"TPKT is an"encapsulation" protocol. It carries the OSI packet in its ownpacket's data payload and then passes the resulting structure to TCP, from thenon, the packet is processed as a TCP/IP packet. The OSI programs passing datato TPKT are unaware that their data will be carried over TCP/IP because TPKTemulates the OSI protocol Transport Service Access Point (TSAP)."
第6层COTP,按照维基百科的解释,COTP 是 OSI 7层协议定义的位于TCP之上的协议。COTP 以“Packet”为基本单位来传输数据,这样接收方会得到与发送方具有相同边界的数据;
TPKT(Transport Service ontop of the TCP):通过TCP的传输服务。介于TCP和COTP之间。属于传输服务类的协议,它为上层的COTP和下层TCP进行了过渡。功能为在COTP和TCP之间建立桥梁,其内容包含了上层协议数据包的长度。一般与COTP一起发送,当作Header段。我们常用的RDP协议(remote desktop protocol,windows的远程桌面协议)也是基于TPKT的,TPKT的默认TCP端口为102(RDP为3389),其实它本身为payload增加的数据并不多,主要就是以下几个:
version,1byte,表明版本信息
reserved,1byte,看到这个名字就知道是保留的了
length,2byte,包括payload和这三部分在内的总长度
接下我们用2018工控比赛流量包来实际看一眼:
可以看到,版本号是3号,长度为31,除此之外该层并没有什么有用信息了
3.COTP协议
COTP协议的全称是(Connection-Oriented Transport Protocol),即面向连接的传输协议,从这个名字就可以看出,它的传输必然是依赖于连接的,所以在传输数据前必然有类似TCP握手建立链接的操作。
S7comm (S7 Communication) is a Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7-300/400 family.
It is used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA (supervisory control and data acquisition) systems and diagnostic purposes.
The S7comm data comes as payload of COTP data packets. The first byte is always 0x32 as protocol identifier. Special communication processors for the S7-400 series (CP 443) may use this protocol without the TCP/IP layers.
OSI layer Protocol
7 Application Layer S7 communication
6 Presentation Layer S7 communication(COTP)
5 Session Layer S7 communication(TPKT)
4 Transport Layer ISO-on-TCP (RFC 1006)
3 Network Layer IP
2 Data Link Layer Ethernet
1 Physical Layer Ethernet
To establish a connection to a S7 PLC there are 3 steps:
Connect to PLC on TCP port 102
Connect on ISO layer (COTP Connect Request)
Connect on S7comm layer (s7comm.param.func = 0xf0, Setup communication)
Step 1) uses the IP address of the PLC/CP.
Step 2) uses as a destination TSAP of two bytes length. The first byte of the destination TSAP codes the communication type (1=PG, 2=OP). The second byte of the destination TSAP codes the rack and slot number: This is the position of the PLC CPU. The slot number is coded in Bits 0-4, the rack number is coded in Bits 5-7.
Step 3) is for negotiation of S7comm specific details (like the PDU size).
History
The protocol is used by Siemens since the Simatic S7 product series was launched in 1994. The protocol is also used on top of other physical/network layers, like RS-485 with MPI (Multi-Point-Interface) or Profibus.
Protocol dependencies
S7 communication consists of (at least) the following protocols:
COTP: ISO 8073 COTP Connection-Oriented Transport Protocol (spec. available as RFC905)
TPKT: RFC1006 "ISO transport services on top of the TCP: Version 3", updated by RFC2126
TCP: Typically, TPKT uses TCP as its transport protocol. The well known TCP port for TPKT traffic is 102.
Example traffic
Wireshark
The S7comm dissector is partially functional.
Preference Settings
(XXX add links to preference settings affecting how PROTO is dissected).
Example capture file
SampleCaptures/s7comm_downloading_block_db1.pcap s7comm: connecting and downloading program block DB1 into PLC
SampleCaptures/s7comm_program_blocklist_onlineview.pcap s7comm: connecting and getting a list of all available block in the PLC
SampleCaptures/s7comm_reading_plc_status.pcap s7comm: connecting and viewing the PLC status
SampleCaptures/s7comm_reading_setting_plc_time.pcap s7comm: connecting, reading and setting the time of the PLC
SampleCaptures/s7comm_varservice_libnodavedemo.pcap s7comm: running libnodave demo with S7-300 PLC, using variable-services with several areas
SampleCaptures/s7comm_varservice_libnodavedemo_bench.pcap s7comm: running libnodave demo benchmark with S7-300 PLC using variable-services to check the communication capabilities
Display Filter
A complete list of PROTO display filter fields can be found in the display filter reference
Show only the S7comm based traffic:
s7comm
Capture Filter
You cannot directly filter S7comm protocols while capturing.
S7comm uses port 102, so it is possible to capture S7comm data by using the capture filter
tcp port 102
External links
RFC1006 ISO Transport Service on top of the TCP Version: 3, based on ISO 8073
RFC905 ISO Transport Protocol Specification ISO DP 8073
Siemens - Information about the properties of the S7 protocol What properties, advantages and special features does the S7 protocol offer - Siemens Industry Online Support