TripleFSniffer

Triple-F Sniffer manual

Juan Diez PerezStanislas Pinte

Darius Blasband

Table of ContentsIntroduction ............................................................................................................. vii1. Concepts and definitions ........................................................................................... 1

Profibus ............................................................................................................................ 1Euroradio .......................................................................................................................... 1SLL .................................................................................................................................. 1STL .................................................................................................................................. 1HDLC ............................................................................................................................... 1T.70 ................................................................................................................................. 1X.224 ............................................................................................................................... 1Application Layer ............................................................................................................... 1traffic capture file ................................................................................................................ 2Packet ............................................................................................................................... 2Message ............................................................................................................................ 2

2. First steps ............................................................................................................... 33. User interface components ......................................................................................... 4

Main Window .................................................................................................................... 4Additional Instance Mode ..................................................................................................... 4File Menu .......................................................................................................................... 4Navigation Menu ................................................................................................................ 4Tools Menu ....................................................................................................................... 5Report Menu ...................................................................................................................... 5SpyBox Menu .................................................................................................................... 5Euroradio Menu .................................................................................................................. 5Help menu ......................................................................................................................... 6Message Options ................................................................................................................. 6Dual Bus Settings ................................................................................................................ 7Regular Expression filter ...................................................................................................... 7Message List ...................................................................................................................... 8Message Columns ............................................................................................................... 9Column Selection .............................................................................................................. 10Protocol Verifications ........................................................................................................ 12Details Tree ..................................................................................................................... 12Status Bar ........................................................................................................................ 13Message Filters ................................................................................................................. 13Layers Selections .............................................................................................................. 15Connection Colors Management .......................................................................................... 15Time Settings ................................................................................................................... 16Time Display ................................................................................................................... 16Time Base ....................................................................................................................... 17Local Reference Time Computation ...................................................................................... 17Connection Management .................................................................................................... 17Preferences Dialog ............................................................................................................ 17CRC Verifications ............................................................................................................. 18FFFIS STM Report Dialog .................................................................................................. 19Record Dialog .................................................................................................................. 21SpyBox Administration Dialog ............................................................................................ 23Export Dialog ................................................................................................................... 26Euroradio Quality Of Service Dialog .................................................................................... 26Euroradio Key Management Dialog ...................................................................................... 27Euroradio SpyCable Dialog ................................................................................................. 28

4. Recording PROFIBUS traffic with the SpyBox hardware .............................................. 29First steps ........................................................................................................................ 29Recording filters ............................................................................................................... 29

iv

Recording session detection ................................................................................................ 295. Scripting .............................................................................................................. 30

Introduction ..................................................................................................................... 30High-level Architecture ...................................................................................................... 30Python language and .Net class libraries ................................................................................ 31Scripting interface ............................................................................................................. 31Scripting API Reference ..................................................................................................... 32init_session(fileNamePrefix) .............................................................................. 32handle_message(message, bus) .............................................................................. 33start_recording(message, bus) ............................................................................ 33record_message(message, bus) .............................................................................. 33stop_recording(message, bus) .............................................................................. 33end_session() ............................................................................................................ 33idle() .......................................................................................................................... 33Structure of the message parameter ....................................................................................... 33How to run your first script ................................................................................................. 34Complex scripting example: Server mode implementation ........................................................ 34

6. JRU Messages Decoding Plugin ............................................................................... 36Introduction ..................................................................................................................... 36How to activate the JRU plugin? .......................................................................................... 36JRU Plugin Screenshots ..................................................................................................... 37

7. Euroradio Plugin ................................................................................................... 38Introduction ..................................................................................................................... 38Serial modem recording specifics ......................................................................................... 38SpyCable design ............................................................................................................... 38

8. Command-line interface .......................................................................................... 40Command-line manual ....................................................................................................... 40

9. Configuration files ................................................................................................. 42Session Settings Config ...................................................................................................... 42Devices And Connections Configuration ............................................................................... 42

Index ...................................................................................................................... 44

Triple-F Sniffer manual

v

List of Examples5.1. A simple example ................................................................................................ 32

vi

IntroductionThis document contains everthing needed to use all the functions available in the Triple-F Sniffer applic-ation.

The scope of the Triple-F Sniffer application is a subset of the ERTMS specifications: to record, decodeand analyze communications, going over the PROFIBUS and Euroradio interfaces, complying the FFF-IS specifications. The two FFFIS interfaces are specified in UNISIG Subset-035 (FFFIS STM) andUNISIG Subset-037 (Euroradio FFFIS), available on the ERA[http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx] website.

The following features allow to conduct an in-depth analysis of FFFIS communications.

• PROFIBUS and Euroradio recording

• Message listing

• Message filtering

• Message content validation

• Quick navigation in message list

• Tree display showing all details, by protocol layer

• Message export in CSV/text format

• PDF report generation

They are discussed in details later on in the document. See section User interface components for a de-tailed description of each part of the User Interface.

vii

http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx

Chapter 1. Concepts and definitionsThe following explains the basic concepts related to the Triple-F Sniffer application. It only provides asuperficial explanation, and links to more complete information are provided at the end of this docu-ment, indicated by footnotes references.

Some definitions are extracted from official ERTMS specifications, available on the ERA[http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx] website.

ProfibusThe transmission medium used to communicate between devices. Full specifications can be found here[http://www.profibus.com/]. NOTE: "FDL" is frequently used as synonim for "Profibus", in the follow-ing text.

EuroradioThe protocol stack used to communicate between the train and the track, on top of GSM-R radio trans-mission. This protocol stack is fully specified in UNISIG Subset-037.

SLLSafe Link Layer, the protocol layer coming above the Profibus layer. It is fully defined in the Subset 57of the FFFIS STM specifications.

STLSafe Time Layer, the protocol layer coming above the SLL layer. It is fully defined in the Subset 56 ofthe FFFIS STM specifications.

HDLCHDLC is the protocol layer used in Euroradio communications for the data link layer. It is specified inthe ISO-7776 standard, available on the ISO website [http://www.iso.org/iso/en/ISOOnline.frontpage]with delta specifications in the UNISIG Subset-037.

