DOC190403AN02EN
www.hilscher.com
DOC190403AN01EN | Revision 2 | English | 2020-02 | Released | Public
Table of Contents
1 Introduction
1.1 About this Document
1.2 List of Revisions
1.3 Terms, Abbreviations and Definitions
1.4 Legal Notes
1.4.1 Copyright
1.4.2 Important Notes
1.4.3 Exclusion of Liability
1.4.4 Export Regulations
1.4.5 Registered Trademarks
2 Descriptions and Requirements
2.1 Descriptions
2.2 Structure for network recording
2.3 Network capturing
3 Wireshark
3.1 Introduction
3.2 History
3.3 Technical Details
4 First Steps
4.1 Installing the Wireshark software
4.1.1 Overview
4.1.2 Requirements for installing Wireshark
4.1.3 Where to get Wireshark
4.1.4 Step-by-Step instructions
4.1.5 Update Wireshark
4.1.6 Update WinPcap
4.1.7 Update USBPcap
4.1.8 Uninstall Wireshark
4.1.9 Uninstall WinPcap
4.1.10 Uninstall USBPcap
4.2 Start Wireshark
4.3 Welcome Screen
4.3.1 Menu
4.3.2 Toolbar
4.3.3 “Packet List” Pane
4.3.4 “Packet Details” Pane
4.3.5 “Packet Bytes” Pane
5 EtherNet/IP
5.1 Hardware structure for an EtherNet/IP data analysis
5.1.1 Monitoring of one ethernet port
5.1.2 Monitoring of two ethernet ports
5.2 Settings for recording with Wireshark
5.3 Recording network traffic
5.4 Capturing and analysing network traffic
5.4.1 Filters
5.4.2 Forward Open Service
6 Appendix
6.1 List of Figures
6.2 List of Tables
6.3 Bibliography
6.4 Contacts
1 Introduction
1.1 About this Document
This manual contains instructions for installing the Wireshark program and for recording
network traffic of devices with it. It explains the basics and also some of the features that
Wireshark provides. As Wireshark has become a very complex program since its early days, only
the basic features of Wireshark can be explained in this manual. By reading this manual, you will
learn how to install Wireshark, how to use the basic elements of the graphical user interface (such
as the menu) and what’s behind some of the advanced features that are not always obvious at first
sight.
Term Description
ARP Address Resolution Protocol
ASIC application-specific integrated circuit
ATM Asynchronous Transfer Mode
BSD Berkeley Software Distribution
CFI Canonical Format ID
CIP Common Industrial Protocol
DHCP Dynamic Host Configuration Protocol
DLR Device Level Ring
FDDI Fiber Distributed Data Interface
GNU Unix-like operating system
GUI graphical user interface
IEEE 802.1q networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network
IP Internet Protocol
IrDA Infrared Data Association
IRT Isochronous real time
LAN Local Area Network
macOS graphical operating systems
mbH mit begrenzter Haftung
PC Personal Computer
PCP Priority Code Point
PPP Point-to-Point Protocol
PTCP Precision Transparent Clock Protocol
RAM Random-Access Memory
RT Real Time
TCI Tag Control Information
TCP Transmission Control Protocol
TPID Tag Protocol Identifier
USB Universal Serial Bus
USBPcap open-source USB sniffer for Windows
VID Virtual Local Area Network ID (VLAN ID)
VLAN Virtual Local Area Network
WinPcap open source library for packet capture and network analysis for Windows
WLAN Wireless Local Area Network
Further information on how the netANALYZER is used can be found in chapter 5.1: Hardware
structure for an EtherNet/IP data analysis.
3 Wireshark
3.1 Introduction
Wireshark (“wire” and “shark”) is a free and open source packet analyser. It is used for network
troubleshooting, analysis, software and communications protocol development, and education.
Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark
issues.
Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user
interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other
Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI)
version called TShark. Wireshark, and the other programs distributed with it such as TShark, are
free software, released under the terms of the GNU General Public License.
3.2 History
In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn
more about networking so he started writing Ethereal (the original name of the Wireshark project)
as a way to solve both problems.
Ethereal was initially released after several pauses in development in July 1998 as version 0.2.0.
Within days, patches, bug reports, and words of encouragement started arriving and Ethereal was
on its way to success.
Not long after that, Gilbert Ramirez saw its potential and contributed a low-level dissector to it.
In October 1998, Guy Harris was looking for something better than tcpview, so he started applying
patches and contributing dissectors to Ethereal.
In late 1998, Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses
and started looking at it to see if it supported the protocols he needed. While it did not at that point,
new protocols could be easily added. Therefore, he started contributing dissectors and contributing
patches.
The list of people who have contributed to the project has become very long since then, and almost
all of them started with a protocol that they needed that Wireshark did not already handle.
Therefore, they copied an existing dissector and contributed the code back to the team.
When Gerald Combs switched from Ethereal Software Inc. to CACE Technologies, he launched
his own follow-up project and named it Wireshark in 2006.
In 2006, the project moved house and re-emerged under a new name: Wireshark.
The first version of Wireshark was released on June 7, 2006 with the version number 0.99.1. The
precursor, Ethereal, is still available in version 0.99.0, but is no longer being developed.
In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was
the first deemed complete, with the minimum features implemented. Its release coincided with the
first Wireshark Developer and User Conference, called Sharkfest.
Wireshark version 2.0 was released on November 19, 2015. The whole program was switched to
Qt and provided with a new, more intuitive interface. [1]
4 First Steps
4.1 Installing the Wireshark software
4.1.1 Overview
This section describes how to install the Wireshark software on your development PC.
If applicable:
Uninstall previous versions of Wireshark from your development PC
Check or uncheck the boxes in front of the components you want to install, then click the Next button.
Check or uncheck the boxes in front of the additional tasks you want to set, then click the Next button.
Accept the default path or click the Browse button to choose a different target directory for
your Wireshark installation, then click the Next button.
Wireshark requires either Npcap or WinPcap to capture live network data. Use Add/Remove
Programs first to uninstall any undetected old WinPcap versions, then check the box in
front of Install WinPcap, then click the Next button.
Wireshark requires either Npcap or WinPcap to capture live network data. Use Add/Remove
Programs first to uninstall any undetected old USBPcap versions, then check the box in
front of Install USBPcap, then click the Next button.
Check the box in front of Automatically start the WinPcap driver at boot time, then click
the Install button.
After successful WinPcap installation, the Completed WinPcap Setup Wizard message appears:
You have installed WinPcap on your PC. You now need to install the USBPcap packet capture, if
required.
Check the box in front of I accept the terms in the License Agreement, then click the Next
button.
Check the box in front of I accept the terms in the License Agreement, then click the Next
button.
Accept the selected default type of installation or choose a different type for your USBPcap
installation, then click the Next button.
Accept the default path or click the Browse button to choose a different target directory for
your USBPcap installation, then click the Next button.
After successful USBPcap installation, the completed USBPcap Setup Wizard message appears:
After successful Wireshark installation, the Completing Wireshark Setup message appears:
You have installed Wireshark on your PC. You now need to reboot the development PC to
complete the installation.
The main window shows Wireshark as you would usually see it after some packets are captured or
loaded (how to do this will be described later).
Wireshark’s main window consists of parts that are commonly known from many other GUI
programs.
1. The menu (see 4.3.1: Menu) is used to start actions.
2. The main toolbar (see 4.3.2: Toolbar) provides quick access to frequently used items
from the menu.
3. The filter toolbar (see 5.4.1: Filters) provides a way to directly manipulate the currently
used display filter.
4. The packet list pane (see 4.3.3: “Packet List” Pane) displays a summary of each packet
captured. By clicking on packets in this pane you control what is displayed in the other
two panes.
5. The packet details pane (see 4.3.4: “Packet Details” Pane) displays the packet selected
in the packet list pane in more detail.
4.3.1 Menu
On Windows, Wireshark’s main menu is located at the top of the main window. An example is shown
in Figure 27: The menu.
NOTE: Some menu items will be disabled (greyed out) if the corresponding feature isn’t
available. For example, you cannot save a capture file if you haven’t captured or
loaded any packets.
4.3.2 Toolbar
The main toolbar provides quick access to frequently used items from the menu. This toolbar
cannot be customized by the user, but it can be hidden using the View menu if the space on the
screen is needed to show more packet data.
Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu
items. For example, the image below shows the main window toolbar after a file has been
opened. Various file-related buttons are enabled, but the stop capture button is disabled because a
capture is not in progress.
Each line in the packet list corresponds to one packet in the capture file. If you select a line in this
pane, more details will be displayed in 4.3.4 “Packet Details” Pane and 4.3.5 “Packet Bytes” Pane.
This pane shows the protocols and protocol fields of the packet selected in 4.3.3: “Packet List”
Pane.
The protocols and fields of the packet are shown in a tree, which can be expanded and collapsed. [8]
Additional pages typically contain data reassembled from multiple packets or decrypted data.
The context menu (right mouse click) of the tab labels will show a list of all available pages. This
can be helpful if the size in the pane is too small for all the tab labels. [9]
5 EtherNet/IP
5.1 Hardware structure for an EtherNet/IP data analysis
5.1.1 Monitoring of one ethernet port
A simple setup for monitoring one Ethernet port requires an Ethernet hub or, alternatively, a managed
switch. When using an Ethernet switch, the port connected to the PC’s Ethernet adapter must be
configured as a mirror port. Using the switch management, you can select the monitoring port and
assign the specific port you wish to monitor. Actual procedures vary between switch models. You may
need to use a terminal emulator, specialized SNMP client software or a web browser. Caution: the
monitoring port must be at least as fast as the monitored port, or you will certainly lose packets.
Note that some switches might not support monitoring all traffic passing through the switch, only
traffic on a particular port. On those switches, you might not be able to capture all traffic on the
network, only traffic sent to or from some particular machine on the switch.
There are two ways to build the hardware setup for a Wireshark trace.
Port mirroring is used on a network switch to send a copy of network packets seen on one switch
port (or an entire VLAN) to a network monitoring connection on another switch port.
With netANALYZER, you can record EtherNet/IP process data and important communication
events of individual devices simply and without the need for parameterization. Connect the
netANALYZER to the EtherNet/IP network and record the connection between Scanner and
Adapter with Wireshark or the included netANALYZER Scope software.
[Figure labels: EtherNet/IP Scanner, Adapter, Adapter, Hub / Managed Switch, Hub / Managed Switch, PC with Wireshark]
A connection with Ethernet 2 should be established. To do this, all remaining connections must be
disconnected so that the TCP/IP protocols of unused Ethernet interfaces do not send any frames.
In the Network Connections window, click on a connection that should not establish
communication with Wireshark.
Then select Disable this network device.
Disable all unused connections until only one connection remains.
DHCP must not be activated in the TCP/IP protocol properties, as otherwise Ethernet telegrams
will also be sent sporadically via the same interface. For this purpose, DHCP is deactivated in the
Internet protocol by assigning a fixed IP address.
Double-click on the desired connection in the Network Connections window.
The Status window opens.
After selecting Internet Protocol version 4 (TCP/IPv4), click the Properties button.
Now enter a fixed IP address.
Figure 41: Recording Scenario with netANALYZER Scope between Scanner and Adapter
Figure 42: Typical Application - The communication between a device and its connection
For devices with two Ethernet channels, the analyser card NANL-C500-RE and the analyser device
NANL-B500G-RE capture the Ethernet frames and add time stamps to them. For this, the
netANALYZER device must be connected from any TAP to the Ethernet device connections via
two patch cables.
5.4.1 Filters
For a better overview, irrelevant frames can be hidden by using filters. Some essential filters are
explained here.
5.4.1.2 ARP
Once the device has an IP address, it checks whether the IP address is already allocated to another
device on the bus, using four ARP (who has) frames. If no reply has been received, the device sends
two Gratuitous ARP frames to resolve its own IP address.
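Added example (not part of the original manual): a Python check that a recorded ARP startup sequence matches the pattern described above, four who-has frames followed by two Gratuitous ARP frames, and reports any other station that answers for the address. The record layout, the MAC addresses and the function names are constructed for illustration; treating a who-has frame with sender IP 0.0.0.0 from another station as a conflict follows RFC 5227 and is an assumption about the device.

```python
EXPECTED_PROBES = 4       # "four ARP (who has) frames" in the manual
EXPECTED_GRATUITOUS = 2   # "two Gratuitous ARP frames" in the manual
UNSPECIFIED = "0.0.0.0"   # assumption: sender IP of a probe, as in RFC 5227

# Constructed sample values, not taken from a real capture.
DEVICE_MAC = "02:00:00:00:00:42"
OTHER_MAC = "02:00:00:00:00:99"
DEVICE_IP = "192.168.0.42"

# Records: (time_s, opcode, sender_mac, sender_ip, target_ip)
CLEAN_START = (
    [(0.2 * i, "request", DEVICE_MAC, UNSPECIFIED, DEVICE_IP) for i in range(4)]
    + [(1.0 + 2.0 * i, "request", DEVICE_MAC, DEVICE_IP, DEVICE_IP) for i in range(2)]
)
CONFLICT_START = [
    (0.0, "request", DEVICE_MAC, UNSPECIFIED, DEVICE_IP),
    (0.1, "reply", OTHER_MAC, DEVICE_IP, UNSPECIFIED),   # address already in use
    (0.2, "request", DEVICE_MAC, UNSPECIFIED, DEVICE_IP),
]


def classify(record, device_mac, ip):
    """Label one ARP record relative to the device under test."""
    _time, opcode, sender_mac, sender_ip, target_ip = record
    if sender_mac == device_mac:
        if opcode == "request" and target_ip == ip:
            # Sender IP equal to target IP marks a Gratuitous ARP.
            return "gratuitous" if sender_ip == ip else "probe"
        return "other"
    if sender_ip == ip:
        return "foreign_claim"    # another station already uses the address
    if opcode == "request" and sender_ip == UNSPECIFIED and target_ip == ip:
        return "foreign_probe"    # another station probes for the same address
    return "other"


def check_address_startup(records, device_mac, ip):
    """Count probes and Gratuitous ARPs and collect conflicting frames."""
    counts = {"probe": 0, "gratuitous": 0}
    conflicts = []
    announced_after_conflict = False
    for record in sorted(records):
        kind = classify(record, device_mac, ip)
        if kind in counts:
            counts[kind] += 1
            if kind == "gratuitous" and conflicts:
                announced_after_conflict = True
        elif kind in ("foreign_claim", "foreign_probe"):
            conflicts.append((record[0], record[2], kind))
    if conflicts:
        verdict = "conflict"
    elif (counts["probe"], counts["gratuitous"]) == (EXPECTED_PROBES, EXPECTED_GRATUITOUS):
        verdict = "ok"
    else:
        verdict = "incomplete"
    return {
        "verdict": verdict,
        "probes": counts["probe"],
        "gratuitous": counts["gratuitous"],
        "conflicts": conflicts,
        "announced_after_conflict": announced_after_conflict,
    }


if __name__ == "__main__":
    for name, trace in (("clean", CLEAN_START), ("conflict", CONFLICT_START)):
        print(name, check_address_startup(trace, DEVICE_MAC, DEVICE_IP))
```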
With “cipcm” only connection manager services like Forward Open and Forward Close are visible.
5.4.1.4 DLR
Device Level Ring traffic consists mostly of Beacon and Announce frames, which contain the current
ring status.
To see VLAN tags in the frames, the Ethernet adapter must be set up properly: VLAN filtering has to be
disabled.
To make an EtherNet/IP adapter send VLAN tags, 802.1Q Tag must be enabled by setting
attribute 1 of the QoS object to “1” and power cycling the device.
Now you are able to see the VLAN tag in your Wireshark trace.
Knowing the connection timeout value (4 x 500 ms) makes it possible to trace why a device
aborted the communication. In Figure 55: Connection timeout, the last implicit data
frame was sent by the adapter (connection target) with IP address 192.168.0.42. This frame comes two
seconds after the last implicit data frame of the connection originator with IP address 192.168.0.1.
The connection timed out because the connection originator stopped sending data, so the device
causing the trouble is the connection originator.
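Added example (not part of the original manual): the timeout reasoning above as a Python check over exported frame times. The input layout (time in seconds and source IP, tab-separated), the sample values and the function names are constructed for illustration; the default of 4 x 500 ms is the timeout value quoted above.

```python
from collections import defaultdict

# Constructed sample, not the capture shown in Figure 55: time in seconds and
# source IP of the implicit I/O frames of one connection, tab-separated.
# A file in this layout can be exported with:
#   tshark -r trace.pcapng -Y cipio -T fields -e frame.time_relative -e ip.src
SAMPLE_TSV = "\n".join([
    "0.000\t192.168.0.1",
    "0.250\t192.168.0.42",
    "0.500\t192.168.0.1",
    "0.750\t192.168.0.42",
    "1.000\t192.168.0.1",    # last frame of the connection originator
    "1.250\t192.168.0.42",
    "1.750\t192.168.0.42",
    "2.250\t192.168.0.42",
    "2.750\t192.168.0.42",
    "3.000\t192.168.0.42",   # last frame of the connection target
])


def parse_frames(tsv):
    """Return a time-sorted list of (time_us, source_ip) tuples."""
    frames = []
    for line in tsv.splitlines():
        fields = line.strip().split("\t")
        if len(fields) < 2 or not fields[0]:
            continue  # skip blank or incomplete lines
        # Integer microseconds avoid float rounding in the comparison below.
        frames.append((round(float(fields[0]) * 1_000_000), fields[1]))
    return sorted(frames)


def find_silent_side(frames, rpi_ms=500, multiplier=4):
    """Return the sender that first stayed silent for at least the connection
    timeout (multiplier x RPI) while the capture went on, or None."""
    if not frames:
        return None
    limit_us = rpi_ms * 1000 * multiplier
    capture_end = frames[-1][0]
    times = defaultdict(list)
    for t_us, src in frames:
        times[src].append(t_us)

    findings = []
    for src, stamps in times.items():
        # Gaps between consecutive frames plus the silence up to capture end.
        points = stamps + [capture_end]
        for prev, nxt in zip(points, points[1:]):
            if nxt - prev >= limit_us:
                findings.append((prev, src, nxt - prev))
                break
    if not findings:
        return None
    silent_from, src, gap = min(findings)   # the side that stopped first
    return {
        "sender": src,
        "silent_from_s": silent_from / 1e6,
        "silence_s": gap / 1e6,
    }


if __name__ == "__main__":
    print(find_silent_side(parse_frames(SAMPLE_TSV)))
```

The reported silence is the silence observed within the capture; if recording stopped at the timeout, the sender may have stayed silent longer.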
6 Appendix
6.1 List of Figures
Figure 1: Network Capture with Port-mirroring switch
Figure 2: Network Capture with netANALYZER
Figure 3: Official logo of the Wireshark Company
Figure 4: Download the Wireshark installer
Figure 5: Setup Wireshark start screen
Figure 6: End-User License Agreement screen
Figure 7: Wireshark components screen
Figure 8: Wireshark additional tasks screen
Figure 9: Installation path dialog window
Figure 10: Wireshark packet capture window
Figure 11: Wireshark USB capture window
Figure 12: Wireshark installing screen
Figure 13: Setup WinPcap start screen
Figure 14: WinPcap License Agreement screen
Figure 15: WinPcap Installation options screen
Figure 16: WinPcap installing screen
Figure 17: WinPcap Setup completed window
Figure 18: First USBPcap License Agreement screen
Figure 19: Second USBPcap License Agreement screen
Figure 20: USBPcap installation options
Figure 21: USBPcap installation folder
Figure 22: USBPcap installing screen
Figure 23: Wireshark installing screen
Figure 24: Installation complete screen
Figure 25: Setup completed window
Figure 26: Wireshark welcome screen
Figure 27: The menu
Figure 28: The Wireshark toolbar
Figure 29: The "Packet List" Pane
Figure 30: The "Packet Details" pane
Figure 31: The “Packet Bytes” pane with tabs
Figure 32: Network Capture with Port-mirroring switch
Figure 33: Network Capture with netANALYZER
Figure 34: Network Capture with Port-mirroring switch
Figure 35: Run window
Figure 36: Network Connections screen
Figure 37: Network connection screen with one connection
Figure 38: Status of the network connection
Figure 39: Properties of the network connection
Figure 40: Properties of Internet Protocol version 4 (TCP/IPv4)
Figure 41: Recording Scenario with netANALYZER Scope between Scanner and Adapter
Figure 42: Typical Application - The communication between a device and its connection
Figure 43: DHCP/BootP filter
Figure 44: ARP filter
Figure 45: ENIP filter
Figure 46: CIP filter
Figure 47: CIPCM filter
Figure 48: CIPIO filter
Figure 49: DLR filter
Figure 50: Sign_On filter
Figure 51: Disable VLAN filtering
Figure 52: Enable 802.1Q Tag
Figure 53: VLAN tag
Figure 54: Forward Open frame
Figure 55: Connection timeout
6.3 Bibliography
[1] Wireshark. (n.d.). 1.4. A brief history of Wireshark. Retrieved April 25, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html.
[2] 3.3. The Main window. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html.
[3] DCE/RPC - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from
https://wiki.wireshark.org/DCE/RPC.
[4] PROFINET/RT - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from
https://wiki.wireshark.org/PROFINET/RT.
[5] Zhang, L., Streubühr, M., Glaß, M., Teich, J., von Schwerin, A., & Liu, K. (2012). System-Level
Modeling and Simulation of Networked PROFINET IO Controllers. In Proc. of the Embedded
World Conference. Nuremberg, DE: Kissingen, Germany: WEKA Fachzeitschriften Verlag.
[6] AddressResolutionProtocol - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from
https://wiki.wireshark.org/AddressResolutionProtocol.
[7] 3.17. The “Packet List” Pane. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html.
[8] 3.18. The “Packet Details” Pane. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html
[9] 3.19. The “Packet Bytes” Pane. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html
6.4 Contacts
Headquarters
Germany
Hilscher Gesellschaft für
Systemautomation mbH
Rheinstrasse 15
65795 Hattersheim
Phone: +49 (0) 6190 9907-0
Fax: +49 (0) 6190 9907-50
E-Mail: info@hilscher.com
Support
Phone: +49 (0) 6190 9907-99
E-Mail: de.support@hilscher.com
Subsidiaries
China
Hilscher Systemautomation (Shanghai) Co. Ltd.
200010 Shanghai
Phone: +86 (0) 21-6355-5161
E-Mail: info@hilscher.cn
Support
Phone: +86 (0) 21-6355-5161
E-Mail: cn.support@hilscher.com
France
Hilscher France S.a.r.l.
69500 Bron
Phone: +33 (0) 4 72 37 98 40
E-Mail: info@hilscher.fr
Support
Phone: +33 (0) 4 72 37 98 40
E-Mail: fr.support@hilscher.com
India
Hilscher India Pvt. Ltd.
New Delhi - 110 025
Phone: +91 11 40515640
E-Mail: info@hilscher.in
Italy
Hilscher Italia srl
20090 Vimodrone (MI)
Phone: +39 02 25007068
E-Mail: info@hilscher.it
Support
Phone: +39 02 25007068
E-Mail: it.support@hilscher.com
Japan
Hilscher Japan KK
Tokyo, 160-0022
Phone: +81 (0) 3-5362-0521
E-Mail: info@hilscher.jp
Support
Phone: +81 (0) 3-5362-0521
E-Mail: jp.support@hilscher.com
Korea
Hilscher Korea Inc.
Suwon, 443-810
Phone: +82-31-204-6190
E-Mail: info@hilscher.kr
Switzerland
Hilscher Swiss GmbH
4500 Solothurn
Phone: +41 (0) 32 623 6633
E-Mail: info@hilscher.ch
Support
Phone: +49 (0) 6190 9907-99
E-Mail: ch.support@hilscher.com
USA
Hilscher North America, Inc.
Lisle, IL 60532
Phone: +1 630-505-5301
E-Mail: info@hilscher.us
Support
Phone: +1 630-505-5301
E-Mail: us.support@hilscher.com