Triple-F Sniffer manual
List of Examples
5.1. A simple example
Introduction
This document contains everything needed to use all the functions available in the Triple-F Sniffer application.
The scope of the Triple-F Sniffer application is a subset of the ERTMS specifications: to record, decode and analyze communications going over the PROFIBUS and Euroradio interfaces, complying with the FFFIS specifications. The two FFFIS interfaces are specified in UNISIG Subset-035 (FFFIS STM) and UNISIG Subset-037 (Euroradio FFFIS), available on the ERA [http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx] website.
• Message listing
• Message filtering
They are discussed in detail later in the document. See section User interface components for a detailed description of each part of the User Interface.
Chapter 1. Concepts and definitions
The following explains the basic concepts related to the Triple-F Sniffer application. It only provides a superficial explanation, and links to more complete information are provided at the end of this document, indicated by footnote references.
Some definitions are extracted from official ERTMS specifications, available on the ERA [http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx] website.
Profibus
The transmission medium used to communicate between devices. Full specifications can be found here [http://www.profibus.com/]. NOTE: "FDL" is frequently used as a synonym for "Profibus" in the following text.
Euroradio
The protocol stack used to communicate between the train and the track, on top of GSM-R radio transmission. This protocol stack is fully specified in UNISIG Subset-037.
SLL
Safe Link Layer, the protocol layer coming above the Profibus layer. It is fully defined in the Subset 57
of the FFFIS STM specifications.
STL
Safe Time Layer, the protocol layer coming above the SLL layer. It is fully defined in the Subset 56 of
the FFFIS STM specifications.
HDLC
HDLC is the protocol layer used in Euroradio communications for the data link layer. It is specified in
the ISO-7776 standard, available on the ISO website [http://www.iso.org/iso/en/ISOOnline.frontpage]
with delta specifications in the UNISIG Subset-037.
T.70
T.70 is a protocol layer used in Euroradio communications for the network layer. It is specified in the ITU-T-70 standard, available on the ITU website [http://www.itu.int/home/index.html].
X.224
X.224 is the protocol layer used in Euroradio communications for the transport layer. It is specified in the ISO-13239 standard, available on the ISO website [http://www.iso.org/iso/en/ISOOnline.frontpage].
Application Layer
The protocol layer coming above the STL layer, in the case of PROFIBUS communications, or above
the X.224 layer, in the case of Euroradio communications. It is fully defined in the UNISIG Subset-058
and Subset-026 (chapters 7 and 8) specifications.
Packet
A packet is the unit of data routed between a source address and a destination address in any network.
Packets pertain to a protocol layer. Packets can be nested: a Packet of one protocol layer can contain
other Packets, pertaining to protocol layers located higher in the protocol stack.
Message
We define a message by taking the lowest-level protocol layer: the Profibus layer. A Message is a Profibus Packet, together with all Packets pertaining to upper protocol layers, encapsulated in the Profibus Packet.
Chapter 2. First steps
Procedure 2.1. Open a traffic capture file using the Triple-F Sniffer application.
2. Use File → New (Ctrl-n) to open a new traffic capture file. Browse to the desired file, and click on the Open button.
3. In the application window, you will see the FFFIS-STM messages contained in the traffic capture
file, or a warning showing that the traffic capture file is invalid.
Chapter 3. User interface components
The following provides in-depth explanation about every component making up the Triple-F Sniffer application. For each component, we have a general description, and a list of all possible user interactions. Detailed screenshots are provided when necessary.
Main Window
This window is the application entry point. It hosts menus and controls to drive all the application functions. It is divided in three zones:
The window title bar can have different values. If a traffic capture file is currently opened, its value is the file name of this traffic capture file. Otherwise, it is "APPLICATION_NAME".
The Main Window also contains a menu bar, giving access to the functions documented below.
File Menu
• Open. Opens a traffic capture file, and displays the messages in the Message List zone.
Navigation Menu
• Go to End. Make the Message List scroll to the last visible message of the opened traffic capture file. For a complete explanation of which messages of the traffic capture file are visible, see Message Filters and Layer Selections sections.
• Next in Connection. Make the Message List scroll to the next message of the opened traffic capture file, which belongs to the same SLL Connection. If there is no next Message, the message "No matching Message found" is displayed in the Status Bar. If there is a next Message, the message "Matching Message at index: " is displayed in the Status Bar, with the index of the corresponding Message. For a complete explanation of which messages of the traffic capture file are visible, see Message Filters and Layer Selections sections.
• Previous in Connection: Make the Message List scroll to the previous message of the opened traffic capture file, which belongs to the same SLL Connection. The Status Bar message is the same as in "Next in Connection".
• Next of type: Make the Message List scroll to the next message of the same type as the currently selected message. The Status Bar message is the same as in "Next in Connection". The type of the message is displayed in the Message Columns. See columns FDL, SLL and STL.
• Previous of type: Make the Message List scroll to the previous message of the same type as the currently selected message. The Status Bar message is the same as in "Next in Connection".
• Next error: Make the Message List scroll to the next Message which fails at least one Protocol Verification.
• Previous error: Make the Message List scroll to the previous Message which fails at least one Protocol Verification.
Tools Menu
• Preferences: open the Preferences dialog.
Report Menu
• Preferences: open the Report dialog.
SpyBox Menu
• Online Actions: open the Record Dialog.
Euroradio Menu
• SpyCable capture: open the Record Dialog.
Help menu
• Help. Displays the User Documentation in the Windows Help Browser.
• About. Displays a Dialog showing product version information and license information.
Message Options
This user interface zone groups the following controls that give access to message display options:
The filter is only applied if the Enable checkbox is checked. The regular expression is evaluated after the
user leaves the regular expression text field, by pressing the tab key, or focusing another user interface
component with the mouse.
For a complete reference on regular expression syntax, please check this website [http://www.regular-expressions.info/].
Message List
This component displays the messages in the selected traffic capture file.
• Mouse wheel: In order to zoom the font size in and out, use the mouse wheel, combined with the
Shift key. The font size will be adjusted accordingly.
• Left click: Click on a message to select it. Once a message is selected, details are displayed in the Details Tree component.
• Right click: gives access to context menu, with the choice between showing a Details Tree in a new
window, and showing the Adjustment factor.
• Double message selection: If a single message is selected, and a second message is selected using a
Mouse Click with the Ctrl key pressed, the time difference between the two messages is displayed in
the Status Bar component.
• Dragging column header: column headers can be dragged by the mouse to another location in the
header row, so that they can be re-ordered. Ordering is saved when the user closes the application,
• Select multiple messages: by selecting a first message using the mouse, then - while pressing the Shift key - selecting a second one, all the message range between these two messages will be selected as well. This multiple message selection can be used for message exports or reports.
Message Columns
This section details all the columns available in the Message List component. The following columns are
available:
• Index: represents the index of the message in the currently opened traffic capture file. This index is
zero-based (starts with zero).
• Time: displays the time value according to the current Time Settings. The time format used is
HH:MM:SS.mmm for relative times, and DD/MM/YYYY HH:MM:SS for absolute times.
• Conn: displays the SLL connection, if the message is of the SLL protocol layer, or above. This
column receives a different background color for each connection. Messages belonging to the
Profibus have a white background color.
Note: Multicast messages, even if they are not part of any connection, do have a connection value. This value is logical, and is added to enable users to filter Multicast packets (see Message Filters), based on the virtual connection identifier.
SA and DA are replaced by a logical device name, if a suitable definition is found in the Device And
Connection Configuration file.
• Summary: synthetic information, specific for each packet type. The full packet message information is available in the Detail Tree component.
• STL Delay: messages that pertain to the STL protocol layer have an STL timestamp attached (with the exception of the SyncAndRefTime message, which carries time synchronization information). This timestamp was recorded at the time the message was sent from the station. Therefore, as the $APPLICATION_NAME application computes a Local Reference Time, a delay can be computed between the STL timestamp and this Local Reference Time.
Column Selection
This dialog controls which columns are displayed in the Message List component. The columns are displayed in a Tree. If you select the "Columns" node, this will select all columns. Unselecting the "Columns" node will unselect all columns.
Pressing the Reset button will restore the selection to the state it was in before modifying the selection.
Pressing the Apply button will close the dialog, and apply the new column selection to the Message List
component.
Pressing the Cancel button closes the dialog, without any effect on the current column selection.
Protocol Verifications
This section covers all checks made for each Message, at the protocol level. Besides the checks specified
below, each protocol layer is verified, to detect message format errors. Error reporting is done for each
invalid protocol layer.
• SDA Acks: at the FDL level, the Triple-F Sniffer checks that SDA packets are directly followed by an FDL ACK packet, or an FDL SC (Short Ack) packet.
• Monotonic sequence numbers: at the SLL level, all packets carry a sequence number. The sequence number must be incremented by 1 for each packet in the same SLL logical connection.
• CRC: SLL packets carry a CRC checksum. This CRC is verified. For more details about CRC verifications, see Crc Checks.
• Multicast doubles: the SLL specifies that each multicast packet must be sent twice. The Triple-F Sniffer checks that each packet in the same SLL logical connection is directly followed by its equivalent.
• HDLC FCS check. The FCS (Frame Check Sequence) described in ISO-7776 is checked.
• Euroradio MAC check. The MAC (Message Authentication Code) specified in Subset-037 is computed and checked. The Triple-F Sniffer is only able to check the MACs for Euroradio packets if two conditions are met:
• The user has entered a shared authentication key using the Key Management Dialog.
• The X224 CR and CC packets are available in the recorded traffic. These packets contain the AU1 and AU2 authentication messages, which contain the information necessary to perform the MAC checks on the following Euroradio Safety Layer packets (AU3, AR and SaPDU).
For more information about the MACs, see Subset-037 paragraph 7.2.2.2 (Safety Procedures).
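Three of the checks listed above (SDA acks, sequence numbers, multicast doubles), sketched as an added example that is not part of the original manual and is not the Triple-F Sniffer's own code. The `Msg` record, its field names, the sample capture and the `seq_modulus` wrap-around are assumptions; the sequence check is applied to point-to-point packets only, because the manual does not say how multicast doubles are numbered.

```python
from collections import namedtuple

# Constructed, simplified view of a decoded message. Field names are
# assumptions made for this example, not the FFFIScom object model.
#   fdl       FDL packet type ("SDA", "ACK", "SC", "SDN", ...)
#   conn      SLL connection id, or None for FDL-only traffic
#   seq       SLL sequence number (point-to-point packets in this sketch)
#   multicast True for SLL multicast packets
#   body      bytes compared to recognise a multicast double
Msg = namedtuple("Msg", "index fdl conn seq multicast body")


def verify(messages, seq_modulus=2 ** 32):
    """Run three of the listed checks; return sorted (index, check) findings.

    seq_modulus (wrap-around point of the sequence counter) is an assumption.
    """
    findings = []
    last_seq = {}  # connection -> last point-to-point sequence number seen
    waiting = {}   # connection -> first copy of a multicast awaiting its double

    for pos, m in enumerate(messages):
        # SDA Acks: the very next message must be an FDL ACK or SC.
        if m.fdl == "SDA":
            nxt = messages[pos + 1] if pos + 1 < len(messages) else None
            if nxt is None or nxt.fdl not in ("ACK", "SC"):
                findings.append((m.index, "SDA_NOT_ACKED"))

        if m.conn is None:
            continue  # FDL-only message: no SLL checks apply

        if m.multicast:
            # Multicast doubles: next packet on the same connection must match.
            first = waiting.pop(m.conn, None)
            if first is None:
                waiting[m.conn] = m
            elif first.body != m.body:
                findings.append((first.index, "MULTICAST_NOT_DOUBLED"))
                waiting[m.conn] = m  # m may be the first copy of a new pair
        else:
            # Monotonic sequence numbers: +1 per packet on the same connection.
            prev = last_seq.get(m.conn)
            if prev is not None and m.seq != (prev + 1) % seq_modulus:
                findings.append((m.index, "SEQ_NOT_MONOTONIC"))
            last_seq[m.conn] = m.seq

    # Multicast packets still waiting at the end of the capture had no double.
    for first in waiting.values():
        findings.append((first.index, "MULTICAST_NOT_DOUBLED"))
    return sorted(findings)


# Constructed sample capture (not real traffic).
SAMPLE = [
    Msg(0, "SDA", 1, 10, False, b"connect"),
    Msg(1, "SC", None, None, False, b""),
    Msg(2, "SDN", 9, None, True, b"mc-A"),
    Msg(3, "SDN", 9, None, True, b"mc-A"),   # double present
    Msg(4, "SDA", 1, 11, False, b"data"),
    Msg(5, "ACK", None, None, False, b""),
    Msg(6, "SDA", 1, 13, False, b"data"),    # sequence number 12 is missing
    Msg(7, "SDN", 9, None, True, b"mc-B"),   # message 6 not acked; no double follows
    Msg(8, "SDA", 1, 14, False, b"data"),
    Msg(9, "ACK", None, None, False, b""),
]

if __name__ == "__main__":
    for index, check in verify(SAMPLE):
        print("message %d: %s" % (index, check))
```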
Details Tree
This component displays the complete details of the current message (the message selected in the Message List component).
The details are grouped by protocol layer, with a branch of the tree for each protocol layer. The details
are formatted according to the underlying data type/representation:
• Raw bytes: each octet is displayed in hexadecimal format, ranging from 00 to FF.
• Hexadecimal: the value is displayed as a hexadecimal integer, with its integer value between parentheses. Example:
• Composed octet: If an octet contains sub-fields that only use some bits of the given octet, all sub-fields are displayed in a sub-branch of the tree display. For each sub-field, the relevant bits are displayed, with a 1/0 value, and the bits pertaining to the other sub-fields are represented by a single dot. For single-bit sub-fields, the value is Set (1) or Not set (0). For multi-bit sub-fields, the integer value is specified between parentheses, with a constant name, if such a constant is available in the protocol layer specifications. Actually, single-bit fields are only relevant for the FDL protocol layer.
Status Bar
This zone is used to display contextual information to the user. It can display the following information:
• Time difference between two messages in the Message List. See Time Column.
• Failed verifications details. See Protocol Verifications for the list of verifications.
Message Filters
The message filters dialog enables the user to select the filters to apply on the messages visible in the Message List component. It can be very useful to restrict the visible messages to a specific Source/Destination address, or to a specific SLL Connection.
A checkbox in the Options Cockpit controls filtering: if checked, the Message List component only displays the messages that comply with the defined message filter. Otherwise, message filters are ignored. Unchecked by default.
• Global Settings: controls how message filters are applied and combined.
• Combine: the logical operator used to combine the filters. If AND is selected, the messages to be displayed must match all the Devices and Connections criteria. If OR is selected, the messages to be displayed must match one or more of the Devices and Connections criteria.
• Devices: select the devices for which the Triple-F Sniffer application displays Incoming (In) and Outgoing (Out) messages.
• Connections: select the connections of which the application displays the messages.
Note: If available, the logical device and connection names substitute for the devices and connection names. To change the logical name for a station, click on its label and change the name. For more explanations on how to define logical Connection names, see Device And Connection Configuration.
Layers Selections
This component contains one zone for every low-level protocol layer.
In each protocol layer zone, there is a bold Protocol Layer checkbox, enabling or disabling the full layer. Individual checkboxes for packet types make it possible to show or hide specific packet types in the Message List component.
Layer protocol selection is not cumulative: if you uncheck a layer which sits above another layer (e.g. uncheck STL, while FDL and STL are checked), it has NO influence on the underlying layers.
Each SLL Connection has a clickable label, whose background color is the Connection's current color. To change it, click on the label, and select a new color.
Newly selected colors will be restored after Triple-F Sniffer application shutdown/restart.
Time Settings
This group of components controls the value of the Time column in the Message List component.
The user can change the value of two variables: the time display and the time base. They are described
in detail in the following paragraphs.
Time Display
This variable determines the computation of the Time column. The computation is as follows:
• Relative: The time from the first message in the current traffic capture file
• Absolute: The absolute time, computed as follows: the file creation date of the traffic capture file plus the time from the first message in the current traffic capture file.
Example: if the traffic capture file has a file creation date equal to 1/1/2004 08:12:26.345, and the Relative Message time is 00:00 02:56.789, the Absolute message time is 1/1/2004 08:15:23.134.
• Delta: the time difference between the current message and the previous visible message in the Message List component.
Time Base
This group of controls is only enabled when the Time Display group of controls is on Relative or Absolute. It can take the following values:
• Local: The value computed according to the Time Display settings is unmodified.
• Reference: The value computed according to the Time Display settings is adjusted with a Dynamic Adjustment Factor. This Adjustment Factor is computed according to the STL specifications. For detailed information, see Local Reference Time.
This Local Reference Time can be seen as the "Bus" time and be compared against the Local Reference Time on the devices connected to the Profibus.
Technically, the adjustment factor is computed by taking a moving average of the difference between the Local Time and the Reference Time. The size used for the moving average computation is 16 elements.
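The Time Display and Time Base rules above, worked through as an added example that is not part of the original manual and is not the Triple-F Sniffer's code. The sign convention (reference minus local), the millisecond units, feeding one sample per time-synchronisation message and all names are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = 16  # moving-average size stated in the manual


class AdjustmentFactor(object):
    """Moving average of (reference - local) over the last WINDOW samples.

    The sign convention and the idea of feeding one sample per
    time-synchronisation message are assumptions of this example.
    """

    def __init__(self):
        self._diffs = deque(maxlen=WINDOW)  # oldest sample drops out automatically

    def observe(self, local_ms, reference_ms):
        self._diffs.append(reference_ms - local_ms)

    def value(self):
        if not self._diffs:
            return 0.0  # no sample yet: Reference equals Local
        return sum(self._diffs) / float(len(self._diffs))


def time_column(rel_ms, display, file_created=None, prev_visible_ms=None,
                adjustment_ms=0):
    """Value of the Time column for one message.

    rel_ms          milliseconds since the first message of the capture file
    display         "relative", "absolute" or "delta"
    file_created    datetime of the capture file creation (absolute only)
    prev_visible_ms rel_ms of the previous visible message (delta only)
    adjustment_ms   0 for the Local time base, AdjustmentFactor.value()
                    for the Reference time base
    """
    if display == "delta":
        # The Time Base controls are disabled in Delta mode.
        return timedelta(milliseconds=rel_ms - prev_visible_ms)
    adjusted = timedelta(milliseconds=rel_ms + adjustment_ms)
    if display == "relative":
        return adjusted
    if display == "absolute":
        return file_created + adjusted
    raise ValueError("unknown time display: %r" % (display,))


if __name__ == "__main__":
    # The manual's own example: 08:12:26.345 plus 2 min 56.789 s.
    created = datetime(2004, 1, 1, 8, 12, 26, 345000)
    print(time_column(2 * 60000 + 56789, "absolute", file_created=created))
```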
Connection Management
Point-to-Point Connections are defined in the SLL protocol layer. The Triple-F Sniffer application keeps
track of the Packet sequences that make up a SLL Point-to-Point Connection. SLL Packets that do not
respect the normal Connection Packet sequence (For example a Data Packet arriving after a Disconnect
Packet) are marked as "Out-of-connection" SLL Packets.
Preferences Dialog
• Skip Tokens: if enabled, the application will not read FDL Tokens from the underlying traffic capture file. This option is enabled by default. Be careful when disabling this function, as FDL Tokens might account for 99% of the Profibus network traffic, and will have a high impact on Triple-F Sniffer performance.
• Do not read whole file: When enabled, the application will not read the full traffic capture file. Messages will be read just-in-time, when the user scrolls down the Message List, or navigates to the end of the Message List.
• Skip Multicast Doubles. The SLL specifies that Multicast packets must be sent twice on the Profibus
bus. This option will disable the display of Multicast doubles.
• Subset-058 version. A dropdown component proposes the different available versions of the Subset-058 specifications that can be used to decode the STM Application Layer messages. The available versions are version 2.1.1, version 2.1.4 and version 2.1.2F. For more information about the different Subset-058 versions, contact the ERTMS STM workgroup.
CRC Verifications
The messages belonging to the SLL protocol layer carry a CRC checksum. This CRC checksum is computed using information contained in the SLL Packet, as well as implicit information. For a complete explanation of CRC checksum computation, look into the SLL specifications.
For SLL Multicast packets, all the information needed to compute the CRC is contained in the Packet itself. For other SLL Unicast Packets, the 32-bit Connection Sequence Number must be provided. The Connection Management component keeps track of the sequences of SLL connections as well as the
One problem with CRC verification is that the cause of a wrong CRC can be twofold:
• Error when computing the CRC checksum, in the software that originated the Message.
• Error when verifying the CRC checksum, because of wrong implicit information. For example, if the traffic capture file is missing a previous SLL Packet, the Connection Management component has not been able to increment the Connection Sequence Number, therefore impacting the CRC checksum verification.
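The two causes above can be told apart when analysing a capture, as this added example shows (it is not part of the original manual). `zlib.crc32` over the payload plus a 32-bit counter is a stand-in for the real SLL CRC, which is defined in the SLL specifications and not reproduced here; the resynchronisation window in `classify` goes beyond what the manual describes and is not a documented Triple-F Sniffer feature.

```python
import struct
import zlib


def sll_crc_standin(payload, conn_seq):
    """Stand-in checksum: CRC-32 over the payload followed by the implicit
    32-bit Connection Sequence Number. The real polynomial and field layout
    are defined in the SLL specifications and are NOT reproduced here."""
    data = payload + struct.pack(">I", conn_seq & 0xFFFFFFFF)
    return zlib.crc32(data) & 0xFFFFFFFF


def make_stream(payloads, first_seq=0, corrupt_at=None):
    """Constructed sender: one unicast packet per payload, as (payload, crc)."""
    stream = []
    for i, payload in enumerate(payloads):
        crc = sll_crc_standin(payload, first_seq + i)
        if i == corrupt_at:
            crc ^= 0x1  # simulate an error in the originating software
        stream.append((payload, crc))
    return stream


def naive_verify(capture, first_seq=0):
    """Verifier that simply counts the packets it has seen."""
    return [sll_crc_standin(p, first_seq + i) == c
            for i, (p, c) in enumerate(capture)]


def classify(capture, first_seq=0, resync_window=4):
    """Label each packet 'ok', 'gap:+k' (k packets missing before it) or 'bad'."""
    expected = first_seq
    verdicts = []
    for payload, crc in capture:
        if sll_crc_standin(payload, expected) == crc:
            verdicts.append("ok")
            expected += 1
            continue
        # CRC failed: does it validate if k earlier packets were not captured?
        for skipped in range(1, resync_window + 1):
            if sll_crc_standin(payload, expected + skipped) == crc:
                verdicts.append("gap:+%d" % skipped)
                expected += skipped + 1
                break
        else:
            verdicts.append("bad")  # no nearby counter value explains it
            expected += 1           # the sender still consumed a number
    return verdicts


if __name__ == "__main__":
    payloads = [b"p0", b"p1", b"p2", b"p3", b"p4"]  # constructed sample data
    full = make_stream(payloads)
    gap = full[:2] + full[3:]  # third packet missing from the capture
    print(naive_verify(gap))   # every packet after the gap fails
    print(classify(gap))       # the gap is identified, later packets verify
    print(classify(make_stream(payloads, corrupt_at=1)))
```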
• Report File: specifies the file name to be used to save the generated report.
• Report Title: specifies the title that will be printed on the report's cover page
• Use relative times (D.HH:MM:SS): If checked, the times throughout the report will be printed in relative times. Otherwise, absolute times will be used.
• Time Range: restrict the report generation to messages whose arrival time is greater than or equal to the "From" value, and smaller than or equal to the "To" value. "From" and "To" are expressed in HH:MM:SS, or in absolute time, depending on the value of the "Use relative time" option.
• Bandwidth reporting: if checked, this option will include bandwidth usage statistics in the report.
• Graph per Station: the report will contain a separate bandwidth graph for each station
• Graph per Connection: the report will contain a separate bandwidth graph for each SLL connection
• Average window: This is the time in seconds used to compute the average bandwidth.
• Fixed scale: If checked, bandwidth graphs will use a fixed scale for the Y axis, in place of a proportional scale.
• Error reporting: if checked, the report will include information about detected errors in the different protocol layers. For more information, see Protocol Verification. Checkboxes allow the user to specify the protocol layers for which errors must be reported. The following options control how errors are displayed in the report:
• Error Expansion: It is possible to control what information is given about each error, by choosing to show no layers (None), just the content of the problematic layer (Offending Layer) or all the message content (All Layers).
• Error Grouping: groups the error by error Time, error source Station or error SLL Connection.
• Auto Preview: view the generated report in the default PDF reader after report generation.
Record Dialog
This dialog enables the user to record Profibus and/or Euroradio network traffic using the SpyBox acquisition hardware.
• Optionally, specify a script file to be run on the recorded traffic. (See Scripting for more explanations.)
• one or multiple Euroradio Modems (Available only if the Euroradio Plugin is installed)
• If one or more Euroradio modems are selected, specify the DATA and COMMAND baudrates, and the recording options. (See Modem Recording Specifics).
• Duration: the amount of time since the beginning of the recording session
• Packets received: the total amount of PROFIBUS and/or Euroradio frames recorded
• Scripting details: If a script file has been specified, this zone displays the standard output streams of the script. (See Scripting for more explanations.)
• "Open in sniffer..." checkbox: if checked, the captured traffic file will be opened in the Triple-F Sniffer.
The SpyBox Administration Dialog enables you to perform the following tasks:
• one or multiple Euroradio Modems (Available only if the Euroradio Plugin is installed)
When you click on Download, a download dialog pops up. This dialog enables the user to:
• Specify a partial download, with start and end date and time
• Enable session detection. When enabled, a new file will be created for each session detected by the
SpyBox.
• Clear the captured traffic after download. The complete traffic stored in the SpyBox will be deleted,
even if the user has chosen "partial download".
Export Dialog
This dialog provides the ability to export the content of FDL/SLL/STL/AppLayer messages to a format
suitable for external processing. Two export formats are provided: CSV and TXT. The user can restrict
the messages and the protocol fields to be exported.
• CSV: CSV stands for "comma separated values", and is more or less formally specified here: http://www.ietf.org/internet-drafts/draft-shafranovich-mime-csv-05.txt. The user is free to choose the field separator to be used in the CSV exported file (comma or semicolon).
• TXT: raw text format, with a summary line for each message, followed by one additional line for
each field and its value, for all protocol layers.
• File name: the file name under which the report will be saved.
• Report type: PDF or CSV (Comma-Separated Values). A CSV file is an easy way to import the data
into a spreadsheet for further reporting.
• CSV separator: only enabled for the CSV report format. This separator will be used to separate the
values on each line. Default is ";".
0A 0B 0C 01 02 03 FF FF 0A 0B 0C 01 02 03 FF FF 0A 0B 0C 01 02 03 FF FF
The introduced key is saved between sessions. After having changed the key, the user must close and re-
Chapter 4. Recording PROFIBUS traffic with the SpyBox hardware
This chapter describes how to use the dedicated SpyBox hardware to record PROFIBUS traffic.
First steps
Procedure 4.1. Record some Profibus traffic using the SpyBox acquisition hardware.
1. Connect the SpyBox to an Ethernet network using an Ethernet cable, and connect the SpyBox to a Profibus network using a Profibus bus.
2. Use File → Record to open the Record Dialog. Browse to the desired file, enable bus 0, and click on the Record button.
3. Once you have recorded enough traffic, click on the Stop button of the recording progress window.
Recording filters
The SpyBox enables you to filter the recorded traffic. As token and scan messages account for 98.5% of the PROFIBUS traffic, filtering them out enables the SpyBox to record 100 times more traffic with the same storage space. The following filters can be used, for each bus individually:
• Filter Off: records everything, including tokens and scans (most storage-intensive)
• Skip scans/tokens: records everything but the tokens and the scans (most compact)
Chapter 5. Scripting
Introduction
The scripting facilities in the Triple-F Sniffer enable the user to add new behaviour to the PROFIBUS/SLL/STL/AppLayer recording process by writing short (and less short) scripts in the Python [http://www.python.org/] language.
NOTE: the scripting facilities are only available in the TripleFSniffer Lab Edition.
• Online mode: the script receives the stream of messages coming from the SpyBox. This mode is
available from the Graphical User Interface and from the Command-line interface.
• Shell mode: the script receives the stream of messages coming from a previously recorded es3f file.
This mode is only available from the Command-line interface.
• Sends a message on a TCP/IP socket when we see an STM-8 (Odometry) Application Packet containing V_NOM > X.
High-level Architecture
The scripting architecture is embedded in the message processing component of the Triple-F Sniffer. This message processing component is responsible for loading a stream of messages from a source (an online connection to the SpyBox, or an .es3f file), and doing something with it. Currently, the Triple-F Sniffer is capable of two things: display the message stream in its graphical user interface, or record it in a file, for later analysis. With the scripting facilities, the user gets access to the incoming message stream, and can perform specific actions with these messages.
• Custom actions before/after a scripting session. For example: initializing counters, network connections, file descriptors, resource cleanup, etc.
• Start/Stop message stream recording, with control over the recorded file name.
• Perform any action for each message. For example: if this message contains an STM-15 packet, and the NID_STMSTATE is 6 (Hot Standby), then send an HTTP request to any host, with "HELLO" as content.
Besides the full Python language, and the complete .Net 2.0 class library, the scripts have access to the FFFIScom [http://www.ertmssolutions.com/fffiscom/csharpapi/] FDL/SLL/STL/ApplicationLayer encoding/decoding library, to give a native, object interface to FDL/SLL/STL/AppLayer decoded messages.
Scripting interface
Scripts are written in the Python [http://www.python.org/] language. The script is loaded by the Triple-F Sniffer when starting a scripting session. After script loading, the Triple-F Sniffer will check if the following functions are defined in the user script:
• handle_message(message, bus): The place to put custom behavior that must happen for all
specific messages.
• idle(). This function is called when there is no incoming message for more than 1 second. If the
user throws an exception, the current recording session will be stopped, and end_session() will be
called.
After having loaded the script, the Triple-F Sniffer scripting engine will invoke the user-defined functions in the following order. It is not mandatory to define any functions; non-defined functions will be ignored by the Triple-F Sniffer.
• For each message received from the underlying message source (SpyBox or file):
• handle_message(message, bus)
• record_message(message, bus)
• stop_recording(message, bus)
#emptytest.py
#This script does nothing.
def init_session(fileNamePrefix):
    pass
def handle_message(message, bus):
    pass
def record_message(message, bus):
    return False
def start_recording(message, bus):
    return (False, None)
def stop_recording(message, bus):
    return False
def end_session():
    pass
def idle():
    pass
• fileNamePrefix: The file name entered by the user if the script has been started from the
Graphical User Interface, in the SpyBox Online Actions dialog, None otherwise.
handle_message(message, bus)
This function is called for each message coming from the underlying source (file or spybox). It receives
as parameter the message and the bus number (0 or 1) on which this message has been captured.
start_recording(message, bus)
This function is called for each message coming from the underlying source (file or spybox), when there
is no active recording session. It receives as parameter the message and the bus number (0 or 1) on
which this message has been captured.
This function returns a tuple containing two elements in the following order: a bool value and a string.
The bool value set to True indicates that the Triple-F Sniffer should start a new recording session. The
string is the name of the file on which the messages will be recorded.
record_message(message, bus)
This function is called for each message coming from the underlying source (file or spybox), when there is one active recording session. It receives as parameter the message and the bus number (0 or 1) on which this message has been captured.
This function returns a bool value. If the value is set to True, the passed message will be recorded. If set
to False, this message will be skipped.
stop_recording(message, bus)
This function is called for each message coming from the underlying source (file or spybox), when there is one active recording session. It receives as parameter the message and the bus number (0 or 1) on which this message has been captured.
This function returns a bool value. The bool value set to True indicates that the Triple-F Sniffer should
stop the current recording session.
end_session()
This function is called once at the end of the scripting session. It returns no value.
idle()
For a complete description of the API of decoded protocol objects, take a look at the FFFIScom API
documentation [http://www.ertmssolutions.com/fffiscom/csharpapi/].
#emptytest.py
#This script filters out the tokens and scans from a previously recorde
def start_recording(message, bus):
    """
    We start recording at the first packet, in the filtered.es3f file
    """
    return (True, "filtered.es3f")

def record_message(message, bus):
    """
    We accept only messages for which layer > PROFIBUS
    """
    return message.Layer > Layers.PROFIBUS
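Added example, not part of the original manual or the Triple-F Sniffer distribution: a small offline harness that drives the start_recording, record_message and stop_recording callbacks in the order described above, so that a capture script's session logic can be checked against a constructed trace before it is run in the Sniffer. The Layers stand-in (its numeric values and its SLL and STL members), the Message type, the MAX_QUIET policy, the replay() helper, and the rule that the message which starts a session is not itself offered to record_message are all assumptions of this sketch.

```python
# Added example: offline harness for a capture script (not the Sniffer's own engine).
from collections import namedtuple

class Layers(object):                      # stand-in: only Layers.PROFIBUS is on the page,
    PROFIBUS, SLL, STL = 1, 2, 3           # the numeric values and SLL/STL members are assumed

Message = namedtuple("Message", "Layer")   # constructed message type exposing .Layer only
MAX_QUIET = 3                              # assumed policy: stop after 3 PROFIBUS-only messages
state = {"quiet": 0, "sessions": 0}

def start_recording(message, bus):
    """Open a new file when traffic above the PROFIBUS layer appears."""
    if message.Layer > Layers.PROFIBUS:
        state["sessions"] += 1
        state["quiet"] = 0
        return (True, "burst%d.es3f" % state["sessions"])
    return (False, None)

def record_message(message, bus):
    """Keep only messages above the PROFIBUS layer."""
    return message.Layer > Layers.PROFIBUS

def stop_recording(message, bus):
    """Close the session after MAX_QUIET consecutive PROFIBUS-only messages."""
    state["quiet"] = 0 if message.Layer > Layers.PROFIBUS else state["quiet"] + 1
    return state["quiet"] >= MAX_QUIET

def replay(trace):
    """Call the callbacks as the manual describes; return {file name: [recorded indexes]}."""
    state.update(quiet=0, sessions=0)
    files, current = {}, None
    for index, (message, bus) in enumerate(trace):
        if current is None:                # no active session: only start_recording is asked
            started, name = start_recording(message, bus)
            if started:
                current = name
                files[current] = []
        else:                              # active session: record_message, then stop_recording
            if record_message(message, bus):
                files[current].append(index)
            if stop_recording(message, bus):
                current = None
    return files

# Constructed trace of (message, bus) pairs: P = PROFIBUS-only, S = SLL, T = STL.
P, S, T = Message(Layers.PROFIBUS), Message(Layers.SLL), Message(Layers.STL)
TRACE = [(m, 0) for m in [P, S, T, P, S, P, P, P, P, T, S]]
```

Calling replay(TRACE) shows two sessions being opened, which makes the effect of the stop condition on file boundaries visible before any real capture is filtered.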
1. Open a system console, and make sure the Triple-F Sniffer installation directory is in your PATH.
#HttpRecordingServer.py
#This script starts an HTTP server listening for HTTP POST requests, wi
#"START" or "STOP" in the request body. "START" and "STOP" will turn on
#packets recording.
#import webserver component.
Chapter 6. JRU Messages Decoding Plugin
Introduction
The JRU Messages Decoding Plugin enables the Triple-F Sniffer to decode the messages sent from the
EVC to the JRU, when the following conditions apply:
• The Messages sent from the EVC to the JRU comply with the format specified in UNISIG Subset-027
version 2.2.10. (Check the ERA website to download
[http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx]
the Subset-027 specification)
• The EVC is using the SLL and STL protocol layers to connect to the JRU.
NOTE: the JRU Messages Decoding Plugin requires that your license.txt file includes jru plugin
activation. Without that, the plugin configuration will have no effect.
Some JRU messages contain embedded Euroradio, Eurobalise and Euroloop messages, encoded as
defined in UNISIG Subset-026 (Check the ERA website to download
[http://www.era.europa.eu/public/ERTMS/Approved_Documents_List_of_mandatory_Specifications.aspx]
the Subset-026 specification). These messages are also fully decoded in the Triple-F Sniffer.
2: Open the Triple-F Sniffer session settings XML configuration file with any text editor, and insert the
following XML fragment
<PluginConfig>
  <JruPlugin
    SourceAddress="..."
    DestinationAddress="..."
    Sap="..."
  />
</PluginConfig>
<Colors>
  <Mappings>
    ...
  </Mappings>
</Colors>
3: Make sure that the SourceAddress, DestinationAddress and Sap attributes match the ones used by
the EVC to connect to the JRU. If the addresses and/or sap do not match, the JRU messages will be
marked as Invalid messages by the Protocol Verification component.
Chapter 7. Euroradio Plugin
Introduction
The Euroradio Plugin adds the following features to the Triple-F Sniffer:
• Decoding of the full Euroradio protocol stack: HDLC, T.70, X.224, Euroradio safety layer and
Subset-026 application messages and packets, to decode the communications between an EVC and one
or more RBCs.
• SpyCable recording, eliminating the need for SpyBox hardware, for Euroradio recording using just
a Triple-F Sniffer-installed PC with a SpyCable. For more information about the SpyCable design,
check the SpyCable section.
SpyCable design
The SpyCable is a cable designed specifically for spying on the signals between a computer and a Modem,
connected by an RS-232 serial cable. It will send the RX and TX signals to the RX signals of two other
RS-232 cables, allowing another computer to observe the communication without any interference.
• A: to be connected to the cable going out of the DTE (E.g. EVC or RBC)
The following schema sketches the design of a SpyCable, with all the necessary wire connections.
Chapter 8. Command-line interface
This chapter describes the Command-line interface, its usage options and its output.
Command-line manual
The application can be used in a command prompt to support traffic capture file validation, detailed
dumps or scripting.
• -t: "Text mode". If not specified, the Application will open its Graphical User Interface.
• -v: "Verbose". Output complete Message information for each Message. If not specified, the command
will only output the following:
[bin]> ./SnifferShell --file=test.trace
Trace successfully decoded 137373 packets
[bin]>
• --strictcrc: "Strict CrC": verifies the CRC. In case of invalid CRC, an error will be outputted, and
processing will stop.
• --keeptokensandscans: "Keep tokens and scans": read Profibus Token and Scans Packets. By default,
these are skipped when recording from the command-line.
• --bus1: Specify PROFIBUS bus 1 as the master bus to be used to read a trace file. Bus 0 is the
default master bus.
• --sllchecks: Enforce SLL checks for command-line trace file reading. Otherwise, the SLL checks are
not enforced.
• --raw: output the raw bytes and status of each record in the trace file.
• --enablescript: turn on the scripting engine, for online or trace file evaluation.
• --spyboxaddress: when doing online scripting, specify the IP address of the SpyBox.
• --subset58version=[1|2|3] Specify the version of the subset-058 to be used for decoding. The
numbers correspond to the following subset-058 versions:
• 1: V2.1.1
• 2: V2.1.4
• 3: V2.1.2F
• --baudratefollowdcd: If this option is specified, Euroradio recording will use the baudrates specified
for DATA and COMMAND according to the state of the DCD flag. (See Modem Recording Specifics).
• --capturescriptout: If this option is specified, the standard output streams and error streams are
redirected to the Triple-F Sniffer log file, TripleFShell.log. By default, these output streams will appear
on the console output.
Chapter 9. Configuration files
This chapter describes the various Triple-F Sniffer application configuration files.
The session settings config file stores information about the following User Interface items:
• traffic capture file: the path to the currently opened traffic capture file
• Window settings: the position of the Main Window component, its size, and its maximized/normal
state.
• Selected columns: the name of each selected column. See Column Selection for more info on how
to select columns.
• Selected layers: the protocol layers selected for display. See Layer Selections for more info on how
to select protocol layers.
• Column styles: the position and size of all columns (displayed or not).
• Plugin configuration: the configuration of the various Protocol Plugins installed in the Triple-F
Sniffer. See for instance JRU Plugin.
NOTE: This configuration file is overwritten every time the application is closed. If modified by hand
and invalid, its whole content will be discarded. It is created the first time the user exits the application.
It is not advised to modify this file manually.
To add a new logical device identifier, insert a new XML tag under the <DevicesMapping> element as
in the following example:
To add a new logical connection identifier, insert a new XML tag under the <DevicesMapping> element
such as the following example: