CodeSys UDP Broadcast mystery

paulpotat
2022-09-09
2022-09-16
  • paulpotat

    paulpotat - 2022-09-09

    Hello,
    I'm trying to understand how the "Scan Network" function of CodeSys operates.
    I looked at the packets using Wireshark and it looks like it sends a UDP frame to the broadcast address of the network and waits for answers:

    This broadcast packet contains 20 bytes of data and looks like this:

    c5 74 40 03 00 20 b7 8b 03 8a 83 01 02 c2 00 04 01 dc 7d 06
    

    I tried to send this frame using a Python script and I was able to get some answers from devices on the network! However, if the network switches (for example going from WiFi to Ethernet), it doesn't work anymore.

    It looks like these 20 bytes of data change based on the network / computer?

    I was wondering if this is documented somewhere? How is this frame built?

    Thank you for your time,
    BR

     
  • paulpotat

    paulpotat - 2022-09-12

    Ok, so far I understood this:
    - Byte[0:4] = Some sort of header (it never changes)
    - Byte 5 = Changes depending on the interface type (10 for Ethernet and 20 for WiFi)
    - Byte[6:7] = ? (can be set to 0 without issues)
    - Byte 8 = Always equal to 03
    - Byte 9 = ??? (can't be set to 0, otherwise devices won't answer the broadcast message)
    - Byte[10:11] = Changes depending on the interface type (0000 for Ethernet and 8301 for WiFi)
    - Byte[12:15] = Always equal to 02c20004
    - Byte[16:19] = Count of UDP broadcast messages sent (can be set to 0 without issues)

    So now my frame for WiFi interfaces looks like this:

    c5 74 40 03 00 20 00 00 03 ?? 83 01 02 c2 00 04 00 00 00 00
    

    The only thing I really don't understand now is the 9th byte: what is it? How is it computed?
    It seems like it changes every time I restart my computer, but stays the same during the whole session afterwards...

    I hope someone can help me with this
    BR

     
  • paulpotat

    paulpotat - 2022-09-14

    After some investigation, it looks like the 9th byte changes depending on the network IP.
    For example, on the same WiFi network:
    - if network ip is 192.168.100.xxx then byte 9 is "05"
    - if network ip is 192.168.99.xxx then byte 9 is "03"
    - if network ip is 192.168.43.xxx then byte 9 is "8A"
    - if network ip is 192.168.1.xxx then byte 9 is "34"

    I tried some math operations on the ip to get those values as results but I can't figure out how it's calculated...

     
  • paulpotat

    paulpotat - 2022-09-16

    Okay, I finally understood this!
    The 9th byte is the last part of my IP address: for example, if my IP is 192.168.1.42 then the 9th byte has to be equal to 42 (0x2A).

    So in case anybody needs this one day (who knows), to perform the same type of network scan CodeSys uses, you have to send a UDP broadcast frame containing the following data:

    # WIFI
    c5 74 40 03 00 20 00 00 03 xx 83 01 02 c2 00 04 00 00 00 00
    
    # ETH
    c5 74 40 03 00 10 00 00 03 xx 00 00 02 c2 00 04 00 00 00 00
    

    Where "xx" is the last byte of your IP address.

    I don't know how it works on networks where the mask is not 255.255.255.0 though...

     

    Last edit: paulpotat 2022-09-16
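Added example (not the thread author's script): a small encoder/decoder for the 20-byte payload using only the layout worked out in this thread, so a captured frame can be checked against it and the sender's interface type and last IP octet read off. The counter byte order and the `bytes_6_7` naming are assumptions.

```python
"""Encode/decode the 20-byte CodeSys 'Scan Network' broadcast payload
as reverse-engineered in the thread above (added example, not CodeSys code)."""
from dataclasses import dataclass
import ipaddress

HEADER = bytes.fromhex("c5 74 40 03 00")        # bytes 0-4, constant
CONST_12_15 = bytes.fromhex("02 c2 00 04")      # bytes 12-15, constant
# byte 5 and bytes 10-11 both depend on the interface type
IFACE_TYPE = {"ethernet": 0x10, "wifi": 0x20}
IFACE_TAG = {"ethernet": bytes.fromhex("00 00"), "wifi": bytes.fromhex("83 01")}


@dataclass
class ScanFrame:
    interface: str      # "ethernet" or "wifi"
    last_octet: int     # byte 9: last octet of the sender's IPv4 address
    bytes_6_7: bytes    # meaning unknown; 00 00 is accepted by devices
    counter: bytes      # bytes 16-19: message count, byte order unknown


def build_frame(local_ip: str, interface: str = "ethernet", counter: int = 0) -> bytes:
    """Build the payload a host with address local_ip would send."""
    last_octet = ipaddress.IPv4Address(local_ip).packed[-1]
    # packing the counter big-endian is an assumption; the thread says 0 works
    return (HEADER + bytes([IFACE_TYPE[interface]]) + b"\x00\x00" + b"\x03"
            + bytes([last_octet]) + IFACE_TAG[interface] + CONST_12_15
            + counter.to_bytes(4, "big"))


def parse_frame(data: bytes) -> ScanFrame:
    """Decode a captured payload, rejecting anything that does not match the layout."""
    if len(data) != 20:
        raise ValueError(f"expected 20 bytes, got {len(data)}")
    if data[0:5] != HEADER or data[8] != 0x03 or data[12:16] != CONST_12_15:
        raise ValueError("constant fields do not match the scan layout")
    iface = next((n for n, t in IFACE_TYPE.items() if t == data[5]), None)
    if iface is None or data[10:12] != IFACE_TAG[iface]:
        raise ValueError("unknown interface type or inconsistent bytes 10-11")
    return ScanFrame(iface, data[9], data[6:8], data[16:20])


if __name__ == "__main__":
    # payload quoted in the first post of this thread
    captured = bytes.fromhex("c5 74 40 03 00 20 b7 8b 03 8a 83 01 02 c2 00 04 01 dc 7d 06")
    print(parse_frame(captured))                         # wifi, last octet 0x8a
    print(build_frame("192.168.1.42", "wifi").hex(" "))  # byte 9 becomes 2a
```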
