server addresses". ( The button "insert" disappears ).

In order to delete a server out of this list select it and click "delete".

 

Network capture : Pre-filter/ Pre-trigger

 

Network capture : Monitoring filters

 

Monitoring filters reduce capture on particular pre-defined data records. By setting the corresponding filters a carefully directed data preselection can be achieved, which results in a reduction of the data to be analyzed later.

 

 

Filter released

yes / no

With this option monitoring filters already set for one channel can be deactivated temporarily without deleting them.

protocol specific filter mask

Here monitoring can be filtered for telegram specific values in which several OR-linked filter masks can be defined for the channel.

= Only values equal to 'from' are let through.
# Only values not equal to 'from' are let through.
< Only values less than 'from' are let through.
> Only values greater than 'from' are let through.
b 'from' and 'till' define a valid range
add Add the next OR-element.
remove Remove the current OR-element.

 

Network capture : Start trigger

 

With the receipt of a telegram pre-defined as start trigger, recording is started.

 

 

Start trigger released

yes / no

With this option start triggers already set for one channel can be deactivated temporarily without deleting them.

protocol specific
trigger mask

Here you can define telegram specific start triggers for monitoring in which several OR-linked triggers can be defined for the channel.

= Only values equal to 'from' are let through.
# Only values equal to 'from' are let through.
< Only values less than 'from' are let through.
> Only values greater than 'from' are let through.
b 'from' and 'till' define a valid range
add Adds the next OR-element.
remove Removes the current OR-element.

 

Network capture : Stop Trigger

 

Monitoring can also be stopped by telegram-specific filters and/ or "stop on error" after a defined number of following records. The number of the following records is defined in the field "records after stop on error/ stop trigger" in the global parameters of the VFL settings.

 

 

Stop trigger released

yes / no

With this option stop triggers already set for one channel can be deactivated temporarily without deleting them.

protocol specific
trigger mask

Here you can define telegram specific stop triggers for monitoring in which several OR-linked triggers can be defined for the channel.

= Only values equal to 'from' are let through.
# Only values not equal to 'from' are let through.
< Only values less than 'from' are let through.
> Only values greater than 'from' are let through.
b 'from' and 'till' define a valid range
add Adds the next OR-element.
remove Removes the current OR-element.

 

Each alteration in the settings is displayed by an asterisk * in the caption title and will be only effective after saving.

 

Network capture : Message display format

 

The received messages of all channels are entered binary into the archive file. Before displaying on screen, the binary archived data are coverted to an easily readable procedure specific plaintext. In order to optimize the representation it can be chosen between five different plaintext settings. The plaintext format is set separately for each channel.
( see also "FMT file - Display format" )

 

 

The screen shot above shows the network headers ( MAC-, IP-, TCP header ) and the user data of the transmission block. The display format can be set via FMT file - Display format. The output of each header can be suppressed, of course.

In the page view ( see screen shot via the following link : Capture View ) the user data are displayed and the output of the ethernet header is disabled. The direction of the transmission can be recognized. A green status line shows the direction client to server and the yellow one the direction server to client. A status line without any additional data is only a header transmission, which is necessary in order to manage the network transfer.

 

Because the user data of the the general network capture are not known, no plain text display is provided and therefore the different plaintext settings are ineffective.
Plaintext format  
Format 1, 2, 3, 4, 5

Not used and therefore without effect

 

Network capture : Error messages

 

Error checks during receive

 

per network packet

the length of the particular headers.

 

*E: NET PACKET !

The captured length is not equal to the packet length.
*E: MAC HEADER !

The length of the MAC Header is incorrect or the data packet is not be interpretable.
*E: IPv4 HEADER !

The length of the IPv4 header is incorrect.
*E: TCP HEADER !

The length of the TCP header is incorrect.
*E: UDP HEADER !

The length of the UDP header is incorrect.
*E: ICMP HEADER !

The length of the ICMP header is incorrect.
*E: Length !

The frame length is incorrect. Also it could be possible that the length of the MAC, IP or TCP header is wrong.

 

MAYOR GmbH

Wuerzburger Ring 39,  D 91056 Erlangen

Manual LIAN 98

LIAN 98 Protocol Router, Simulator and Analyzer
© Copyright 2001, 2006, 2011 by MAYOR GmbH. All Rights reserved.