T.70T.70 a protocol layer used in Euroradio communications for the network layer. It is specified in the ITU-T-70 standard, available on the ITU website [http://www.itu.int/home/index.html].

X.224X.224 the protocol layer used in Euroradio communications for the transport layer. It is specified in theISO-13239 standard, available on the ISO website [http://www.iso.org/iso/en/ISOOnline.frontpage].

Application Layer

1


http://www.profibus.com/

http://www.iso.org/iso/en/ISOOnline.frontpage

http://www.itu.int/home/index.html

http://www.iso.org/iso/en/ISOOnline.frontpage

The protocol layer coming above the STL layer, in the case of PROFIBUS communications, or abovethe X.224 layer, in the case of Euroradio communications. It is fully defined in the UNISIG Subset-058and Subset-026 (chapters 7 and 8) specifications.

traffic capture fileA file containing all messages exchanged during a finite amount of time, on a Profibus network. Thesefiles have usually the ".es3f" extension.

PacketA packet is the unit of data routed between a source address and a destination address in any network.Packets pertain to a protocol layer. Packets can be nested: a Packet of one protocol layer can containother Packets, pertaining to protocol layers located higher in the protocol stack.

MessageWe define a message by taking the lower level protocol layer: the Profibus layer. A Message is a Profib-us Packet, together with all Packets pertaining to upper protocol layers, encapsulated in the ProfibusPacket.

Concepts and definitions

2

Chapter 2. First steps

Procedure 2.1. Open a traffic capture file using the Triple-F Sniffer application.

To start using the Triple-F Sniffer tool, follow this procedure.

1. Double-click on the Triple-F Sniffer application icon on your desktop.

2. Use the File # New ( Ctrl-n) to open a new traffic capture file. Browse to the desired file, and clickon the Open button.

3. In the application window, you will see the FFFIS-STM messages contained in the traffic capturefile, or a warning showing that the traffic capture file is invalid.

3

Chapter 3. User interface componentsThe following provides in-depth explanation about every component making up the Triple-F Sniffer ap-plication. For each component, we have a general description, and a list of all possible user interactions.Detailed screenshots are provided when necessary.

Main WindowThis window is the application entry point. It hosts menus and controls to drive all the application func-tions. It is divided in three zones:

• Options cockpit. See section Message Options.

• The message list. See section Message List.

• The message details tree. See section Details Tree.

The window title bar can have different values. If a traffic capture file is currently opened, its value isfile name of this traffic capture file. Otherwise, it is "APPLICATION_NAME".

Example: Triple-F SnifferPRODUCT_VERSION: demo.es3f

The Main Window also contains a menu bar, giving access to the functions documented below

Additional Instance ModeIf a second instance of the Triple-F Sniffer application is opened (For example by double clicking onceagain on the Triple-F Sniffer icon), the window title bar contains SpyBox Connections Disabled. All thefeatures of the Triple-F Sniffer can be used as usual, excepted the SpyBox-related feature (see RecordDialog and SpyBox Administration Dialog).

In this mode, the

File Menu

• Open. Open a traffic capture file, and displays the messages in the Message List zone.

• Close. Close the currently opened file.

• Export. Exports message content in a specified format (CVS, TXT).

• Exit. Quit the application.

Navigation Menu

• Go to End. Make the Message List scroll to the last visible message of the opened traffic capture file.For a complete explanation of which messages of the traffic capture file are visible, see Message Fil-ters and Layer Selections sections.

• Next in Connection. Make the Message List scroll to the next message of the opened traffic capture

4

file, which belongs to the same SLL Connection. If there is no next Message, the message "No math-ing Message found" is displayed in the Status Bar. If there is a next Message, the message "Match-ing Message at index: " is displayed in the Status Bar, with the index of the corresponding Message.For a complete explanation of which messages of the traffic capture file are visible, see Message Fil-ters and Layer Selections sections.

• Previous in Connection: Make the Message List scroll to the previous message of the opened trafficcapture file, which belongs to the same SLL Connection. The Status Bar message is the same as in"Next in Connection".

• Next of type: Make the Message List scroll to the next message of the same type as the currently se-lected message. The Status Bar message is the same as in "Next in Connection". The type of themessage is displayed in the Message Columns. See columns FDL, SLL and STL.

• Previous of type: Make the Message List scroll to the previous message of the same type as the cur-rently selected message. The Status Bar message is the same as in "Next in Connection".

• Next error: Make the Message List scroll to next Message which fails at least one. The ProtocolVerification.

• Previous error: Make the Message List scroll to previous Message which fails at least one . The Pro-tocol Verification.

Tools Menu

• Preferences: open the Preferences dialog.

• Station/Connections filters: open the Station/Connections filters dialog.

• Select Columns: open the Column Selection dialog.

• Connection Colors: open the Connection Colors selection dialog.

Report Menu

• Preferences: open the Report dialog.

SpyBox Menu

• Online Actions: open the Record Dialog.

Configure and Upload: open the SpyBox Administration Dialog .

Euroradio Menu

• SpyCable capture: open the Record Dialog.

Report: open the Euroradio Quality of Service Report Dialog .

User interface components

5

Key management: open the Euroradio Key Management Dialog .

Help menu

• Help. Displays the User Documentation in the Windows Help Browser

• About. Displays a Dialog showing product version information and license information.

Message OptionsThis user interface zone groups the following controls that give access to message display options:

• The Time Settings component.

• The Protocol Layers Selection component.

• The Connection/Station Filtering component.

• The Dual bus settings component.


6

• The Regular Expression filter component.

Dual Bus SettingsThe dual bus settings enable the user to control which bus will be displayed in the message list. Buschoice is mutually exclusive, i. e. you cannot display both messages from both bus at the same time.

Regular Expression filterThe Regular Expression filter enables the user to apply an additional message filter to the messages dis-played in the message list. The regular expression text specified by the user will be checked against thesummary (For more information about the summary field, see Message Columns) field of each message.The message are displayed only if their summaries matches the regular expression.

The filter is only applied if the Enable checkbox is checked. The regular expression is evaluated after theuser leaves the regular expression text field, by pressing the tab key, or focusing another user interfacecomponent with the mouse.

