Capturing EtherNet/IP with Wireshark

Application Note Capturing EtherNet/IP with Wireshark www.hilscher.com DOC190403AN01EN | Revision 2 | English | 2020-02 | Released | Public


Capturing EtherNet/IP with Wireshark DOC190403AN01EN | Revision 2 | English | 2020-02 | Released | Public © Hilscher, 2019-2020

Table of Contents

1 Introduction
  1.1 About this Document
  1.2 List of Revisions
  1.3 Terms, Abbreviations and Definitions
  1.4 Legal Notes
    1.4.1 Copyright
    1.4.2 Important Notes
    1.4.3 Exclusion of Liability
    1.4.4 Export Regulations
    1.4.5 Registered Trademarks
2 Descriptions and Requirements
  2.1 Descriptions
  2.2 Structure for network recording
  2.3 Network capturing
3 Wireshark
  3.1 Introduction
  3.2 History
  3.3 Technical Details
4 First Steps
  4.1 Installing the Wireshark software
    4.1.1 Overview
    4.1.2 Requirements for installing Wireshark
    4.1.3 Where to get Wireshark
    4.1.4 Step-by-Step instructions
    4.1.5 Update Wireshark
    4.1.6 Update WinPcap
    4.1.7 Update USBPcap
    4.1.8 Uninstall Wireshark
    4.1.9 Uninstall WinPcap
    4.1.10 Uninstall USBPcap
  4.2 Start Wireshark
  4.3 Welcome Screen
    4.3.1 Menu
    4.3.2 Toolbar
    4.3.3 “Packet List” Pane
    4.3.4 “Packet Details” Pane
    4.3.5 “Packet Bytes” Pane
5 EtherNet/IP
  5.1 Hardware structure for an EtherNet/IP data analysis
    5.1.1 Monitoring of one ethernet port
    5.1.2 Monitoring of two ethernet ports
  5.2 Settings for recording with Wireshark
  5.3 Recording network traffic
  5.4 Capturing and analysing network traffic
    5.4.1 Filters
    5.4.2 Forward Open Service
6 Appendix
  6.1 List of Figures
  6.2 List of Tables
  6.3 Bibliography
  6.4 Contacts


1 Introduction

1.1 About this Document

This manual contains instructions for installing Wireshark and for recording the network traffic of devices with it. It explains the basics and some of the features that Wireshark provides. Because Wireshark has grown into a very complex program since its early days, only its basic features can be explained in this manual. By reading this manual, you will learn how to install Wireshark, how to use the basic elements of the graphical user interface (such as the menu) and what is behind some of the advanced features that are not always obvious at first sight.

1.2 List of Revisions

Table 1: List of Revisions

Rev  Date        Chapter  Revisions
1    22.10.2019  all      created
2    17.02.2020  footer   Document name corrected


1.3 Terms, Abbreviations and Definitions

Table 2: Terms, Abbreviations and Definitions

Term         Description
ARP          Address Resolution Protocol
ASIC         application-specific integrated circuit
ATM          Asynchronous Transfer Mode
BSD          Berkeley Software Distribution
CFI          Canonical Format ID
CIP          Common Industrial Protocol
DHCP         Dynamic Host Configuration Protocol
DLR          Device Level Ring
FDDI         Fiber Distributed Data Interface
GNU          Unix-like operating system
GUI          graphical user interface
IEEE 802.1q  networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network
IP           Internet Protocol
IrDA         Infrared Data Association
IRT          Isochronous real time
LAN          Local Area Network
macOS        graphical operating systems
mbH          mit beschränkter Haftung
PC           Personal Computer
PCP          Priority Code Point
PPP          Point-to-Point Protocol
PTCP         Precision Transparent Clock Protocol
RAM          Random-Access Memory
RT           Real Time
TCI          Tag Control Information
TCP          Transmission Control Protocol
TPID         Tag Protocol Identifier
USB          Universal Serial Bus
USBPcap      open-source USB sniffer for Windows
VID          Virtual Local Area Network ID (VLAN ID)
VLAN         Virtual Local Area Network
WinPcap      open source library for packet capture and network analysis for Windows
WLAN         Wireless Local Area Network


1.4 Legal Notes

1.4.1 Copyright

© Hilscher Gesellschaft für Systemautomation mbH

All rights reserved.

The images, photographs and texts in the accompanying material (user manual, accompanying texts, documentation, etc.) are protected by German and international copyright law as well as international trade and protection provisions. You are not authorized to duplicate these in whole or in part using technical or mechanical methods (printing, photocopying or other methods), to manipulate or transfer using electronic systems without prior written consent. You are not permitted to make changes to copyright notices, markings, trademarks or ownership declarations. The included diagrams do not take the patent situation into account. The company names and product descriptions included in this document may be trademarks or brands of the respective owners and may be trademarked or patented. Any form of further use requires the explicit consent of the respective rights owner.

1.4.2 Important Notes

The user manual, accompanying texts and the documentation were created for the use of the products by qualified experts, however, errors cannot be ruled out. For this reason, no guarantee can be made and neither juristic responsibility for erroneous information nor any liability can be assumed. Descriptions, accompanying texts and documentation included in the user manual do not present a guarantee nor any information about proper use as stipulated in the contract or a warranted feature. It cannot be ruled out that the user manual, the accompanying texts and the documentation do not correspond exactly to the described features, standards or other data of the delivered product. No warranty or guarantee regarding the correctness or accuracy of the information is assumed.

We reserve the right to change our products and their specification as well as related user manuals, accompanying texts and documentation at all times and without advance notice, without obligation to report the change. Changes will be included in future manuals and do not constitute any obligations. There is no entitlement to revisions of delivered documents. The manual delivered with the product applies.

Hilscher Gesellschaft für Systemautomation mbH is not liable under any circumstances for direct, indirect, incidental or follow-on damage or loss of earnings resulting from the use of the information contained in this publication.


1.4.3 Exclusion of Liability

The software was produced and tested with utmost care by Hilscher Gesellschaft für Systemautomation mbH and is made available as is. No warranty can be assumed for the performance and flawlessness of the software for all usage conditions and cases and for the results produced when utilized by the user. Liability for any damages that may result from the use of the hardware or software or related documents, is limited to cases of intent or grossly negligent violation of significant contractual obligations. Indemnity claims for the violation of significant contractual obligations are limited to damages that are foreseeable and typical for this type of contract.

It is strictly prohibited to use the software in the following areas:

for military purposes or in weapon systems;

for the design, construction, maintenance or operation of nuclear facilities;

in air traffic control systems, air traffic or air traffic communication systems;

in life support systems;

in systems in which failures in the software could lead to personal injury or injuries leading to death.

We inform you that the software was not developed for use in dangerous environments requiring fail-proof control mechanisms. Use of the software in such an environment occurs at your own risk. No liability is assumed for damages or losses due to unauthorized use.

1.4.4 Export Regulations

The delivered product (including the technical data) is subject to export or import laws as well as the associated regulations of different countries, in particular those of Germany and the USA. The software may not be exported to countries where this is prohibited by the United States Export Administration Act and its additional provisions. You are obligated to comply with the regulations at your personal responsibility. We wish to inform you that you may require permission from state authorities to export, re-export or import the product.

1.4.5 Registered Trademarks

Windows® 7, Windows® 8 and Windows® 10 are registered trademarks of Microsoft Corporation.

Wireshark® and the "fin" logo are registered trademarks of Gerald Combs.

Adobe-Acrobat® is a registered trademark of Adobe Systems Incorporated.

EtherCAT® is a registered trademark of Beckhoff Automation GmbH, Verl, Germany, formerly Elektro Beckhoff GmbH.

PROFIBUS® and PROFINET® are registered trademarks of PROFIBUS International, Karlsruhe.

All other mentioned trademarks are property of their respective legal owners.


2 Descriptions and Requirements

2.1 Descriptions

This chapter describes, in short form, the most important steps for a recording with Wireshark.

Chapter 4: First Steps explains how to download and install the Wireshark program, and also how to update or uninstall it. It then takes a closer look at the Wireshark user interface and explains its most important functions.

Chapter 5: EtherNet/IP introduces the EtherNet/IP topic, gives an overview and uses an example to show how an analysis of the EtherNet/IP data frames works.

2.2 Structure for network recording

The following shows two ways to set up the hardware for capturing a Wireshark trace.

If no netANALYZER is available, the structure should be as follows:

Figure 1: Network Capture with Port-mirroring switch
[Figure labels: Hub / Managed Switch; Adapter; EtherNet/IP Scanner; Adapter; PC with Wireshark]


Further information on why port mirroring is used can be found in chapter 5.1: Hardware structure for an EtherNet/IP data analysis.

For a recording with the netANALYZER, which captures all frames, the structure is:

Figure 2: Network Capture with netANALYZER
[Figure labels: netANALYZER; Slave; EtherNet/IP Scanner; Slave; PC with Wireshark]

Further information on how the netANALYZER is used can be found in chapter 5.1: Hardware structure for an EtherNet/IP data analysis.

2.3 Network capturing

Start capturing with Wireshark once the preparations for a data analysis have been made. The steps to capture a trace are, in short form:

Switch off EtherNet/IP Scanner/Adapter

Click on the button

Switch on Scanner/Adapter

Wait until Scanner/Adapter has booted up and exchanged data

Stop capturing with the button

Save capture with the button


For more detailed explanations, see chapter 5.3: Recording network traffic.


3 Wireshark

3.1 Introduction

Wireshark (“wire” and “shark”) is a free and open source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues.

Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

3.2 History

In late 1997, Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking, so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems.

Ethereal was initially released, after several pauses in development, in July 1998 as version 0.2.0. Within days, patches, bug reports and words of encouragement started arriving, and Ethereal was on its way to success.

Not long after that, Gilbert Ramirez saw its potential and contributed a low-level dissector to it.

In October 1998, Guy Harris was looking for something better than tcpview, so he started applying patches and contributing dissectors to Ethereal.

In late 1998, Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it did not at that point, new protocols could be easily added. Therefore, he started contributing dissectors and contributing patches.

The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed that Wireshark or Ethereal did not already handle. Therefore, they copied an existing dissector and contributed the code back to the team.

When Gerald Combs switched from Ethereal Software Inc. to CACE Technologies, he launched his own follow-up project and named it Wireshark in 2006.

In 2006, the project moved house and re-emerged under a new name: Wireshark.

The first version of Wireshark was released on June 7, 2006 with the version number 0.99.1. The precursor, Ethereal, is still available in version 0.99.0, but is no longer being developed.

In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was the first deemed complete, with the minimum features implemented. Its release coincided with the first Wireshark Developer and User Conference, called Sharkfest.

Wireshark version 2.0 was released on November 19, 2015. The whole program was switched to Qt and provided with a new, more intuitive interface. [1]


Figure 3: Official logo of the Wireshark Company

3.3 Technical Details

The Wireshark tool displays the data in the form of individual packets, either during or after the recording of data traffic from a network interface. The data is processed in a clearly arranged manner with filters adapted to the respective protocols. Wireshark can also create statistics on the data flow or use special filters to selectively extract binary content.

Network interfaces whose traffic can be analysed are primarily Ethernet with the various Internet protocol families such as TCP/IP. In addition, Wireshark can also record and analyse wireless traffic in the Wireless Local Area Network (WLAN) and Bluetooth connections. Using appropriate modules, further common interfaces such as USB can be integrated into Wireshark. On Microsoft Windows, Wireshark records traffic transparently using WinPcap. The prerequisite for this is always that the computer on which Wireshark is operated has the corresponding physical interfaces and that the user has the corresponding access authorizations for these interfaces.

In addition to the graphical Wireshark version, there is TShark, which is based on the same network code and is controlled by command line options. For both versions, the recording format of the measured data was taken from tcpdump. Nevertheless, Wireshark can additionally import the formats of other LAN analysers.


4 First Steps

4.1 Installing the Wireshark software

4.1.1 Overview

This section describes how to install the Wireshark software on your development PC.

4.1.2 Requirements for installing Wireshark

General requirements

Operating system: Windows® 10, Windows® 8/8.1, Windows® 7, Windows® Vista, Windows® Server 2016, Windows® Server 2012 R2, Windows® Server 2012, Windows® Server 2008 R2 or Windows® Server 2008

Access to the internet is required for downloading “third-party” development tools such as WinPcap and USBPcap.

If applicable:

Uninstall previous versions of Wireshark from your development PC

Hardware requirements of development PC

Processor: Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.

RAM: 400 MByte min.; larger capture files require more RAM.

Free hard disk space: 300 MByte min.; capture files require additional disk space.

Graphic resolution: 1024 × 768 pixels (1280 × 1024 or higher recommended) with at least 16-bit colour. 8-bit colour should work but user experience will be degraded. Power users will find multiple monitors useful.

Network card: A supported network card for capturing

  o Ethernet. Any card supported by Windows should work.

  o 802.11. Capturing raw 802.11 information may be difficult without special equipment.

  o other media. These are ATM, Bluetooth, CiscoHDL, Ethernet, FDDI, FrameRelay, IrDA, Loopback, ppp, TokenRing, USB, VLAN and WLAN.

Older versions of Windows, which are outside Microsoft’s extended lifecycle support window, are no longer supported. It is often difficult or impossible to support these systems due to circumstances beyond the control of Wireshark, such as third-party libraries on which Wireshark depends, or due to necessary features that are only present in newer versions of Windows (such as hardened security or memory management).


4.1.3 Where to get Wireshark

You can get the latest copy of the program from the Wireshark website at https://www.wireshark.org/download.html. The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. The Wireshark Foundation signs official Windows and macOS installers.

A new Wireshark version typically becomes available every month or two.

4.1.4 Step-by-Step instructions

Windows installer names contain the platform and version. For example, Wireshark-win64-2.9.0.exe installs Wireshark 2.9.0 for 64-bit Windows. The Wireshark installer includes WinPcap, which is required for packet capture.

Simply download the Wireshark installer from https://www.wireshark.org/download.html and execute it. The Wireshark Foundation signs official packages. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.
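
Because the official packages are signed, the signature can be checked on the development PC before the downloaded installer is executed. The following PowerShell function is an added example, not part of this application note or of the Wireshark project; the function name, the expected signer text and the optional published SHA-256 value are assumptions supplied by the operator.

```powershell
# Added example: check a downloaded Wireshark installer before executing it.
# Assumptions (not from the application note): the function name, the signer
# substring, and comparing against a SHA-256 value that you copied from the
# hash list published with the release.

function Test-WiresharkInstaller {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path,

        # Text expected in the subject of the signing certificate (assumption).
        [string] $ExpectedSigner = 'Wireshark Foundation',

        # Optional: SHA-256 of the installer as published for the release.
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Installer not found: $Path"
    }

    # Authenticode check: 'Valid' means the file is unmodified since signing
    # and the certificate chains to a root trusted by this PC.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $subject  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $signerOk = $subject -like "*$ExpectedSigner*"

    # The hash comparison stays $null when no expected value was supplied.
    $hashOk = $null
    if ($ExpectedSha256) {
        $hashOk = ($sha256 -eq $ExpectedSha256.Trim())
    }

    [pscustomobject]@{
        Path            = (Resolve-Path -LiteralPath $Path).Path
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        StatusMessage   = $sig.StatusMessage
        Signer          = $subject
        Timestamped     = [bool] $sig.TimeStamperCertificate
        Sha256          = $sha256
        SignerMatches   = $signerOk
        HashMatches     = $hashOk
        # Trusted only if every check that was actually performed passed.
        Trusted         = ($sig.Status -eq 'Valid') -and $signerOk -and ($hashOk -ne $false)
    }
}

# Usage with the installer name used in this section; the folder is a placeholder.
$installer = Join-Path $env:USERPROFILE 'Downloads\Wireshark-win64-2.9.0.exe'
if (Test-Path -LiteralPath $installer) {
    $result = Test-WiresharkInstaller -Path $installer
    $result | Format-List
    if (-not $result.Trusted) {
        Write-Warning 'Signature or hash check failed: do not run this installer.'
    }
}
```

A status other than Valid, or a signer that does not match, means the file should be downloaded again from the official site instead of being run.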

Download Wireshark on your development PC.

Figure 4: Download the Wireshark installer

Install Wireshark on your development PC.

Double-click the Wireshark installer Wireshark-winXX-X.X.X.exe file.


The Wireshark setup starts:

Figure 5: Setup Wireshark start screen

Click the Next button.

The End-User License Agreement window opens:

Figure 6: End-User License Agreement screen

Click the I Agree button.


Figure 7: Wireshark components screen

Check or uncheck the boxes in front of the components you want to install, then click the Next button.

Figure 8: Wireshark additional tasks screen

Check or uncheck the boxes in front of the additional tasks you want to set, then click the Next button.


The destination folder dialog opens:

Figure 9: Installation path dialog window

Accept the default path or click the Browse button to choose a different target directory for your Wireshark installation, then click the Next button.

Figure 10: Wireshark packet capture window

Wireshark requires either Npcap or WinPcap to capture live network data. First use Add/Remove Programs to uninstall any undetected old WinPcap versions, then check the box in front of Install WinPcap, then click the Next button.


Figure 11: Wireshark USB capture window

Wireshark requires either Npcap or WinPcap to capture live network data. First use Add/Remove Programs to uninstall any undetected old USBPcap versions, then check the box in front of Install USBPcap, then click the Next button.

The Installing Wireshark window opens:

Figure 12: Wireshark installing screen


The WinPcap Setup Wizard starts:

Figure 13: Setup WinPcap start screen

Click the Next button.

The WinPcap License Agreement window opens:

Figure 14: WinPcap License Agreement screen

Click the I Agree button.


Figure 15: WinPcap Installation options screen

Check the box in front of Automatically start the WinPcap driver at boot time, then click the Install button.

Figure 16: WinPcap installing screen


After successful WinPcap installation, the Completed WinPcap Setup Wizard message appears:

Figure 17: WinPcap Setup completed window

Click the Finish button.

You have installed WinPcap on your PC. You now need to install the USBPcap packet capture, if required.

The USBPcap License Agreement window opens:

Figure 18: First USBPcap License Agreement screen

Check the box in front of I accept the terms in the License Agreement, then click the Next button.


The second USBPcap License Agreement window opens:

Figure 19: Second USBPcap License Agreement screen

Check the box in front of I accept the terms in the License Agreement, then click the Next button.

Figure 20: USBPcap installation options

Accept the selected default type of installation or choose a different type for your USBPcap installation, then click the Next button.


The destination folder dialog opens:

Figure 21: USBPcap installation folder

Accept the default path or click the Browse button to choose a different target directory for your USBPcap installation, then click the Next button.

After successful USBPcap installation, the completed USBPcap Setup Wizard message appears:

Figure 22: USBPcap installing screen

Click the Close button.


The Installing Wireshark window opens:

Figure 23: Wireshark installing screen

Wireshark is being installed on your development PC.

Figure 24: Installation complete screen


After successful Wireshark installation, the Completing Wireshark Setup message appears:

Figure 25: Setup completed window

Click the Finish button.

You have installed Wireshark on your PC. You now need to reboot the development PC to complete the installation.

4.1.5 Update Wireshark

By default, the official Windows package will check for new versions and notify you when they are available.

New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is done the same way as installing it. Simply download and start the installer exe. A reboot is usually not required and all your personal settings remain unchanged.

4.1.6 Update WinPcap

New versions of WinPcap are less frequently available. You will find WinPcap update instructions on the WinPcap web site at https://www.winpcap.org. You may have to reboot your machine after installing a new WinPcap version.

4.1.7 Update USBPcap

New versions of USBPcap are less frequently available. You will find USBPcap update instructions on the USBPcap web site at https://desowin.org/usbpcap. You may have to reboot your machine after installing a new USBPcap version.


4.1.8 Uninstall Wireshark

You can uninstall Wireshark using the Programs and Features control panel. Select the “Wireshark” entry to start the uninstallation procedure.

The Wireshark uninstaller provides several options for removal. The default is to remove the core components but keep your personal settings, USBPcap and WinPcap. USBPcap and WinPcap are left installed by default in case other programs need them.

4.1.9 Uninstall WinPcap

You can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Programs and Features control panel. Remember that if you uninstall WinPcap you won’t be able to capture anything with Wireshark.

4.1.10 Uninstall USBPcap

You can uninstall USBPcap independently of Wireshark using the USBPcap entry in the Programs and Features control panel. Remember that if you uninstall USBPcap you won’t be able to capture USB traffic with Wireshark.


4.2 Start Wireshark

In the following chapters, some screenshots from Wireshark will be shown. Wireshark runs on many different platforms with many different window managers and styles, and with different versions of the underlying GUI toolkit, so your screen might look different from the provided screenshots. As there are no real differences in functionality, these screenshots should still be easy to follow.

4.3 Welcome Screen

After starting Wireshark, the following window opens:

Figure 26: Wireshark welcome screen

The main window shows Wireshark as you would usually see it after some packets are captured or loaded (how to do this will be described later).

Wireshark’s main window consists of parts that are commonly known from many other GUI programs.

1. The menu (see 4.3.1: Menu) is used to start actions.

2. The main toolbar (see 4.3.2: Toolbar) provides quick access to frequently used items from the menu.

3. The filter toolbar (see 5.4.1: Filters) provides a way to directly manipulate the currently used display filter.

4. The packet list pane (see 4.3.3: “Packet List” Pane) displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes.

5. The packet details pane (see 4.3.4: “Packet Details” Pane) displays the packet selected in the packet list pane in more detail.


6. The packet bytes pane (see 4.3.5: “Packet Bytes” Pane) displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane.

7. The status bar shows some detailed information about the current program state and the captured data. [2]

4.3.1 Menu

On Windows, Wireshark’s main menu is located at the top of the main window. An example is shown in Figure 27: The menu.

NOTE: Some menu items will be disabled (greyed out) if the corresponding feature isn’t available. For example, you cannot save a capture file if you haven’t captured or loaded any packets.

Figure 27: The menu

4.3.2 Toolbar

The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu if the space on the screen is needed to show more packet data.

Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu items. For example, the image below shows the main window toolbar after a file has been opened. Various file-related buttons are enabled, but the stop capture button is disabled because a capture is not in progress.

Figure 28: The Wireshark toolbar

4.3.3 “Packet List” Pane

The packet list pane displays all the packets in the current capture file.

Figure 29: The "Packet List" Pane

Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in 4.3.4 “Packet Details” Pane and 4.3.5 “Packet Bytes” Pane.


While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns. As higher level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only.

There are a lot of different columns available.

The default columns will show:

[ No. ] The number of the packet in the capture file. This number won’t change, even if a display filter is used.

[ Time ] The timestamp of the packet. The presentation format of this timestamp can be changed.

[ Source ] The address where this packet is coming from.

[ Destination ] The address where this packet is going to.

[ Protocol ] The protocol name in a short (perhaps abbreviated) version.

[ Length ] The length of each packet.

[ Info ] Additional information about the packet content. [7]

4.3.4 “Packet Details” Pane

The packet details pane shows the current packet (selected in Figure 30: The "Packet Details" pane) in a more detailed form.

Figure 30: The "Packet Details" pane

This pane shows the protocols and protocol fields of the packet selected in 4.3.3: “Packet List” Pane.

The protocols and fields of the packet are shown in a tree, which can be expanded and collapsed. [8]

4.3.5 “Packet Bytes” Pane

The “Packet Bytes” pane shows a hex dump of the packet data. Each line contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a period (“.”).


Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data. In this case you can see each data source by clicking its corresponding tab at the bottom of the pane.

Figure 31: The “Packet Bytes” pane with tabs

Additional pages typically contain data reassembled from multiple packets or decrypted data.

The context menu (right mouse click) of the tab labels will show a list of all available pages. This can be helpful if the size in the pane is too small for all the tab labels. [9]


5 EtherNet/IP

5.1 Hardware structure for an EtherNet/IP data analysis

5.1.1 Monitoring of one ethernet port

A simple setup for monitoring one Ethernet port requires an Ethernet hub or, alternatively, a managed switch. When using an Ethernet switch, the port connected to the PC’s Ethernet adapter must be configured as a mirror port. Using the switch management, you select the monitoring port and assign the specific port you wish to monitor. Actual procedures vary between switch models. You may need to use a terminal emulator, specialized SNMP client software or a Web browser. Caution: the monitoring port must be at least as fast as the monitored port, or you will certainly lose packets.

Note that some switches might not support monitoring all traffic passing through the switch, only traffic on a particular port. On those switches, you might not be able to capture all traffic on the network, only traffic sent to or from some particular machine on the switch.

The following shows two ways to set up the hardware for a Wireshark trace.

Figure 32: Network Capture with Port-mirroring switch

Port mirroring is used on a network switch to send a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port.

[Figure 32 labels: Hub / Managed Switch, Adapter, EtherNet/IP Scanner, Adapter, PC with Wireshark]


We use port mirroring to analyse problems with a device or network load or to diagnose faults. It can be used to mirror inbound or outbound traffic (or both) on one or more interfaces.

Figure 33: Network Capture with netANALYZER

With netANALYZER, you can record EtherNet/IP process data and important communication events of individual devices simply and without the need for parameterization. Connect the netANALYZER to the EtherNet/IP network and record the connection between Scanner and Adapter with Wireshark or the included netANALYZER Scope software.

[Figure 33 labels: netANALYZER, Adapter, EtherNet/IP Scanner, Adapter, PC with Wireshark]


5.1.2 Monitoring of two ethernet ports

To monitor all incoming and outgoing frames of one device that is wired in a chain with other devices, the device has to be connected via two hubs in the following way:

Two Ethernet adapters are necessary on the PC side, traced by two individual Wireshark instances (or one common instance).

Figure 34: Network Capture with Port-mirroring switch

[Figure 34 labels: Hub / Managed Switch, Adapter, EtherNet/IP Scanner, PC with Wireshark and 2 ethernet ports, Hub / Managed Switch, Adapter]

5.2 Settings for recording with Wireshark

In order to ensure that the most important Ethernet telegrams are recorded, all the TCP/IP protocols of unused Ethernet interfaces must be deactivated during the Ethernet measurement with Wireshark.

Press the keyboard shortcut [Windows - R] to display the Run window.


The Run window starts:

Figure 35: Run window

Enter the command ncpa.cpl

Click the OK button.

This command opens the network connections on your Windows PC.

The window with all network connections opens.

Figure 36: Network Connections screen

A connection via Ethernet 2 is to be established. To do this, all remaining connections must be disabled so that the TCP/IP protocols of the unused Ethernet interfaces do not send.

In the Network Connections window, click a connection that is not to be used for communication with Wireshark.

Then select Disable this network device.

Disable all unused connections until only one connection remains.


Figure 37: Network connection screen with one connection

DHCP must not be activated in the TCP/IP protocol properties, as otherwise Ethernet telegrams will also be sent sporadically via the same interface. For this purpose, DHCP is deactivated in the Internet protocol by assigning a fixed IP address.

Double-click on the desired connection in the Network Connections window.

The Status window opens.

Figure 38: Status of the network connection


Click the Properties button at the bottom left of the Status window.

The Properties window opens.

Figure 39: Properties of the network connection

After selecting Internet Protocol version 4 (TCP/IPv4), click the Properties button.

Now enter a fixed IP address.

Figure 40: Properties of Internet Protocol version 4 (TCP/IPv4)


5.3 Recording network traffic

Once these preparations for the data analysis with Wireshark have been made, capturing can start. It is advantageous if unnecessary packets are not captured.

To avoid errors in the configuration of the device, the trace should be started before the device is started. For this purpose, the device to be recorded should be turned off first, if possible.

Then start Wireshark and click the button for starting a capture to record the network traffic.

Afterwards, turn the device on while the network recording is still running, so that the device boot-up is recorded.

The recording can be stopped with the stop symbol in the toolbar.

To save the recording, click "File" in the upper left corner and then "Save as ...", use the key combination Ctrl + S, or click the save symbol.

Then enter a name and the location and confirm.


5.4 Capturing and analysing network traffic

The netANALYZER, connected between two devices as illustrated in the figure below, passively captures Ethernet traffic. The output of the capture is a Wireshark trace which contains all transmitted Ethernet frames with a time stamp.

Figure 41: Recording Scenario with netANALYZER Scope between Scanner and Adapter

Cabling can be done as follows:

Figure 42: Typical Application - The communication between a device and its connection

For devices with two Ethernet channels, the analyser card NANL-C500-RE and the analyser device NANL-B500G-RE capture the Ethernet frames and add the time stamps to them. Therefore, the netANALYZER device must be connected from any TAP to the Ethernet device connections via two patch cables.

[Figure labels: netANALYZER, Adapter, EtherNet/IP Scanner, Adapter]


5.4.1 Filters

For a better overview, irrelevant frames can be hidden by using filters. Some essential filters are explained here.

5.4.1.1 DHCP / BootP

Devices can be configured to obtain their IP address from a BootP/DHCP server. In this case, the first two (BootP) or four (DHCP) frames from and to the EIP device belong to the BootP/DHCP negotiation.

Filter to use: dhcp (old filter: bootp)

Figure 43: DHCP/BootP filter

5.4.1.2 ARP

Once the device has an IP address, it checks that the IP address isn’t already allocated to another device on the bus, using four ARP (who has) frames. If no reply has been received, the device sends two Gratuitous ARP frames that request resolution of its own IP address.

Figure 44: ARP filter
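The start-up sequence described above, as an added example that is not part of the original application note: a parser for the 28-byte ARP body that counts a device's probes and gratuitous ARP frames and flags any other station answering for the same address. It assumes the RFC 5227 conventions (probe: sender IP 0.0.0.0; gratuitous ARP: sender IP equals target IP); the MAC addresses, sample frames and function names are constructed for illustration.

```python
import socket
import struct
from collections import namedtuple

Arp = namedtuple("Arp", "oper sha spa tha tpa")


def parse_arp(payload: bytes) -> Arp:
    """Parse the ARP body that follows the Ethernet header (Ethernet/IPv4 only)."""
    if len(payload) < 28:
        raise ValueError("ARP body shorter than 28 bytes")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return Arp(oper, sha.hex(":"), socket.inet_ntoa(spa),
               tha.hex(":"), socket.inet_ntoa(tpa))


def build_arp(oper, sha, spa, tpa, tha="00:00:00:00:00:00") -> bytes:
    """Build a constructed ARP body for the samples below."""
    def mac(text):
        return bytes.fromhex(text.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + socket.inet_aton(spa)
            + mac(tha) + socket.inet_aton(tpa))


def classify(arp: Arp) -> str:
    """Name the role of an ARP frame (assumed RFC 5227 conventions)."""
    if arp.oper == 2:
        return "reply"
    if arp.oper != 1:
        return "other"
    if arp.spa == "0.0.0.0":
        return "probe"            # "who has" sent before the address is in use
    if arp.spa == arp.tpa:
        return "announcement"     # gratuitous ARP for the sender's own address
    return "request"


def check_startup(payloads, device_mac, ip, probes_expected=4, announcements_expected=2):
    """Count the device's probes and gratuitous ARPs for ip and list conflicting MACs."""
    probes = announcements = 0
    conflicts = set()
    for raw in payloads:
        arp = parse_arp(raw)
        kind = classify(arp)
        if arp.sha == device_mac:
            if kind == "probe" and arp.tpa == ip:
                probes += 1
            elif kind == "announcement" and arp.spa == ip:
                announcements += 1
        elif arp.spa == ip or (kind == "probe" and arp.tpa == ip):
            # Another station uses the address, or probes for it at the same time.
            conflicts.add(arp.sha)
    return {
        "probes": probes,
        "announcements": announcements,
        "conflicts": sorted(conflicts),
        "clean": (probes == probes_expected
                  and announcements == announcements_expected
                  and not conflicts),
    }


# Constructed sample data (locally administered MACs, not taken from a real trace).
DEVICE_MAC = "02:00:00:00:00:42"
OTHER_MAC = "02:00:00:00:00:99"
IP = "192.168.0.42"
PROBE = build_arp(1, DEVICE_MAC, "0.0.0.0", IP)
GRATUITOUS = build_arp(1, DEVICE_MAC, IP, IP)
CLEAN_START = [PROBE] * 4 + [GRATUITOUS] * 2
CONFLICT_START = [PROBE, PROBE,
                  build_arp(2, OTHER_MAC, IP, "0.0.0.0", tha=DEVICE_MAC)]

if __name__ == "__main__":
    print(check_startup(CLEAN_START, DEVICE_MAC, IP))
    print(check_startup(CONFLICT_START, DEVICE_MAC, IP))
```

A reply from a second MAC address for the probed IP is the case worth alerting on: it indicates either a duplicate address assignment or a station answering for an address it does not own.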

5.4.1.3 ENIP / CIP / CIPCM / CIPIO

With “enip”, most EtherNet/IP relevant frames are visible, including CIP services and process data.

Figure 45: ENIP filter


Using the “cip” filter, only CIP (Common Industrial Protocol) services are visible, including connection manager messages; process data frames are hidden.

Figure 46: CIP filter

With “cipcm” only connection manager services like Forward Open and Forward Close are visible.

Figure 47: CIPCM filter

For process data only, use “cipio”.

Figure 48: CIPIO filter

5.4.1.4 DLR

Device Level Ring (DLR) traffic consists mostly of Beacon and Announce frames, which contain the current ring status.

Figure 49: DLR filter


Which devices are present in the ring can be extracted from the Sign_on frame. Use the following filter: “enip.dlr.frametype==Sign_on”. When tracing at both ports of a device, the Sign_On frames differ in the device's own MAC entry.

Figure 50: Sign_On filter

To see VLAN tags in the frames, the Ethernet adapter needs to be set up properly: VLAN filtering has to be disabled.

Figure 51: Disable VLAN filtering


Note that not all Ethernet adapters are able to pass VLAN tags to the driver. With such adapters, disabling VLAN filtering has no effect and VLAN tags remain invisible.

To make an EtherNet/IP adapter send VLAN tags, the 802.1Q Tag must be enabled by setting attribute 1 of the QoS object to “1” and power cycling the device.

Figure 52: Enable 802.1Q Tag

Now you are able to see the VLAN tag in your Wireshark trace.

Figure 53: VLAN tag


5.4.2 Forward Open Service

To check the parameters of the running connection, use the “cipcm” filter to see the Forward Open Service request. Useful information includes the RPI and the connection timeout multiplier, as well as the connection points of the input and output assemblies.

Figure 54: Forward Open frame

Knowing the connection timeout value (4 x 500 ms) makes it possible to trace why a device aborted the communication. In Figure 55: Connection timeout, the last implicit data frame was sent by the adapter (connection target) with IP address 192.168.0.42. This frame comes two seconds after the last implicit data frame of the connection originator with IP address 192.168.0.1. The connection timed out because the connection originator stopped sending data, so the device causing the trouble is the connection originator.


Figure 55: Connection timeout
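The timeout reasoning above, as an added example that is not part of the original application note: it derives the connection timeout from the Forward Open parameters and reports which side stopped producing implicit data first. The frame list is constructed to match the described scenario; the function names, the same RPI in both directions and the one-RPI tolerance are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


def timeout_factor(multiplier_code: int) -> int:
    """The Forward Open multiplier is a code 0..7 that stands for x4, x8, ... x512."""
    if not 0 <= multiplier_code <= 7:
        raise ValueError("connection timeout multiplier code must be 0..7")
    return 4 << multiplier_code


def connection_timeout_s(rpi_us: int, multiplier_code: int) -> float:
    """Connection timeout in seconds; the RPI in a Forward Open is in microseconds."""
    return rpi_us * timeout_factor(multiplier_code) / 1_000_000


@dataclass(frozen=True)
class IoFrame:
    time_s: float   # capture timestamp of an implicit (cipio) data frame
    src: str        # source IP address


@dataclass(frozen=True)
class Verdict:
    silent_ip: str            # side that stopped producing first
    last_frame_s: float       # timestamp of its last implicit data frame
    peer_last_frame_s: float  # timestamp of the peer's last implicit data frame
    silence_s: float          # gap between the two


def find_silent_side(frames: Iterable[IoFrame], originator: str, target: str,
                     rpi_us: int, multiplier_code: int) -> Optional[Verdict]:
    """Return the side whose silence made the peer time out, or None."""
    timeout = connection_timeout_s(rpi_us, multiplier_code)
    rpi = rpi_us / 1_000_000
    last = {}
    for frame in frames:
        if frame.src in (originator, target):
            last[frame.src] = max(last.get(frame.src, frame.time_s), frame.time_s)
    if originator not in last or target not in last:
        return None  # one direction never produced data: not a timeout of a running connection
    first, second = sorted((originator, target), key=lambda ip: last[ip])
    silence = last[second] - last[first]
    # The peer keeps producing until its watchdog expires, so its last frame lies
    # between (timeout - one RPI) and the timeout after the silent side's last frame.
    if silence < timeout - rpi:
        return None  # both sides stopped together, e.g. end of capture
    return Verdict(first, last[first], last[second], silence)


# Constructed sample: RPI 500 ms, multiplier code 0 (x4), as in the text above.
ORIGINATOR, TARGET = "192.168.0.1", "192.168.0.42"
RPI_US, MULTIPLIER_CODE = 500_000, 0
TIMED_OUT = ([IoFrame(i * 0.5, ORIGINATOR) for i in range(7)]     # last frame at 3.0 s
             + [IoFrame(i * 0.5, TARGET) for i in range(11)])     # last frame at 5.0 s
HEALTHY = ([IoFrame(i * 0.5, ORIGINATOR) for i in range(11)]
           + [IoFrame(i * 0.5, TARGET) for i in range(11)])

if __name__ == "__main__":
    print(connection_timeout_s(RPI_US, MULTIPLIER_CODE))
    print(find_silent_side(TIMED_OUT, ORIGINATOR, TARGET, RPI_US, MULTIPLIER_CODE))
    print(find_silent_side(HEALTHY, ORIGINATOR, TARGET, RPI_US, MULTIPLIER_CODE))
```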


6 Appendix


6.3 Bibliography

[1] Wireshark. (n.d.). 1.4. A brief history of Wireshark. Retrieved April 25, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html.

[2] 3.3. The Main window. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html.

[3] DCE/RPC - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/DCE/RPC.

[4] PROFINET/RT - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/PROFINET/RT.

[5] Zhang, L., Streubühr, M., Glaß, M., Teich, J., von Schwerin, A., & Liu, K. (2012). System-Level Modeling and Simulation of Networked PROFINET IO Controllers. In Proc. of the Embedded World Conference. Nuremberg, DE: Kissingen, Germany: WEKA Fachzeitschriften Verlag.

[6] AddressResolutionProtocol - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/AddressResolutionProtocol.

[7] 3.17. The “Packet List” Pane. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html.

[8] 3.18. The “Packet Details” Pane. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html.

[9] 3.19. The “Packet Bytes” Pane. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html.
