Determining a PLC's IP Address using Wireshark

Introduction

There are many scenarios in which someone may want to connect to an Automation Runtime target, but they do not know the IP Address.

For example:

  • Collecting a system dump
  • Connecting via Automation Studio when SNMP is disabled
  • etc.

By connecting directly to the target and using Wireshark, we can find the IP address of the target.

Operation

  1. Download Wireshark at https://wireshark.org/.

  2. Install Wireshark per their installation instructions.

  3. Ensure the PLC is powered on and physically connect directly from your laptop/PC to the target’s ETH port.

  4. Select the Ethernet adapter responsible for the traffic between your laptop/PC and the target to begin capturing. In my case this is “Ethernet”.

  5. Power cycle the target.

  6. Wait a couple minutes until the target is fully booted and in a static state. Enter “arp” into the filter near the top of the window.

  7. Look for the “ARP Announcement” message whose source begins with “B&RIndus_”. The info column should then tell you the IP address of the target. In my case it is 192.168.1.100.

Windows Network Adapters

In order to determine the correct adapter, we can use the “Network Connections” application in Windows.

In a scenario like mine seen above, it may be difficult to determine which adapter is directly connected to the target. I was able to determine that “Ethernet” was the correct adapter because unplugging the physical connection to the target led to the adapter reporting as “Network cable unplugged.”

B&R MAC Addresses

Wireshark will automatically replace the start 00:60:65… of the MAC address with “B&RIndus_”. The MAC address of each Ethernet port is printed on the PLC. For this example, B&RIndus_30:12:45 represents the PLC with the MAC address 00:60:65:30:12:45.

7 Likes
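The "arp" filter and the “B&RIndus_” lookup from the post above can also be run offline against a saved capture. This is an added example, not part of the original post: it assumes the capture was saved in the classic pcap format rather than pcapng, the function names are hypothetical, and the sample frames are constructed from the MAC and IP used in the post.

```python
import struct

BR_OUI = bytes.fromhex("006065")  # MAC prefix Wireshark shows as "B&RIndus_"

def find_announcements(pcap, oui=BR_OUI):
    """Return [(mac, ip)] for ARP announcements sent from a MAC starting with oui."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    found, pos = [], 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        # Need Ethernet header (14 bytes) + IPv4-over-Ethernet ARP body (28 bytes)
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue
        if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
            continue
        sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
        # Announcement: sender IP == target IP; a probe has sender IP 0.0.0.0
        if sha[:3] == oui and spa == tpa and spa != b"\0\0\0\0":
            pair = (sha.hex(":"), ".".join(map(str, spa)))
            if pair not in found:
                found.append(pair)
    return found

def _arp_request(sha, spa, tpa):
    """Build one broadcast ARP request frame (constructed sample data)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + b"\0" * 6 + tpa
    return b"\xff" * 6 + sha + b"\x08\x06" + arp

def sample_pcap():
    """Constructed capture: PLC probe, PLC announcement, unrelated laptop ARP."""
    plc, pc = bytes.fromhex("006065301245"), bytes.fromhex("021122334455")
    ip = bytes([192, 168, 1, 100])
    frames = [_arp_request(plc, b"\0" * 4, ip), _arp_request(plc, ip, ip),
              _arp_request(pc, bytes([192, 168, 1, 10]), ip)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(find_announcements(sample_pcap()))
```

To use it on a real capture, pass the file's bytes, e.g. `find_announcements(open("capture.pcap", "rb").read())`, where the file name is a placeholder.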

It is much easier to use cmd and the command “arp -a”.

2 Likes

Also something to note:
arp -a might not work if the PLC was newly added to the network, as the IP-MAC combination might not be updated yet.
In this case this has to be resolved first (e.g. by pinging the whole subnet once, or using nmap).

If you know the MAC address (can be found on the PLC), the following batch script snippet might also help.
Input parameter would be the MAC address.
PC and PLC must be in the same subnet.

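:: %~1 = MAC address as shown by "arp -a", e.g. 00-60-65-30-12-45
:: First try the existing ARP cache.
FOR /F %%c IN ('arp -a ^| find /I "%~1"') DO SET "FOUND_IP=%%~c" && GOTO :Found

SET FOUND_IP=
PUSHD "%~dp0"
:: Not cached yet: ping the whole subnet once to populate the ARP cache.
:: WORKSPACE must already be set in the environment.
FOR /L %%i in (1,1,255) do ping -n 1 192.168.0.%%i >> "%WORKSPACE%\mac-scan.txt"
:: Alternatively (and faster), use nmap:
:: nmap --unprivileged -sP /24 --host-timeout 30 >nul
arp -a > "%WORKSPACE%\mac-scan.txt"
POPD
FOR /F %%c IN ('arp -a ^| find /I "%~1"') DO SET "FOUND_IP=%%~c"
:Found
IF defined FOUND_IP (
	@ECHO MAC-Address '%~1' is mapped to IP=%FOUND_IP%
) ELSE (
	exit /b 1
)

:end
:: Redirection first so no trailing space ends up in the file.
>foundIP.properties ECHO IP_OF_TARGET=%FOUND_IP%

2 Likes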

I’m always using nmap when I look for my PLC:

2 Likes

Hi Andrew!
Thanks for your post. I can confirm that it works! We used this trick to connect to an old machine whose IP address was unknown and we managed to connect to it thanks to this procedure. It was really helpful, thanks.

3 Likes