Example: display all messages which summary field contain "STM-1":

Example: display all messages which summary field is exactly "STM-1":


7

For a complete reference on regular expression syntax, please check this website.[http://www.regular-expressions.info/]

Message List

This component displays the messages in the selected traffic capture file.

This component supports the following user interactions:

• Mouse wheel: In order to zoom the font size in and out, use the mouse wheel, combined with theShift key. The font size will be adjusted accordingly.

• Left click: Click on a message to select it. Once a message is selected details are displayed in the De-tails Tree component.

• Right click: gives access to context menu, with the choice between showing a Details Tree in a newwindow, and showing the Adjustment factor.

• Double message selection: If a single message is selected, and a second message is selected using aMouse Click with the Ctrl key pressed, the time difference between the two messages is displayed inthe Status Bar component.

• Dragging column header: column headers can be dragged by the mouse to another location in theheader row, so that they can be re-ordered. Ordering is saved when the user closes the application,


8

http://www.regular-expressions.info/

and restored when the user opens the application again.

• Select multiple messages: by selecting a first message using the mouse, then - while pressing theShift key - selecting a second one, all the message range between these two messages will be selec-ted as well. This multiple message selection can be used for message exports or reports.

Message ColumnsThis section details all the columns available in the Message List component. The following columns areavailable:

• Index: represents the index of the message in the currently opened traffic capture file. This index iszero-based (starts with zero).

• Time: displays the time value according to the current Time Settings. The time format used isHH:MM:SS.mmm for relative times, and DD/MM/YYYY HH:MM:SS for absolute times.

• Conn: displays the SLL connection, if the message is of the SLL protocol layer, or above. Thiscolumn receives a different background color for each connection. Messages belonging to theProfibus have a white background color.

Note: Multicast messages, even if they are not part of any connection, do have a connection value.This value is logical, and is added to enable the users to filter (see Message Filters)Multicast pack-ets, based on the virtual connection identifier.

The format used for the connection is SA:SSAP->DA:DSAP.

• SA: Source Address

• SSAP: Source Service Access Point

• DA: Destination Address

• DSAP: Destination Service Access Point

SA and DA are replaced by a logical device name, if a suitable definition is found in the Device AndConnection Configuration file.

• FDL: Profibus protocol layer packet type.

• SLL: SLL protocol layer packet type.

• STL: STL protocol layer packet type.

• Summary: synthetic information, specific for each packet type. The full packet message informationare available in the Detail Tree component

• DA: Destination address

• STL Delay: messages that pertain to the STL protocol layer have a STL timestamp attached (withthe exception of the SyncAndRefTime message, which carries time synchronization information.This timestamp was recorded at the time the message was sent from the station. Therefore, as the$APPLICATION_NAME application computes a Local Reference Time, a delay can be computedbetween the STL timestamp, and this Local Reference Time.

• SA: Source Address.


9

Column SelectionThis dialog controls which columns are displayed in the Message List component. The columns are dis-played in a Tree. If you select the "Columns" node, this will select all columns. Unselecting the"Columns node" will unselect all columns.

Pressing the Reset button will restore the selection at the state it was before modifying the selection.

Pressing the Apply button will close the dialog, and apply the new column selection to the Message Listcomponent.

Pressing the Cancel button closes the dialog, without any effect on the current column selection.


10


11

Protocol VerificationsThis section covers all checks made for each Message, at the protocol level. Besides the checks specifiedbelow, each protocol layer is verified, to detect message format errors. Error reporting is done for eachinvalid protocol layer.

• SDA Acks: at the FDL level, the Triple-F Sniffer checks that SDA packets are directly followed byan FDL ACK packet, or an FDL SC (Short Ack) packet.

• Monotonic sequence numbers: at the SLL level, all packets carry a sequence number. They must beincremented by 1 for each packet in the same SLL logical connection.

• CRC: SLL packets carry a CRC checksum. This CRC is verified. For more details about CRC veri-fications, see Crc Checks

• Multicast doubles: the SLL specifies that each multicast packet must be sent twice. the Triple-FSniffer checks that each packet in the same SLL logical connection is directly followed by its equi-valent.

• HDLC FCS check. the FCS (Frame Check Sequence) described in ISO-7776 are checked.

• Euroradio MAC check. The MAC (Message Authentication Code) specified in Subset-037 are com-puted and checked. The Triple-F Sniffer is only able to check the MACs for Euroradio packets if twoconditions are provided:

• The user has entered a shared authentication key using the Key Management Dialog.

• The X224 CR and CC packets are available in the recorded traffic. These packets contain theAU1 and AU2 authentication message, that contains necessary information to perform the MACchecks on the following Euroradio Safety Layer packets (AU3, AR and SaPDU).

For more information about the MACs, see Subset-037 paragraph 7.2.2.2 (Safety Procedures).

Details TreeThis component displays the complete details of the current message (the message selected in the Mes-sage List ) component.


12

The details are grouped by protocol layer, with a branch of the tree for each protocol layer. The detailsare formatted according to the underlying data type/representation:

• Raw bytes: each octet is displayed in hexadecimal format, ranging from 00 to FF.

• Hexadecimal: the value is displayed as an hexadecimal integer, with its integer value between paren-thesis. Example:

SD2: 0x68 (104)

• Composed octet: If an octet contains sub-fields, that only use some bits of the given octet, all sub-fields are displayed in a sub-branch of the tree display. For each sub-field, the relevant bits are dis-played, with a 1/0 value, and the bits pertaining to the other sub-fields are represented by a singledot. For single-bit sub-fields, the value is Set (1) or Not set (0). For multi-bits sub-fields, the integervalue is specified between parenthesis, with a constant name, if such constant is available in the pro-tocol layer specifications. Actually, single-bit fields are only relevant for the FDL protocol layer.

• Time (in miliseconds): formatted in HH:MM:SS.mmm format.

• Integer: no transformation is made.

• ASCII String: the octets are decoded in a legible ASCII string.

Status BarThis zone is used to display contextual information to the user. It can display the following information:

• Time difference between two messages in the Message List. See Time Column.

• Status of a Next/Previous message in Connection/of Type search. See Navigation Menu.

• Failed verifications details. See Protocol Verifications for the list of verifications.

Message FiltersThe message filters dialog enable the user to select the filters to apply on the message visible in the Mes-sage List component. It can be very useful to restrict the visible messages to a specific Source/Des-tination address, or to a specific SLL Connection.

