Quote Originally Posted by Thomas_v2.1
You take nettoplcsim and write your own "nodaveserver.dll" which implements the H1 protocol, or simply the parts you need for testing. The PLC data is read out of Step7 Plcsim instead of an S5 PLC. You could convert the datablocks of the S5 program to S7 datablocks and load them into plcsim.

The S7 protocol is basically comparable with the H1 protocol. S7 packs ISO on top of TCP (RFC1006); Sinec H1 is directly on OSI layer 3 without TCP.
For some details of the Sinec H1 protocol you should take a look into the corresponding Wireshark dissector source code (which was written by a Siemens engineer, as far as I know).
Hi Thomas,
I already thought of something like that. I even took a look at Wireshark's dissector.

Besides the 'time' problem, I just see another problem... the dissector addresses packet types and packet structures, but says nothing about the protocol's state machine, am I right?

Do you know where I could get information on that topic? Is there a public SINEC H1 protocol specification? I guess that if it's not too complicated I could reverse engineer it using Wireshark, but I'd prefer a good document instead.

Thanks, Jon.
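Thomas's point that S7 rides ISO on top of TCP (RFC1006) while Sinec H1 sits directly on layer 3 is the framing difference a test server or dissector has to deal with before any PLC data appears. As an added example, not taken from this thread or from nettoplcsim/nodave, here is a small parser for the TPKT + COTP wrapper that RFC1006 adds; the two sample frames are constructed for illustration, not captured from a real PLC.

```python
import struct

# COTP (ISO 8073) PDU type codes, taken from the upper nibble of the type byte
COTP_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xF0: "DT"}


def parse_tpkt(frame: bytes) -> bytes:
    """Strip the 4-byte TPKT header (RFC1006) and return the COTP TPDU.

    TPKT header: version (always 3), reserved byte, 16-bit big-endian total length.
    """
    if len(frame) < 4:
        raise ValueError("frame shorter than TPKT header")
    version, _reserved, length = struct.unpack("!BBH", frame[:4])
    if version != 3:
        raise ValueError(f"unexpected TPKT version {version}")
    if length != len(frame):
        raise ValueError(f"TPKT length {length} != frame length {len(frame)}")
    return frame[4:]


def parse_cotp(tpdu: bytes) -> dict:
    """Parse the COTP header; for CR/CC also collect the variable-part parameters."""
    if len(tpdu) < 2:
        raise ValueError("TPDU too short")
    li = tpdu[0]                      # header length, not counting the LI byte itself
    if li + 1 > len(tpdu):
        raise ValueError("COTP length indicator exceeds TPDU")
    kind = COTP_TYPES.get(tpdu[1] & 0xF0, "unknown")
    result = {"type": kind, "params": {}, "payload": tpdu[li + 1:]}
    if kind in ("CR", "CC"):
        # fixed part: destination reference, source reference, class/options
        result["dst_ref"], result["src_ref"], result["class"] = struct.unpack("!HHB", tpdu[2:7])
        pos = 7
        while pos < li + 1:           # variable part: code, length, value triplets
            code, plen = tpdu[pos], tpdu[pos + 1]
            result["params"][code] = tpdu[pos + 2:pos + 2 + plen]
            pos += 2 + plen
    elif kind == "DT":
        result["eot"] = bool(tpdu[2] & 0x80)   # end-of-TSDU flag on the TPDU number byte
    return result


def parse_iso_on_tcp(frame: bytes) -> dict:
    """Full RFC1006 unwrap: TPKT, then COTP; the payload is what S7 would see."""
    return parse_cotp(parse_tpkt(frame))


# Constructed sample frames: a COTP connect request carrying TSAP parameters
# (0xC1 src TSAP, 0xC2 dst TSAP, 0xC0 TPDU size) and a data TPDU with a 2-byte payload.
CR_FRAME = bytes.fromhex("03000016" "11e00000000100" "c1020100" "c2020102" "c0010a")
DT_FRAME = bytes.fromhex("03000009" "02f080" "3201")
```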