Applies To:
  • CitectSCADA 5.xx

How can I use NetMon to trap and analyse network traffic from Citect? 

NetMon is a network packet trapping application from Microsoft which ships with Windows NT. There is also a more capable version included with Microsoft Systems Management Server. NetMon allows the user to establish packet filters and log traffic, providing low-level information on network activity. The operation of this application is explained in the online help included with the product.

The problems begin when a particular event of interest occurs in the dead of night on some remote site. The NetMon log file has a finite size, so it is soon overwritten with other traffic and the data surrounding the event is lost. Previously the only way around this was to sit and watch the network, manually stopping the log while the traffic of interest was freshly captured. However, there is a more automated solution to this problem: get Citect to watch the network and control NetMon for you.

Consider the situation where a certain Citect event (like an I/O Device dropping offline) signals a network event which requires analysis. To get Citect to handle this itself, a Cicode function like the following is run continuously.


/* Function name is illustrative; the article does not name it. */
FUNCTION
NetMonWatch()
    STRING sSendKeyStr;
    STRING sTemp;
    STRING sFile;
    INT iFileCount = 0;

    /* Wait before the first poll */
    Sleep(StrToInt(ParameterGet("NETMON", "STARTDELAY", "300")));
    WHILE 1 DO
        IF ParameterGet("NETMON", "ON", "0") = "1" THEN

            /* Start NetMon if it is not already running */
            IF WndFind("Network Monitor") = 0 THEN
                sTemp = ParameterGet("NETMON", "CMD", "D:\nm\netmon.exe");
                Exec(sTemp, 6);
            END

            IF TriggerFn() THEN
                iFileCount = iFileCount + 1;
                sFile = ParameterGet("NETMON", "SAVEFILE", "file") + iFileCount:# + ".cap";

                /* To Save the Netmon log file */
                sSendKeyStr = "{F11}%FA" + sFile + "~";
                SendKeys("Network Monitor", sSendKeyStr);

                /* Start Capture again */
                SendKeys("Network Monitor", "{F10}");

                /* To Minimise Netmon */
                SendKeys("Network Monitor", "% n");

                /* Save SYSLOG.DAT */
                FileCopy("d:\winnt\syslog.dat", "d:\winnt\syslog-" + iFileCount:# + ".dat", 0);
            END
        END

        /* Wait for the next poll */
        Sleep(StrToInt(ParameterGet("NETMON", "POLLTIME", "30")));
    END
END

As can be seen from the listing, the function sits in a loop and continuously checks the status of the [NetMon]On= parameter. Once this parameter is detected to be true, NetMon is started using the command line found in [NetMon]Cmd=. This method allows the trap to be turned on or off remotely at runtime using Windows file sharing only. The following example shows how to start NetMon using a presaved filter.

CMD=d:\nm\netmon /capturefilter d:\nm\captures\ /autostart /net 2

The function then makes a call to TriggerFn() to determine whether the log is to be closed and saved. TriggerFn() returns a boolean and would typically look at I/O Devices (using IODeviceInfo) or any other condition of interest; this is where Citect checks for the special condition. The code then uses the SendKeys() function to send keystrokes to NetMon to stop the log and automatically save the logfile. The same method is then used to restart NetMon so it is ready to trap the next occurrence of the event.
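
TriggerFn() itself is not listed in the article. The following is an added example, not code from the original article: an edge-triggered TriggerFn() that returns true only on the poll where the watched I/O Device is first seen offline, so a long outage produces one saved capture rather than one every [NetMon]PollTime= interval. The [NetMon]WatchDevice= parameter is hypothetical, and the IODeviceInfo() type code 3 and state value 16 (offline) are assumptions to confirm in the Citect help for your version.

```cicode
/* Added example, not from the original article. */
MODULE INT mbWasOffline = 0;    /* offline state seen on the previous poll */

INT
FUNCTION
TriggerFn()
    STRING sDevice;
    INT iState;
    INT bOffline = 0;
    INT bTrigger = 0;

    /* [NETMON]WATCHDEVICE is a hypothetical parameter for this example */
    sDevice = ParameterGet("NETMON", "WATCHDEVICE", "");
    IF sDevice = "" THEN
        RETURN 0;
    END

    /* Assumption: type 3 returns the device state and 16 means offline;
       confirm both values in the Citect help for your version */
    iState = StrToInt(IODeviceInfo(sDevice, 3));
    IF iState = 16 THEN
        bOffline = 1;
    END

    /* Fire only on the online -> offline transition */
    IF bOffline = 1 AND mbWasOffline = 0 THEN
        bTrigger = 1;
    END
    mbWasOffline = bOffline;

    RETURN bTrigger;
END
```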

The file name is numerically rolled every cycle to prevent data loss through an accidental overwrite. Note that if the NetMon program strikes an unforeseen problem and pops up a dialog, this whole scheme comes off the rails. Even so, it is a good example of the use of SendKeys. SendKeys can be used in this way to take control of any application running alongside Citect.

Other parameters used in conjunction with this NetMon example are as follows.

CMD=d:\nm\netmon /capturefilter d:\nm\captures\ /autostart /net 2

For more information on the use of SendKeys(), check the Citect help.