A checkbox in the Options Cockpit controls filtering: if checked, the Message List component only dis-plays the messages that comply with the defined message filter. Otherwise, message filters are ignored.Unchecked by default.


13

The message filters dialog is split in three zones:

• Global Settings: controls how message filters are applied and combined.

• Combine: the logical operator used to combine the filters. If AND is selected, the messages to bedisplayed must match all the Devices and Connections criterias. If OR is selected, the messagesto be displayed must match one or more of the Devices and Connections criterias.

• OK button: applies the modifications to the Message List component.


14

• Cancel button: closes the dialog, discarding all changes.

• Devices: select the devices for which the Triple-F Sniffer application display Incoming (In) and Out-going (Out) messages.

• Connections: select the connections of which the application display the messages

Note: If available, the logical device and connection names substitute for the devices and connectionnames. To change the logical name for a station, click on its label and change the name. For more ex-planations on how to define logical Connection names, see Device And Connection Configuration

Layers SelectionsThis component contains one zone for every low-level protocol layer.

• FDL (see Profibus)

• SLL (see Safe Link Layer)

• STL (see Safe Time Layer)

In each protocol layer zone, there is a bold Protocol Layer checkbox, enabling or diabling the full layer.Individual checkboxes for packet types enable to show/hide specific packet types in the Message Listcomponent.

Layer protocol selection is not cumulative: if you uncheck a layer which sits above another layer (E.g.uncheck STL, while FDL and STL are checked.) it has NO influence on the underlying layers.

Connection Colors ManagementThis dialog enable the user to customize the colors used in the Connection Column, in the MessageList.


15

Each SLL Connection has a clickable label, which background color is the Connection's current color.To change it, click on the label, and select a new color.

New selected colors will be restored after Triple-F Sniffer application shutdown/restart.

Time SettingsThis group of components controls the value of the Time column in the Message List component.

The user can change the value of two variables: the time display and the time base. They are describedin detail in the following paragraphs.

Time DisplayThis variable determines the computation of the Time column. The computation is as follows:

• Relative: The time from the first message in the current traffic capture file

• Absolute: The absolute time, computed as follow: The file creation date of traffic capture file plusthe time from the first message in the current traffic capture file.

Example: if the traffic capture file has a file creation date equals to 1/1/2004 08:12:26.345, and theRelative Message time is 00:00 02:56.789, the Absolute message time is 1/1/2004 08:15.23.134.


16

• Delta: the time difference between the current message and the previous visible message in the Mes-sage List component.

Time BaseThis group of controls is only enabled when the Time Display group of control is on Relative or Abso-lute. It can take the following values:

• Local: The value computed according to the Time Display settings is unmodified.

• Reference: The value computed according to the Time Display settings is adjusted with a DynamicAdjustment Factor. This Adjustment Factor is computed according to the STL specifications. For de-tailed information, see Local Reference Time

Local Reference Time ComputationThe STL protocol layer defines how a station must compute the Local Reference Time in chapter 7, "Spe-cifications of functions". The Triple-F Sniffer application keeps track of the Sync And Reference Timepackets to compute an adjustment factor, between its Local Time (based on the timestamps on each mes-sage in the traffic capture file) and the Reference Clock. This adjustment factor is used to deduce theLocal Reference Time.

This Local Reference Time can be seen as the "Bus" time and be compared against the Local ReferenceTime on the devices connected to the Profibus.

Technically, the adjustment factor is computed by taking a moving average of the difference betweenthe Local Time and the Reference Time. The size used for the moving average computation is 16 ele-ments.

Connection ManagementPoint-to-Point Connections are defined in the SLL protocol layer. The Triple-F Sniffer application keepstrack of the Packet sequences that make up a SLL Point-to-Point Connection. SLL Packets that do notrespect the normal Connection Packet sequence (For example a Data Packet arriving after a DisconnectPacket) are marked as "Out-of-connection" SLL Packets.

See Message List for more details about "Out-of-connections" Packets.

Preferences Dialog


17

The Preferences dialog contains the following global application settings.

• Skip Tokens: if enabled, the application will not read FDL Tokens from the underlying traffic cap-ture file. This option is enabled by default. Be careful when disabling this function, as FDL Tokensmight account for 99% of the Profibus network traffic, and will have a high impact on Triple-FSniffer performance.

• Do not read whole file: When enabled, the application will not read the full traffic capture file. Mes-sages will be read just-in-time, when the user scrolls down the Message List, or navigates to the endof the Message List.

• Skip Multicast Doubles. The SLL specifies that Multicast packets must be sent twice on the Profibusbus. This option will disable the display of Multicast doubles.

• Subset-058 version. A dropdown component proposes the different available versions of the Subset-058 specifications that can be used to decode the STM Application Layer messages. The availableversions are version 2.1.1, version 2.1.4 and version 2.1.2F. For more information about the differentSubset-058 versions, contact the ERTMS STM workgroup.

CRC VerificationsThe messages belonging to the SLL protocol layer carry a CRC checksum. This CRC checksum is com-puted using information contained in the SLL Packet, as well as implicit information. For a complete ex-planation of CRC checksum computation, look into the SLL specifications.

For SLL Multicast packets, all the information needed to compute the CRC is contained in the Packet it-self. For other SLL Unicast Packets, the 32 bits Connection Sequence Number must be provided. theConnection Management component keeps track of the sequences of SLL connections as well as the


18

Connection Sequence Number, incremented for each Packet.

One problem with CRC verification is that the cause of a wrong CRC can be twofold:

• Error when computing the CRC checksum, in the software that originated the Message.

• Error when verifying the CRC checksum, because of wrong implicit information. For example, if thetraffic capture file is missing a previous SLL Packet, the Connection Management component hasnot been able to increment the Connection Sequence Number, therefore impacting the CRC check-sum verification.

FFFIS STM Report DialogThis dialog is used to generate PDF reports, based on traffic displayed in the analyzer. The report gener-ator takes only the filtered traffic into account, to enable the user to filter out some messages For moreinformation about message filtering, see Message Filters.


19

It supports the following options:

• Report File: specifies the file name to be used to save the generated report.

