DOC190403AN02EN

Application Note
Capturing EtherNet/IP with Wireshark
www.hilscher.com
DOC190403AN01EN | Revision 2 | English | 2020-02 | Released | Public
Introduction 2/48
Table of Contents
1 Introduction ............................................................................................................................................. 3
1.1 About this Document ...................................................................................................................... 3
1.2 List of Revisions ............................................................................................................................. 3
1.3 Terms, Abbreviations and Definitions ............................................................................................ 4
1.4 Legal Notes .................................................................................................................................... 5
1.4.1 Copyright ........................................................................................................................................... 5
1.4.2 Important Notes ................................................................................................................................. 5
1.4.3 Exclusion of Liability .......................................................................................................................... 6
1.4.4 Export Regulations ............................................................................................................................ 6
1.4.5 Registered Trademarks ..................................................................................................................... 6
2 Descriptions and Requirements ........................................................................................................... 7
2.1 Descriptions.................................................................................................................................... 7
2.2 Structure for network recording ...................................................................................................... 7
2.3 Network capturing .......................................................................................................................... 8
3 Wireshark ..............................................................................................................................................10
3.1 Introduction...................................................................................................................................10
3.2 History ..........................................................................................................................................10
3.3 Technical Details ..........................................................................................................................11
4 First Steps .............................................................................................................................................12
4.1 Installing the Wireshark software .................................................................................................12
4.1.1 Overview ......................................................................................................................................... 12
4.1.2 Requirements for installing Wireshark ............................................................................................. 12
4.1.3 Where to get Wireshark ................................................................................................................... 13
4.1.4 Step-by-Step instructions ................................................................................................................ 13
4.1.5 Update Wireshark ............................................................................................................................ 24
4.1.6 Update WinPcap ............................................................................................................................. 24
4.1.7 Update USBPcap ............................................................................................................................ 24
4.1.8 Uninstall Wireshark.......................................................................................................................... 25
4.1.9 Uninstall WinPcap ........................................................................................................................... 25
4.1.10 Uninstall USBPcap .......................................................................................................................... 25
4.2 Start Wireshark.............................................................................................................................26
4.3 Welcome Screen ..........................................................................................................................26
4.3.1 Menu ............................................................................................................................................... 27
4.3.2 Toolbar ............................................................................................................................................ 27
4.3.3 “Packet List” Pane ........................................................................................................................... 27
4.3.4 “Packet Details” Pane ...................................................................................................................... 28
4.3.5 “Packet Bytes” Pane ........................................................................................................................ 28
5 EtherNet/IP ............................................................................................................................................30
5.1 Hardware structure for an EtherNet/IP data analysis...................................................................30
5.1.1 Monitoring of one ethernet port ....................................................................................................... 30
5.1.2 Monitoring of two ethernet ports ...................................................................................................... 32
5.2 Settings for recording with Wireshark ..........................................................................................32
5.3 Recording network traffic .............................................................................................................36
5.4 Capturing and analysing network traffic .......................................................................................37
5.4.1 Filters............................................................................................................................................... 38
5.4.2 Forward Open Service..................................................................................................................... 42
6 Appendix ...............................................................................................................................................45
6.1 List of Figures ...............................................................................................................................45
6.2 List of Tables ................................................................................................................................46
6.3 Bibliography..................................................................................................................................47
6.4 Contacts .......................................................................................................................................48

DOC190403AN01EN | Revision 2 | English | 2020-02 | Released | Public © Hilscher, 2019-2020
Introduction 3/48
1 Introduction
1.1 About this Document
This manual contains installation and network recording instructions for the devices using the
Wireshark program. This manual will explain the basics and also some of the features that
Wireshark provides. As Wireshark has become a very complex program since the early days, only
the basic feature of Wireshark can be explained in this manual. By reading this manual, you will
learn how to install Wireshark, how to use the basic elements of the graphical user interface (such
as the menu) and what’s behind some of the advanced features that are not always obvious at first
sight.
1.2 List of Revisions

Table 1: List of Revisions
Rev Date Chapter Revisions

1 22.10.2019 all created
2 17.02.2020 footer Document name corrected

Introduction 4/48
1.3 Terms, Abbreviations and Definitions

Table 2: Terms, Abbreviations and Definitions
Term Description
ARP Address Resolution Protocol
ASIC application-specific integrated circuit
ATM Asynchronous Transfer Mode
BSD Berkeley Software Distribution
CFI Canonical Format ID
CIP Common Industrial Protocol
DHCP Dynamic Host Configuration Protocol
DLR Device Level Ring
FDDI Fiber Distributed Data Interface
GNU Unix-like operating system
GUI graphical user interface
IEEE 802.1q networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network
IP Internet Protocol
IrDA Infrared Data Association
IRT Isochronous real time
LAN Local Area Network
macOS graphical operating systems
mbH mit begrentzter Haftung
PC Personal Computer
PCP Priority Code Point
PPP Point-to-Point Protocol
PTCP Precision Transparent Clock Protocol
RAM Random-Access Memory
RT Real Time
TCI Tag Control Information
TCP Transmission Control Protocol
TPID Tag Protocol Identifier
USB Universal Serial Bus
USBPcap open-source USB sniffer for Windows
VID Virtual Local Area Network ID (VLAN ID)
VLAN Virtual Local Area Network
WinPcap open source library for packet capture and network analysis for Windows
WLAN Wireless Local Area Network

