Wireshark to monitor OPC UA packets

induna23
Hero Member
Posts: 23
Joined: 02 Sep 2011, 06:15

Wireshark to monitor OPC UA packets

Post by induna23 »

Hi,

I am using wireshark-1.6.2 for monitoring the OPC UA packets.

In spite of configuring the port to opcua default tcp port 4840 and setting the capture filters, I am unable to view the packets. The protocol column displays it as "UNKNOWN".

Are the OPC UA AnsiC (or cpp code) messages encrypted?

How else can I view them?

Thanks & Regards,
Indu

gergap
Administrator
Posts: 5
Joined: 08 Apr 2008, 14:41

Re:Wireshark to monitor OPC UA packets

Post by gergap »

Hi induna23

First of all, you should check that you have a recent Wireshark version. OPC UA is supported since V1.6.

By default the OPC UA plugin decodes only UA traffic on port 4840, but you can add additional ports in Edit->Preferences...->Protocols->OPCUA.

See http://picpaste.com/wireshark-IvzL6N9T.png

The plugin can only decode the unencrypted binary protocol. Whether the conversation is encrypted does not depend on the SDK, but on the options the client chooses when connecting (Security Policy None).

See screenshot of the UaExpert connection dialog:
http://picpaste.com/serversettings-fS5ksKgx.png

regards,
Gerhard Gappmeier, ascolab GmbH
Developer of the OPC UA Wireshark Plugin

induna23
Hero Member
Posts: 23
Joined: 02 Sep 2011, 06:15

Re:Wireshark to monitor OPC UA packets

Post by induna23 »

These are my wireshark settings:

I am using Wireshark version 1.6.2 which has opcua.dll - 1.0.0 plugin.

Also I have set the protocol preferences to default port 4840.
Also I am connecting to the server using UAExpert without any security policy [None].

But when I filter on 'opcua', I am unable to see anything.
If I do not enter any filter, I am able to see a few packets with protocol as UNKNOWN.

Were you able to view the packets by setting the above options on OPC UA Ansi C Server (the one we download from OPC foundation)?

Thanks & Regards,
Indu

gergap
Administrator
Posts: 5
Joined: 08 Apr 2008, 14:41

Re:Wireshark to monitor OPC UA packets

Post by gergap »

Hello again,

If it works with the ANSI C server, wireshark is not the problem.

With what server does this problem occur?
Have you chosen a wrong endpoint maybe, like HTTP?

Please post the wireshark capture file so that I can take a look at it.

regards,
Gerhard

induna23
Hero Member
Posts: 23
Joined: 02 Sep 2011, 06:15

Re:Wireshark to monitor OPC UA packets

Post by induna23 »

Hi Gerhard,

Thanks for the reply.

I am afraid you haven't got the problem yet.

Adding answers to your queries:

>>if it works with the ANSI C server wireshark is not the problem.

No, it doesn't work.
I am using the OPC UA AnsiC server stack version 331 and UAExpert client version 1.01.320.0.132.
And I am connecting to the server with no security policy.


>>Please post the wireshark capture file so that I can take a look on it.
As I said before, there are no wireshark packets with the opcua filter.

Hence I would like to know whether the same scenario works at your end. If it works there, then I can be sure that it could be some setting problem at my end.


Thanks & Regards,
Indu

gergap
Administrator
Posts: 5
Joined: 08 Apr 2008, 14:41

Re:Wireshark to monitor OPC UA packets

Post by gergap »

Hi again

>>Thanks for the reply.
>>
>>I am afraid,you haven't got the problem yet.
>>
>>Adding answers to your queries:
>>
>>>>if it works with the ANSI C server wireshark is not the problem.
>>
>>No, It doesn't work.
>>I am using the OPC UA AnsiC server stack version 331 and UAExpert client version 1.01.320.0.132.
>>And I am connecting to the server with no security policy.
>>
>>
>>>>Please post the wireshark capture file so that I can take a look on it.
>>As I said before, there are no wireshark packets with the opcua filter.

I thought you see packets, but marked as UNKNOWN...

>>Hence I would like to know whether the same scenario works at your end. If it works there, then I can be sure that it could be some setting problem at my end.

Yes it works here. I normally test it with all Unified Automation products.

If it doesn't capture data at all I can only imagine the following:
On Windows you cannot capture local traffic, even if you use a real IP, not only with the loopback address.
So this is a problem when client and server are on the same machine.
Remote traffic can be captured without any problems.

Also on Linux you don't have such a limitation, so you can capture local traffic without any problems.

Did you try remote communication, or local?

regards,
Gerhard.

induna23
Hero Member
Posts: 23
Joined: 02 Sep 2011, 06:15

Re:Wireshark to monitor OPC UA packets

Post by induna23 »

Hi Gerhard,

Wish you a very Happy New Year !!

Sorry for the late reply.

I have few queries regarding your previous post.

1. >> On Windows you cannot capture local traffic, even if you use a real IP, not only with the loopback address. So this is a problem when client and server are on the same machine.

My Query: Did you mean running OPC client and OPC Server on the same Windows machine and wireshark opc plugin will not be able to capture these packets?
Correct me if I am wrong, but according to my understanding, wireshark generally captures all packets that are sent to and from the same machine [be it linux or windows].

2. Did you try remote communication, or local?

I tried local communication and remote communication.
This is how I tried remote communication: Run OPC Server and Wireshark on the same Windows machine.
Run OPC UA Expert on another Windows machine. Though the connection was established, I could hardly see any packets captured with the 'opcua' filter on. At least I was hoping to see some opc ua packets sent from the OPC UA Server.

Please Note: I am using Windows as my development platform and also using OPC Unified Architecture QuickStart CPP server for my development. Hence will not be able to verify the same scenario on linux.

So could you please help me to figure out where exactly the problem is?
a. Is it the wireshark setting at my end?
b. Some problem with the opc stack I am using?
c. Some problem with the opc plugin in wireshark?

I am a bit confused.

Thanks & Regards,
Indu

gergap
Administrator
Posts: 5
Joined: 08 Apr 2008, 14:41

Re:Wireshark to monitor OPC UA packets

Post by gergap »

Hi Indu

to 1)
Yes, I meant running the OPC client and server on the same machine.
If you are communicating over the loopback interface wireshark is not able to capture any packet on Windows. The packets are routed OS internally and will never see the real network driver.
See also http://wiki.wireshark.org/CaptureSetup/Loopback

Capturing traffic that goes to or comes from another computer is no problem.

to 2)

Using the remote communication, that means server and client on different machines, you should see the traffic in Wireshark, no matter on what side you are sniffing.

Indeed you should see a lot of traffic if you don't use a capture filter: Windows broadcasts, DHCP sometimes, HTTP traffic when you are using a browser and so on.
If not, you have a general problem with sniffing on your machine.

At the moment I really don't see what's going wrong at your side.
I try to describe a procedure that works here.

1.) Run Wireshark and the UaExpert on the same machine.
2.) Start wireshark with a capture filter on tcp port 4841. This only records what we want. The filter is literally "tcp port 4841".
3.) Use UaExpert and connect to opc.tcp://demo.ascolab.com:4841
3a) In the "Add Server" dialog double click on "" below Custom Discovery. Add the URL "opc.tcp://demo.ascolab.com:4841"
3b) Browse down and choose the "None - None" endpoint.
3c) Check the "Connect automatically" checkbox and click OK.
3d) Accept the certificate.
Now you should be connected with our public C++ demo server.
4.) You should see the traffic now on Wireshark. If the traffic is not shown as "opcua" then go to preferences and add the port "4841" to the OPC UA port list as described in a previous post.

I hope this works for you.
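
When traffic on the OPC UA port still shows up as UNKNOWN, the raw TCP payload can be checked by hand. The sketch below is an added example, not part of the original posts and not code from the Wireshark plugin: it reads the 8-byte OPC UA TCP message header and, for an OpenSecureChannel (OPN) message, the SecurityPolicyUri that the client sends in the clear, which covers both the port check in step 4 and the earlier point about Security Policy None. The function names are hypothetical, the sample payloads are constructed, and each payload is assumed to start at a message boundary.

```python
import struct

# Message types of the OPC UA TCP connection protocol (OPC UA Part 6).
MESSAGE_TYPES = {b"HEL", b"ACK", b"ERR", b"RHE", b"OPN", b"MSG", b"CLO"}
CHUNK_TYPES = {b"F", b"C", b"A"}  # final, intermediate, abort
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"


def read_ua_string(buf, offset):
    """Decode a UA String: Int32 length (-1 = null) followed by UTF-8 bytes."""
    (length,) = struct.unpack_from("<i", buf, offset)
    offset += 4
    if length < 0:
        return None, offset
    if offset + length > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[offset:offset + length].decode("utf-8", "replace"), offset + length


def classify_payload(payload):
    """Classify one TCP payload (hypothetical helper, not a Wireshark API)."""
    if len(payload) < 8 or payload[:3] not in MESSAGE_TYPES:
        return {"opcua": False}
    (size,) = struct.unpack_from("<I", payload, 4)  # size includes the header
    if payload[3:4] not in CHUNK_TYPES or size < 8:
        return {"opcua": False}
    info = {"opcua": True, "type": payload[:3].decode(), "size": size}
    if info["type"] == "OPN":
        # OPN: SecureChannelId (UInt32 at offset 8), then the asymmetric
        # security header, whose first field is the SecurityPolicyUri.
        try:
            policy, _ = read_ua_string(payload, 12)
        except (struct.error, ValueError):
            return info  # truncated segment: header seen, policy unknown
        info["policy"] = policy
        info["policy_none"] = policy == POLICY_NONE
    return info


def build_opn(policy_uri):
    """Constructed sample: OPN header plus security header, no request body."""
    uri = policy_uri.encode()
    body = struct.pack("<I", 0) + struct.pack("<i", len(uri)) + uri
    body += struct.pack("<i", -1) * 2  # null certificate and thumbprint
    return b"OPNF" + struct.pack("<I", 8 + len(body)) + body


if __name__ == "__main__":
    for sample in (build_opn(POLICY_NONE), b"GET / HTTP/1.1\r\n"):
        print(classify_payload(sample))
```

A payload that classifies as OPC UA but is displayed as UNKNOWN points at the dissector's port list; an OPN whose policy is not None means the following messages are secured by the channel.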

gergap
Administrator
Posts: 5
Joined: 08 Apr 2008, 14:41

Re:Wireshark to monitor OPC UA packets

Post by gergap »

I created a short screencast for the procedure above. http://www.filedropper.com/wiresharkopcua
This should make things clearer.

induna23
Hero Member
Posts: 23
Joined: 02 Sep 2011, 06:15

Re:Wireshark to monitor OPC UA packets

Post by induna23 »

Thanks a lot for the detailed instructions.
That helped!
I am able to see the opcua packets now.

Regards,
Indu