• Report Title: specifies the title that will be printed on the report's cover page

• Use relative times (D.HH:MM:SS): If checked, the times throughout the report will be printed in rel-ative times. Otherwise, absolute times will be used.


20

• Time Range: restrict the report generation to messages whose arrival time is greater or equal to the"From" value, and smaller or equal to the "To" value. "From" and "To" are expressed inHH:MM:SS, or in absolute time, regarding the value of the "Use relative time" option.

• Bandwidth reporting: if checked, this option will include bandwidth usage statistics in the report.

Bandwidth reporting supports the following options:

• Graph per Station: the report will contain a separate bandwidth graph for each station

• Graph per Connection: the report will contain a separate bandwidth graph for each SLL connec-tion

• Average window: This is the time in seconds used to compute the average bandwidth.

• Fixed scale: If checked, bandwidth graphs will use a fixed scale for the Y axis, in place of a pro-portional scale.

• Error reporting: if checked, the report will include information about detected errors in the differentprotocol layers. For more information, see Protocol Verification . Checkboxes allow the user to spe-cify the protocol layers for which errors must be reported. The following options control how errorsare displayed in the report:

• Error Expansion: It is possible to control what information is given about each error, by chosingto show no layers (None), just content of the problematic layer (Offending Layer) and all themessage content (All Layers).

• Error Grouping: groups the error by error Time, error source Station or error SLL Connection.

• Auto Preview: view the generated report in the default PDF reader after report generation.

Record Dialog


21

This dialog is used enable the user to record Profibus and/or Euroradio network traffic using the SpyBoxacquisition hardware.

To record some traffic, do the following:

• Enter the SpyBox I.P. address or hostname

• Select a file for the captured traffic

• Optionally, specify a script file to be runned on the recorded traffic. (See Scripting For more explan-ations.)

• Enable at least one of the following:

• one or both PROFIBUS bus

• one or multiple Euroradio Modems (Available only if the Euroradio Plugin is installed)

• For each bus, select a filtering level

• If one or more Euroradio modem is selected, specify the DATA and COMMAND baudrates, and therecording options. (See Modem Recording Specifics).


22

• Push the Record button

Once downloading, a feedback dialog is displayed, containg the following items:

• Duration: the amount of time since the beginning of the recording session

• Packets received: the total amount of PROFIBUS and/or Euroradio frames recorded

• Bytes received: the total amount of bytes recorded

• Scripting details: If a script file has been specified, this zone displays the standard output streams ofthe script. (See Scripting For more explanations.)

• "Open in sniffer..." checkbox: if checked, the captured traffic file will be opened in the Triple-FSniffer

• Stop button: if clicked, stop the recording session

SpyBox Administration Dialog


23

The SpyBox Administration Dialog enables you to perform the following tasks:

• Specify recording mode

• Specify storage policy

• Specify for each bus the filtering policy to be applied

• Enable one or both PROFIBUS bus for recording


24

• one or multiple Euroradio Modems (Available only if the Euroradio Plugin is installed)

• Download (and clear) the captured traffic stored in the SpyBox

For a detailed description of the SpyBox configuration settings, see Recording

When you click on Download, a download dialog pops up. This dialog enables the user to:

• Specify a partial download, with start and end date and time

• Enable session detection. When enabled, a new file will be created for each session detected by theSpyBox.

• Clear the captured traffic after download. The complete traffic stored in the SpyBox will be deleted,even if the user has chosen "partial download".


25

Export Dialog

This dialog provides the ability to export the content of FDL/SLL/STL/AppLayer messages to a formatsuitable for external processing. Two export formats are provided: CSV and TXT. The user can restrictthe messages and the protocol fields to be exported.

• CSV: CSV stands for "comma separated values", and is more or less formally specified here: ht-tp://www.ietf.org/internet-drafts/draft-shafranovich-mime-csv-05.txt. The user is free to chose thefield separator to be used in the CSV exported file (comma or semicolumn).

• TXT: raw text format, with a summary line for each message, followed by one additional line foreach field and its value, for all protocol layers.

Euroradio Quality Of Service DialogThis dialog enables the user to create a Subset-093[http://www.era.europa.eu/public/ERTMS/ERTMS%20Documentation/Informative%20specifications/Subset-093-v230.pdf] GSM-R Quality of Service report.


26

This dialog enables the user to specify the following items:

• File name: the file name under which the report will be saved.

• Report title: a title which will be inserted in the report.

• Report type: PDF or CSV (Comma-Separated Values). A CSV file is an easy way to import the datainto a spreadsheet for further reporting.

• CSV separator: only enabled for the CSV report format. This separator will be used to separate thevalues on each line. Default is ";".

• The Subset-093 statistics to be included in the generated report.

Euroradio Key Management DialogThis dialog enables the user to update the 64-bit encryption key shared between the train and the track.The key must be entered in the input text field as follows:

0A 0B 0C 01 02 03 FF FF 0A 0B 0C 01 02 03 FF FF 0A 0B 0C 01 02 03 FF FF

The introduced key is saved between sessions. After having changed the key, the user must close and re-


27

open the Euroradio *.es3f file to force MAC recalculation.

Euroradio SpyCable DialogThis dialog allows to record Euroradio traffic captured from a SpyCable connected to the computerwhere the Triple-F Sniffer is installed. If baudrates specified for DATA and COMMAND modes are dif-ferent, the state of the DCD flag is used to automatically switch between the two baudrates during re-cording (See Modem Recording Specifics).


28

Chapter 4. Recording PROFIBUS trafficwith the SpyBox hardware

This chapter describes how to use the dedicated SpyBox hardware to record PROFIBUS traffic.

First steps

Procedure 4.1. Record some Profibus traffic using the SpyBox acquisitionhardware.

1. Connect the SpyBox to an ethernet network using an ethernet cable, and connect the SpyBox to aProfibus network using a Profibus bus.

2. Use the File # Record to open the Record Dialog. Browse to the desired file, enable bus 0, and clickon the Record button.

