PI TCPResponse Interface
From SCADApedia
OSIsoft's PI TCPResponse interface will attempt to make a connection to a TCP port on the target system. If the target system replies, the TCPResponse interface will record the amount of time the target took to reply. Should the target system fail to reply, the TCPResponse interface will record the failure.
TCP Ports
Transmission Control Protocol (TCP) is one of the main protocols of the Internet Protocol Suite. An IP address is given to a system in order to facilitate transmission of messages from one system to another. TCP ensures reliable transmission of data from a program on one system to a program on another system. These programs are assigned ports.
A common example compares the IP address to a street address and the TCP port to a door leading into or out of the house.
A large number of ports are reserved for specific types of data. Modbus/TCP is typically assigned to port 502 and HTTP is assigned to port 80.
PI TCPResponse Interface
The interface works by sending a connection request to the appropriate TCP port on the target machine and then measuring the response time of that connection. The TCPResponse interface can make connections using the following protocols: DNS, FTP, HTTP, SMTP, POP3, IMAP, PI Server. The interface can also make a connection to generic TCP servers and measure the load time of a particular web page.
- Location 2 = 1: Indirect DNS server response time
  - InstrumentTag: INPUT=Name or IP to resolve (Required); DEVICE=(supported for backwards compatibility);
- Location 2 = 2: FTP server response time measurement
  - InstrumentTag: DEVICE=FTP server (Required); PORT=FTP port (Optional); REPLY=Expected server reply (Optional);
- Location 2 = 3: HTTP server response time measurement
  - InstrumentTag: DEVICE=HTTP server (Required); PORT=HTTP port (Optional); REPLY=Expected server reply (Optional);
- Location 2 = 4: SMTP server response time measurement
  - InstrumentTag: DEVICE=SMTP server (Required); PORT=SMTP port (Optional); REPLY=Expected server reply (Optional);
- Location 2 = 5: Generic TCP server application response time measurement
  - InstrumentTag: DEVICE=TCP server (Required); PORT=TCP port (Optional);
- Location 2 = 7: POP3 server response time measurement
  - InstrumentTag: DEVICE=POP3 server (Required); PORT=POP3 port (Optional); REPLY=Expected server reply (Optional);
- Location 2 = 8: IMAP server response time measurement
  - InstrumentTag: DEVICE=IMAP server (Required); PORT=IMAP port (Optional); REPLY=Expected server reply (Optional);
- Location 2 = 9: PI Server response time measurement
  - InstrumentTag: DEVICE=PI server (Required); PORT=PI port (Optional);
- Location 2 = 10: Direct DNS server response time measurement
  - InstrumentTag: DEVICE=DNS server IP address (Required); INPUT=Name to resolve (Required);
- Location 2 = 11: Measurement of web page load time
  - InstrumentTag: DEVICE=HTTP server (Required); PORT=HTTP port (Optional); PROT=Default HTTPS, set to HTTP for plain text page (Optional); USER=HTTP login name (Optional); AUTH=BASIC or NTLM (Required if USER is set); REPLY=Expected server reply for successful load (Required if USER is set);
- Location 3 = Timeout duration in milliseconds.
- Location 5 = Enable debug mode.
PI TCPResponse in Portaledge Attack Detection
The OSIsoft PI TCPResponse interface will be used to detect when a machine becomes unavailable or its response time changes. An attacker may try to assume the identity of another machine or perform a Man-In-The-Middle (MITM) attack. A MITM attack would produce slower response times. A machine may be taken offline during an attack. A machine with malware installed may also produce slower response times if the malware consumes CPU cycles, memory or network bandwidth.
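The detection idea described above, as an added example that is not OSIsoft's or Portaledge's code: a TCP connect timer with a millisecond timeout (the role the page gives Location 3) and a check of each sample against earlier response times. The function names, the median-plus-MAD threshold and the sample values are assumptions made for illustration.

```python
import socket
import statistics
import time

def tcp_response_ms(host, port, timeout_ms=2000):
    """Time a TCP connect; return milliseconds, or None if there was no reply."""
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout_ms / 1000.0):
            return (time.perf_counter() - start) * 1000.0
    except OSError:  # refused, unreachable, name lookup failure or timeout
        return None

def classify(sample_ms, baseline_ms, k=5.0, floor_ms=1.0):
    """Label one sample against earlier response times for the same target.

    Assumed rule: SLOW when the sample exceeds median + k * MAD of the
    baseline. floor_ms stops a very steady baseline from flagging jitter.
    """
    if sample_ms is None:
        return "UNAVAILABLE"
    med = statistics.median(baseline_ms)
    mad = statistics.median([abs(x - med) for x in baseline_ms])
    return "SLOW" if sample_ms > med + k * max(mad, floor_ms) else "OK"

# Constructed sample data (milliseconds), not measurements from a real system.
BASELINE_MS = [12.1, 11.8, 12.4, 12.0, 13.1, 11.9]
SAMPLES_MS = [12.6, 48.0, None]

if __name__ == "__main__":
    for s in SAMPLES_MS:
        print(s, classify(s, BASELINE_MS))
    # Live probe of a placeholder target; replace host and port with your own.
    print(tcp_response_ms("127.0.0.1", 502, timeout_ms=500))
```

A SLOW or UNAVAILABLE label is a prompt to investigate, since congestion or maintenance shifts response times the same way the attack scenarios above do.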
