How to identify Transaction ID or Request ID in ControlLogix CIP Commands ?

ruz

Hi,

I have an application that runs SCADA and sends CIP service requests to a ControlLogix5000 Processor. The CIP services (requests) could be either
1. CIP Read Data Service,
2. CIP Write Data Service,
3. CIP Read Data Fragmented Format Service
4. CIP Write Data Fragmented Format Service
5. Multi-Request Service

These requests are sent every second to the PLC, and then the responses returned by the ControlLogix are to be processed and passed on to SCADA again.

Now the problem here is, since none of the CIP request packets have any field for Transaction Number or Request Identifier etc., how do I check which particular CIP request a particular response arriving from the ControlLogix corresponds to?


Since there will be multiple ControlLogix connected, there will be multiple requests sent to them every second. Without some identifier, it is impossible to distinguish between so many different responses.

I have PLC5 and MicroLogix1100 devices as well in the setup, which you all know support the DF1 protocol. The commands that I am building for them have a separate 2-byte field for adding a Transaction Number in the request packet (TNS field in Typed Read, Typed Write, Logical Read commands etc.). So by extracting the transaction number from the response that arrived from a PLC5/ML1100, I can identify the request which was sent for getting this response.

I tried to go through some PDFs detailing the general CIP Architecture, but could not find anything about the Request Id or Transaction Number. Also I have been searching for the same in the other headers that are appended to the CIP requests before being actually sent to the ControlLogix, but no luck yet.


Please help if anyone knows about request identification in CIP services for ControlLogix Processors.
 
Hello,

The header has a field named "sender context". The ControlLogix will return the value the requestor puts in the field.

I do not know how you get your scada to allow you to set this field.

Good luck,

Mark
http://www.peakhmi.com/
 
Hi Mark,

Exactly which header of the request packet contains this information ? Do we have access to this header while forming the request packet ?
 
Hello,

I had a confusion, it was late. I thought it was EtherNet/IP the scada was using to communicate with the controllers. It has the sender context field of the header. For only CIP I do not have an answer. When using EtherNet/IP the interface handle for CIP is zero. Can it be used?

Good luck,

Mark
http://www.peakhmi.com/
 
Hi Mark,

Thanks for the suggestion 🍻.
I tried to manipulate the 'Sender Context' field while sending a CIP request. (Even when we are using CIP services, there is a field for Sender Context in the Encapsulation Header.)

Ideally whatever I am setting as 'Sender Context' in the request should be copied into the 'Sender Context' field of the response given by the ControlLogix. But it is again setting it to all 0's in the reply.

Following are the details of the request/response packets captured using a network analyzer.

Request Packet :
No. Time Source Destination Protocol Info
11 0.015887 172.17.www.zzz 172.17.xxx.yyy CIP Open Connection
Frame 11 (112 bytes on wire, 112 bytes captured)
Ethernet II, Src: Dell_cb:48:4d (00:18:8b:cb:48:4d), Dst: Rockwell_3e:fb:c1 (00:00:bc:3e:fb:c1)
Internet Protocol, Src: 172.17.www.zzz (172.17.www.zzz), Dst: 172.17.xxx.yyy (172.17.xxx.yyy )
Transmission Control Protocol, Src Port: docstor (1488), Dst Port: EtherNet/IP-2 (44818), Seq: 117, Ack: 99, Len: 58
Source port: docstor (1488)
Destination port: EtherNet/IP-2 (44818)
Sequence number: 117 (relative sequence number)
[Next sequence number: 175 (relative sequence number)]
Acknowledgement number: 99 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
Window size: 65437
Checksum: 0x4e5a [incorrect, should be 0x9e4b (maybe caused by "TCP checksum offload"?)]
[SEQ/ACK analysis]
[PDU Size: 58]
EtherNet/IP (Industrial Protocol), Session: 0x12020A00, Send Unit Data
Encapsulation Header
Command: Send Unit Data (0x0070)
Length: 34
Session Handle: 0x12020a00
Status: Success (0x00000000)
Sender Context: 000000000A000000
Options: 0x00000000
Command Specific Data:

Common Industrial Protocol
Service: Open Connection (Request)
Request Path Size: 4 (words)
Request Path: N50, Port: 13, Address: 1
Extended Symbol Segment (0x91)
Port Segment: Port: 13, Address: 1
Port: 13
Extended Link Address: FALSE
Link Address: 1
Command Specific Data :

Response Packet :
No. Time Source Destination Protocol Info
12 0.017985 172.17.xxx.yyy 172.17.www.zzz CIP Success
Frame 12 (108 bytes on wire, 108 bytes captured)
Ethernet II, Src: Rockwell_3e:fb:c1 (00:00:bc:3e:fb:c1), Dst: Dell_cb:48:4d (00:18:8b:cb:48:4d)
Internet Protocol, Src: 172.17.xxx.yyy (172.17.xxx.yyy ), Dst: 172.17.www.zzz (172.17.www.zzz )
Transmission Control Protocol, Src Port: EtherNet/IP-2 (44818), Dst Port: docstor (1488), Seq: 99, Ack: 175, Len: 54
Source port: EtherNet/IP-2 (44818)
Destination port: docstor (1488)
Sequence number: 99 (relative sequence number)
[Next sequence number: 153 (relative sequence number)]
Acknowledgement number: 175 (relative ack number)
Header length: 20 bytes
Flags: 0x18 (PSH, ACK)
Window size: 4096
Checksum: 0xc1f2 [correct]
[SEQ/ACK analysis]
[PDU Size: 54]
EtherNet/IP (Industrial Protocol), Session: 0x12020A00, Send Unit Data
Encapsulation Header
Command: Send Unit Data (0x0070)
Length: 30
Session Handle: 0x12020a00
Status: Success (0x00000000)
Sender Context: 0000000000000000
Options: 0x00000000
Command Specific Data
Common Industrial Protocol
Service: Open Connection (Response)
Status: Success
Command Specific data

As displayed above, I put 000000000A000000 in the 'Sender Context' in the request. But I am getting a 0000000000000000 in the Sender Context of the response.

Kindly someone help if anyone has any idea why this is happening.

Whatever I place in 'Senders Context' in request should exactly be filled in the response packet as well. This was the only option I had to set a transaction identifier in a CIP request 🔨 .
 
Yea, EtherNet/IP is very complicated.
I believe that you are doing a Connected Message. The Sender Context field in the reply from the server may not echo the same data sent from the Client in this case. I think that you can only count on the Sender Context field if you are doing purely Unconnected messaging.

If you are doing Connected messaging, you should be able to use the "Sequence Count" field data as your transaction ID.
In your encapsulation header Command specific data, you should see a 0xB1 0x00 type ID with a 2 byte length field following and a 2 byte Sequence Count field following that. If you send this value (should be incremented every message), you should see the server echo this data.
 
Hi cjh,

Thanks for the reply.
Actually even I observed the same thing that you observed. But the Sequence number and Acknowledgement number are in TCP/IP header and not the Encapsulation header (displayed in the previous post).
Yes, the Sequence number and its acknowledgement number can be used to form a Transaction Identifier in this case. But the problem is, can we access the TCP/IP Header while sending the request and while processing its response?
We were able to manipulate the Sender Context as it was a part of the Encapsulation header, but manipulating the TCP header seems a bit difficult. Could you suggest any method to do it o_O ? Meanwhile I will also search for the same. But thx a lot for the quick reply. At least makes me think that we are on the right track :p.
 
No, I am not talking about the TCP sequence number.
The number I am talking about is actually in the EtherNet/IP encapsulation command data.

Look for a 0xb1 in the data. You should see a length field following and then the sequence count.
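
The correlation described in this thread, as an added example that is not code from any poster: a parser that pulls the transaction key out of an EtherNet/IP frame, using the Sender Context for Send RR Data and the sequence count inside the 0xB1 item for Send Unit Data. The frames are constructed to match the session handle and lengths in the capture above; the connection IDs and zero-filled CIP payloads are placeholders, and keying on (session handle, sequence count) is an assumption.

```python
import struct

# EtherNet/IP encapsulation header, little-endian, 24 bytes:
# command, length, session handle, status, sender context, options
ENCAP = struct.Struct("<HHII8sI")
SEND_RR_DATA, SEND_UNIT_DATA = 0x006F, 0x0070
CONNECTED_ADDRESS_ITEM, CONNECTED_DATA_ITEM = 0x00A1, 0x00B1

def correlation_key(frame: bytes):
    """Return the (session, kind, value) that ties a frame to its transaction."""
    if len(frame) < ENCAP.size:
        raise ValueError("short encapsulation header")
    cmd, length, session, _status, context, _opts = ENCAP.unpack_from(frame)
    body = frame[ENCAP.size:ENCAP.size + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated frame")
    if cmd == SEND_RR_DATA:                      # unconnected: rely on sender context
        return (session, "context", context)
    if cmd != SEND_UNIT_DATA:
        raise ValueError(f"unsupported command 0x{cmd:04x}")
    # Body: interface handle (4), timeout (2), item count (2), then items.
    (count,) = struct.unpack_from("<H", body, 6)
    off = 8
    for _ in range(count):
        if off + 4 > len(body):
            raise ValueError("truncated item header")
        type_id, item_len = struct.unpack_from("<HH", body, off)
        off += 4
        if off + item_len > len(body):           # never trust the on-wire length
            raise ValueError("item length exceeds frame")
        if type_id == CONNECTED_DATA_ITEM and item_len >= 2:
            (seq,) = struct.unpack_from("<H", body, off)   # sequence count
            return (session, "sequence", seq)
        off += item_len
    raise ValueError("no connected data item (0xB1)")

def build_unit_data(session, context, conn_id, seq, cip):
    """Constructed sample frame: Send Unit Data with 0xA1 and 0xB1 items."""
    data = struct.pack("<H", seq) + cip
    body = struct.pack("<IHH", 0, 0, 2)
    body += struct.pack("<HHI", CONNECTED_ADDRESS_ITEM, 4, conn_id)
    body += struct.pack("<HH", CONNECTED_DATA_ITEM, len(data)) + data
    return ENCAP.pack(SEND_UNIT_DATA, len(body), session, 0, context, 0) + body

def match(pending: dict, response: bytes):
    """Pop the pending request that this response answers, or None."""
    return pending.pop(correlation_key(response), None)

# Constructed frames shaped like the capture: request context set, reply context zeroed.
REQ = build_unit_data(0x12020A00, bytes.fromhex("000000000A000000"), 0x11111111, 1, bytes(12))
RSP = build_unit_data(0x12020A00, bytes(8), 0x22222222, 1, bytes(8))
```

The reply still matches its request even though its Sender Context is all zeros, because the key comes from the sequence count rather than the encapsulation header.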
 