3. Once you have recorded enough traffic, click on the Stop button of the recording progress window.

Recording filtersThe SpyBox enables you to filter the recorded traffic. As tokens and scans messages account for 98.5%of the PROFIBUS traffic, filtering them out enable the SpyBox to record 100 times more traffic, withthe same storage space. The following filters can be used, for each bus individually:

• Filter Off: records everything, including tokens and scans (most storage-intensive)

• Skip tokens: records everything but the tokens

• Skip scans/tokens: records everything but the tokens and the scans (most compact)

Recording session detectionThe recorded traffic downloaded from the SpyBox contains end-of-session markes. This end-of-sessionmarkers are inserted automatically each time that there is no SDN or SDA traffic on both PROFIBUSbuses for more than 5 seconds.

29

Chapter 5. ScriptingIntroduction

The scripting facilities in the Triple-F Sniffer enable the user to add new bahaviour to the PROFIBUS/SLL/STL/AppLayer recording process by writing short (and less short) scripts in the Python[http://www.python.org/] language.

NOTE: the scripting facilities are only available in the TripleFSniffer Lab Edition.

These scripts can operate in two different modes:

• Online mode: the script receives the stream of messages coming from the SpyBox. This mode isavailable from the Graphical User Interface and from the Command-line interface.

• Shell mode: the script receives the stream of messages coming from a previously recorded es3f file.This mode is only available from the Command-line interface.

Some examples of common scripting use cases:

• Filter out all tokens and scans in an .es3f file

• Sends a message on a TCP/IP socket when we see an STM-8 (Odometry) Application Packet con-taining V_NOM > X.

• Remotely control recording of es3f files.

• ... your imagination is the limit!

High-level ArchitectureThe scripting architecture is embedded in the message processing component of the Triple-F Sniffer.This message processing component is responsible for loading a stream of messages from a source (anonline connection to the SpyBox, or an .es3f file), and do something with it. Currently, the Triple-FSniffer is capable of two things: display the message stream in its graphical user interface, or record it ina file, for later analysis. With the scripting facilities, the user gets an access to the incoming messagestream, and can perform specific actions with these messages.

The following list of actions are possible:

• Custom actions before/after a scripting session. For example: initializing counters, network connec-tions, file descriptors, resource cleanup, etc.

• Start/Stop message stream recording, with control over the recorded file name.

• Filter which messages should be recorded.

• Perform any action for each message. For example: if this message contains an STM-15 packet, andthat the NID_STMSTATE is 6 (Hot Standby), then sends an http request to any host, with "HELLO"as content.

30

http://www.python.org/

Python language and .Net class librariesThe Triple-F Sniffer is built on top of the .Net framework. The python [http://www.python.org/] inter-preter embedded in the Triple-F Sniffer gives the script programmer to the whole .Net 2.0 class library.(See here [http://msdn2.microsoft.com/en-us/library/ms306608(en-us,vs.80).aspx] for a full reference ofthe .Net API).

Besides the full python language, and the complete .Net 2.0 class library, the scripts have access to theFFFIScom [http://www.ertmssolutions.com/fffiscom/csharpapi/] FDL/SLL/STL/ApplicationLayer en-coding/decoding library, to give a native, object interface to FDL/SLL/STL/AppLayer decoded mes-sages.

Scripting interfaceScript are written in the Python [http://www.python.org/] language. The script is loaded by the Triple-FSniffer when starting a scripting session. After script loading, the Triple-F Sniffer will check if the fol-lowing functions are defined in the user script:

• init_session(fileNamePrefix): perform initialization tasks.

• handle_message(message, bus): The place to put custom behavior that must happen for allspecific messages.

• start_recording(message, bus): Returns a (True, filename) tuple to start a new recordingsession on the given filename, (False, None) otherwise.

• record_message(message, bus): when the session is currently recording, returns True ifmessage should be recorded, False otherwise.

• stop_recording(message, bus): Returns True if the current recording session should bestopped, False otherwise.

• end_session(): perform cleanup tasks.

• idle(). This function is called when there is no incoming message for more than 1 second. If theuser throws an exception, the current recording session will be stopped, and end_session() will becalled.

After having loaded the script, the Triple-F Sniffer scripting engine will invoke the user-defined func-tions in the following order. It is not mandatory to define any functions, non-defined functions will beignored by the Triple-F Sniffer.

• Once at the beginnig of session, init_session(fileNamePrefix)

• For each message received from the underlying message source (SpyBox or file):

• handle_message(message, bus)

• If the Triple-F Sniffer is not currently recording: start_recording(message, bus).

• If the Triple-F Sniffer is currently recording:

• record_message(message, bus)

• stop_recording(message, bus)

Scripting

31


http://msdn2.microsoft.com/en-us/library/ms306608(en-us,vs.80).aspx

http://www.ertmssolutions.com/fffiscom/csharpapi/


• If the stop_recording(...) function has returned True, the functionsstart_recording(message, bus) and record_message(message, bus)are called again with the same message, so that the user can stop and directly start a new re-cording session on the same message.

• idle(...)is called each second, independently of the recording state.

• Once at the end of session, end_session()

Example 5.1. A simple example

#emptytest.py#This script does nothing.

def init_session(fileNamePrefix):pass

def handle_message(message, bus):pass

def record_message(message, bus):return False

def start_recording(message, bus):return (False, None)

def stop_recording(message, bus):return False

def end_session():pass

def idle():pass

Scripting API Reference

init_session(fileNamePrefix)

This function is called once at the beginning of the recording session. It receives two parameters:

• fileNamePrefix: The file name entered by the user if the script has been started from theGraphical User Interface, in the SpyBox Online Actions dialog, None otherwise.

This function returns no value.

Scripting

32

handle_message(message, bus)

This function is called for each message coming from the underlying source (file or spybox). It receivesas parameter the message and the bus number (0 or 1) on which this message has been captured.

This function returns no value.

start_recording(message, bus)

This function is called for each message coming from the underlying source (file or spybox), when thereis no active recording session. It receives as parameter the message and the bus number (0 or 1) onwhich this message has been captured.

This function returns a tuple containing two elements in the following order: a bool value and a string.The bool value set to True indicates that the Triple-F Sniffer should start a new recording session. Thestring is the name of the file on which the messages will be recorded.

record_message(message, bus)

This function is called for each message coming from the underlying source (file or spybox), when thereone active recording session. It receives as parameter the message and the bus number (0 or 1) on whichthis message has been captured.

This function returns a bool value. If the value is set to True, the passed message will be recorded. If setto False, this message will be skipped.

If this function is not defined, messages are recorded by default.

stop_recording(message, bus)

This function is called for each message coming from the underlying source (file or spybox), when thereone active recording session. It receives as parameter the message and the bus number (0 or 1) on whichthis message has been captured.

This function returns a bool value. The bool value set to True indicates that the Triple-F Sniffer shouldstop the current recording session.

end_session()

This function is called once at the end of the scripting session. It returns no value.

idle()

Structure of the message parameterThe functions called during the message processing cycle (handle_message(message, bus),record_message(message, bus), start_recording(message, bus) andstop_recording(...)) receive a message as parameter. The parameter type is FFFISStmPacket. Itis instantiated by the Triple-F Sniffer message processing and contains the decoded messages forPROFIBUS/SLL/STL/Application Layer.

The accessors message[Layers.PROFIBUS], message[Layers.SLL] and mes-sage[Layers.STL] give access to the respective decoded packet objects. An additional accessor,

Scripting

33

message.AppLayerContent returns the Application Layer wrapper, or None if this mes-sage[Layers.SLL] cannot be decoded as a valid Subset-058 application message. The mes-sage.AppLayerContent.Message accessor gives access to the Subset058Message[http://www.ertmssolutions.com/fffiscom/csharpapi/FFFISCOM.utils.Subset058Message.html] instance.

For a complete description of the API of decoded protocol objects, take a look at the FFFIScom APIdocumentation [http://www.ertmssolutions.com/fffiscom/csharpapi/].

How to run your first scriptThis section illustrates a very simple script to filter out all pure profibus traffic (tokens, scans, acks,short acks) from a previously recorded *.es3f file

#emptytest.py#This script filters out the tokens and scans from a previously recorded file.

def start_recording(message, bus):"""we start recording at the first packet, in the filtered.es3f file"""return (True, "filtered.es3f")

def record_message(message, bus):"""We accept only messages for which layer > PROFIBUS"""return (message.Layer > Layers.PROFIBUS):

Procedure 5.1. Run a simple script on an existing *.es3f file.

1. Open a system console, make sur the Triple-F Sniffer installation directory is your PATH.

2. Run the TripleFShell command as follow: TripleFShell --enablescript --scriptfile=simple.py --file=basic.es3f

3. Open the filtered.es3f to check the result.

Complex scripting example: Server mode im-plementation

Because the protocols requirements will be different for each user (TCP, UDP, HTTP, ...), the Triple-FSniffer do not ship a fixed remote control TCP/IP protocol. The purpose of this example is to show howto implement remote recording start and stop via TCP/IP, using the scripting interface.

#HttpRecordingServer.py#This script starts an HTTP server listening for HTTP POST requests, with#"START" or "STOP" in the request body. "START" and "STOP" will turn on/off#packets recording.

#import webserver component.

Scripting

34

http://www.ertmssolutions.com/fffiscom/csharpapi/FFFISCOM.utils.Subset058Message.html



#For the full API documentation of HttpListener class,#look there: http://msdn2.microsoft.com/en-us/library/34xswsd2(en-US,VS.80).aspxfrom System.Net import HttpListenerfrom System.Text.Encoding import UTF8from System.IO import StreamReader

#declare a global HttpListener variablehttpListener = HttpListener()#configure it to listen to port 8080httpListener.Prefixes.Add("http://*:8080/")

#store the desired recording state, defaulting to Falserecording = False

def init_session(fileNamePrefix):global httpListenerhttpListener.Start();#pass the function handle_http_request as HTTP requests handler, and#starts non-blocking listeninghttpListener.BeginGetContext(handle_http_request, None)

def start_recording(message, bus):global recordingreturn recording

def stop_recording(message, bus):global recordingreturn not recording

def end_session():global httpListener#stop listener at the end of the session.httpListener.Stop();

def handle_http_request(asyncResult):#HTTP request handler. We use .Net components#to read the request, and format an "OK" response.global httpListener, recordingcontext = httpListener.EndGetContext(asyncResult)requestBody = StreamReader(context.Request.InputStream).ReadToEnd()#handle the commandif requestBody == "START":recording = Trueif requestBody == "STOP":recording = Falseresponse = UTF8.GetBytes("OK")#Get a response stream and write the response to it.context.Response.ContentLength64 = response.Lengthcontext.Response.OutputStream.Write(response,0,response.Length)#You must close the output stream.context.Response.OutputStream.Close()#handle next requesthttpListener.BeginGetContext(handle_http_request, None)

Scripting

35

Chapter 6. JRU Messages DecodingPluginIntroduction

The JRU Messages Decoding Plugin enables the Triple-F Sniffer to decode the messages sent from theEVC to the JRU, when the following conditions apply:

NOTE: the JRU Messages Decoding Plugin requires that your license.txt file includes jru plugin activa-tion. Without that, the plugin configuration will have no effect.

• The Messages sent from the EVC to the JRU comply the format specified in UNISIG Subset-027version 2.2.10. (Check the ERA website to download[http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx] the Subset-027 specification)

• The EVC is using the SLL and STL protocol layers to connect to the JRU.

Some JRU messages contain embedded Euroradio, Eurobalise and Euroloop messages, encoded asdefined in UNISIG Subset-026 (Check the ERA website to download[http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx] the Subset-026 specification). These messages are also fully decoded in the Triple-F Sniffer.

How to activate the JRU plugin?1: Shut down the Triple-F Sniffer

2: Open the Triple-F Sniffer session settings XML configuration file with any text editor, and insert thefollowing XML fragment

<PluginConfig><JruPlugin

SourceAddress="..."DestinationAddress="..."Sap="..."/>

</PluginConfig>

right after the Colors XML fragment:

<Colors><Mappings>

...</Mappings>

</Colors>

36



3: Make sure that you match the SourceAddress, DestinationAddress and Sap attributes the ones used bythe EVC to connect to the JRU. If the addresses and/or sap do not match, the JRU messages will bemarked as Invalid messages by the Protocol Verification component.

4: Save the configuration file and restart the Triple-F Sniffer.

JRU Plugin ScreenshotsJRU messages without the plugin configured:

JRU messages with the JRU Plugin in action:

Some decoding details:

JRU Messages Decoding Plugin

37

Chapter 7. Euroradio PluginIntroduction

The Euroradio Plugin adds the following features to the Triple-F Sniffer:

• Decoding of the full Euroradio protocol stack: HDLC, T.70, X.224, Euroradio safety layer and Sub-set-026 application messages and packets, to decode the communications between an EVC and oneor more RBCs.

• SpyCable recording, eliminating the need of a SpyBox hardware, for Euroradio recording using justa Triple-F Sniffer-installed PC with a SpyCable. For more information about the SpyCable design,check the SpyCable section.

Serial modem recording specificsWhile recording traffic exchanged between a DTE (E.g. EVC )and a DCE (E.g. GSM-R Modem), thebaudrates used for the serial link between the DCE and DTE may vary. Support is provided in theTriple-F Sniffer through the option "Change BaudRate on DCD". This option enables the user to specifydifferent baudrates for COMMAND and DATA modes, and to configure the SpyCable recording toautomatically switch baudrate when the state of the DCD flag changes.

SpyCable designThe SpyCable is a cable designed on purpose for spying the signals between a computer and a Modem,connected by an RS-232 serial cable. It will send the RX and TX signals to the RX signals in two otherRS-232 cables, allowing another computer to observe the communication without any interference.

• A: to be connected to the cable going out of the DTE (E.g. EVC or RBC)

• B: to be connected to the cable going out of the DCE (I.e. modem)

• C: to be connected to the Triple-F Sniffer-equipped PC or SpyBox, for Upstream communication

• D: to be connected to the Triple-F Sniffer-equipped PC or SpyBox, for Downstream communication

The following schema sketch the design of a SpyCable, with all the necessary wire connections.

38

Euroradio Plugin

39

Chapter 8. Command-line interfaceThis chapter describes the Command-line interface, its usage options and its output.

Command-line manualThe application can be used in a command prompt to support traffic capture file validation, detaileddumps or scripting.

SnifferShell {--file} [-v] [--strictcrc] [--keeptokensandscans] [--bus0] [--bus1] [--sllchecks] [--raw][--enablescript] [--scriptfile] [--spyboxaddress] [--subset58version] [--euroradiomodems][--databaudrate] [--commandbaudrate] [--baudratefollowdcd] [--detectatpricommand]

• -t: "Text mode". If not specified, the Application will open its Graphical User Interface.

• --file=myfile.myext: "File". The traffic capture file to process.

• -v: "Verbose". Output complete Message information for each Messages. If not specified, the com-mand will only output the following: [bin]> ./SnifferShell --file=test.traceTrace successfully decoded 137373 packets [bin]>

• --strictcrc: "Strict CrC": verifies the CRC. In case of invalid CRC, an error will be outputted, andprocessing will stop.

• --keeptokensandscans: "Keep tokens and scans": read Profibus Token and Scans Packets. By default,these are skipped when recording from the command-line.

• --bus1: Specify PROFIBUS bus 1 as the master bus to be used to read a trace file. Bus 0 is the de-fault master bus.

• --sllchecks: Enforce SLL checks for command-line trace file reading. Otherwise, the SLL checks arenot enforced.

• --raw: output the raw bytes and status of each record in the trace file.

• --enablescript: turn on the scripting engine, for online or trace file evaluation.

• --scriptfile=myscriptfile.py specifiy the path to the script file to be executed.

• --spyboxaddress: when doing online scripting, specify the IP address of the SpyBox.

• --subset58version=[1|2|3] Specify the version of the subset-058 to be used for decoding. The num-bers correspond to the following subset-058 versions:

• 1: V2.1.1

• 2: V2.1.4

• 3: V2.1.2F

• --euroradiomodems: Comma-separated list of euroradio modems to be recorded from the SpyBox.Euroradio modems have indexes going from 0 to 3.

• --databaudrate: Baudrate to be used for euroradio recording in DATA mode.

• --commandbaudrate: Baudrate to be used for euroradio recording in COMMAND mode.

40

• --baudratefollowdcd: If this option is specified, euroradio recording will use the baudrates specifiedfor DATA and COMMAND according to the state of the DCD flag. (See Modem Recording Specif-ics).

• --capturescriptout: If this option is specified, the standard output streams and error streams are redir-ected to the Triple-F Sniffer log file, TripleFShell.log. By default, these output streams will appearon the console output.

Command-line interface

41

Chapter 9. Configuration filesThis chapter describes the various Triple-F Sniffer application configuration files.

Session Settings ConfigThis configuration file is located in the Triple-F Sniffer installation directory, and is called sniffer-config.xml.

The session settings config file stores information about the following User Interface items:

• traffic capture file: the path to the currently opened traffic capture file

• Window settings: the position of the Main Window component, its size, and its maximized/normalstate.

• Selected columns: the name of each selected columns. See Column Selection for more info on howto select column.

• Selected layers. the protocol layers selected for display. See Layer Selections for more info on howto select protocol layers.

• Column styles: the position and size of all columns (displayed or not).

• Message Filters Settings: the content of the Message Filters dialog.

• Connection colors: the content of the Connections Color Management dialog.

• Plugin configuration: the configuration of the various Protocol Plugins installed in the Triple-FSniffer. See for instance JRU Plugin

NOTE: This configuration file is overwritten every time the application is closed. If modified by handand invalid, its whole content will be discarded. It is created the first time the user exits the application.It is not advised to modify this file manually.

Devices And Connections ConfigurationThe column Connection in the Message List component contains the SLL Connection identifier. Theconnection identifier can be replaced by a logical connection identifier specified in the configurationfile.

To add a new logical device identifier, insert a new XML tag under the <DevicesMapping> element asin the following example:

<Device Name="LOGICAL DEVICE NAME" Address="2"/>

To add a new logical connection identifier, insert a new XML tag under the <DevicesMapping> elementsuch as the following example:

<LogicalConnection Name="STM-CONTROL-1" SourceDevice="2" SourcePort="11" DestinationDevice="5" DestinationPort="11"/>

42

Configuration files

43

Index

44

TripleFSniffer

Documents

Transcript of TripleFSniffer