Introduction 5/48
1.4 Legal Notes

1.4.1 Copyright
© Hilscher Gesellschaft für Systemautomation mbH
All rights reserved.
The images, photographs and texts in the accompanying material (user manual, accompanying
texts, documentation, etc.) are protected by German and international copyright law as well as
international trade and protection provisions. You are not authorized to duplicate these in whole or
in part using technical or mechanical methods (printing, photocopying or other methods), to
manipulate or transfer using electronic systems without prior written consent. You are not permitted
to make changes to copyright notices, markings, trademarks or ownership declarations. The
included diagrams do not take the patent situation into account. The company names and product
descriptions included in this document may be trademarks or brands of the respective owners and
may be trademarked or patented. Any form of further use requires the explicit consent of the
respective rights owner.
1.4.2 Important Notes

The user manual, accompanying texts and the documentation were created for the use of the
products by qualified experts, however, errors cannot be ruled out. For this reason, no guarantee
can be made and neither juristic responsibility for erroneous information nor any liability can be
assumed. Descriptions, accompanying texts and documentation included in the user manual do
not present a guarantee nor any information about proper use as stipulated in the contract or a
warranted feature. It cannot be ruled out that the user manual, the accompanying texts and the
documentation do not correspond exactly to the described features, standards or other data of the
delivered product. No warranty or guarantee regarding the correctness or accuracy of the
information is assumed.
We reserve the right to change our products and their specification as well as related user
manuals, accompanying texts and documentation at all times and without advance notice, without
obligation to report the change. Changes will be included in future manuals and do not constitute
any obligations. There is no entitlement to revisions of delivered documents. The manual delivered
with the product applies.
Hilscher Gesellschaft für Systemautomation mbH is not liable under any circumstances for direct,
indirect, incidental or follow-on damage or loss of earnings resulting from the use of the information
contained in this publication.

Introduction 6/48
1.4.3 Exclusion of Liability

The software was produced and tested with utmost care by Hilscher Gesellschaft für
Systemautomation mbH and is made available as is. No warranty can be assumed for the
performance and flawlessness of the software for all usage conditions and cases and for the
results produced when utilized by the user. Liability for any damages that may result from the use
of the hardware or software or related documents, is limited to cases of intent or grossly negligent
violation of significant contractual obligations. Indemnity claims for the violation of significant
contractual obligations are limited to damages that are foreseeable and typical for this type of
contract.
It is strictly prohibited to use the software in the following areas:
 for military purposes or in weapon systems;
 for the design, construction, maintenance or operation of nuclear facilities;
 in air traffic control systems, air traffic or air traffic communication systems;
 in life support systems;
 in systems in which failures in the software could lead to personal injury or injuries leading to
death.
We inform you that the software was not developed for use in dangerous environments requiring
fail-proof control mechanisms. Use of the software in such an environment occurs at your own risk.
No liability is assumed for damages or losses due to unauthorized use.
1.4.4 Export Regulations

The delivered product (including the technical data) is subject to export or import laws as well as
the associated regulations of different counters, in particular those of Germany and the USA. The
software may not be exported to countries where this is prohibited by the United States Export
Administration Act and its additional provisions. You are obligated to comply with the regulations at
your personal responsibility. We wish to inform you that you may require permission from state
authorities to export, re-export or import the product.
1.4.5 Registered Trademarks

Windows® 7, Windows® 8 and Windows® 10 are registered trademarks of Microsoft Corporation.
Wireshark® and the "fin" -Logo is a registered trademark of Gerald Combs.
Adobe-Acrobat® is a registered trademark of the Adobe Systems Incorporated.
EtherCAT® is a registered trademark of Beckhoff Automation GmbH, Verl, Germany, formerly
Elektro Beckhoff GmbH.
PROFIBUS® und PROFINET® are registered trademarks of PROFIBUS International, Karlsruhe.
All other mentioned trademarks are property of their respective legal owners.

Descriptions and Requirements 7/48
2 Descriptions and Requirements

2.1 Descriptions
This chapter describes the most important steps in short form for a recording with Wireshark.
Chapter 4: First Steps explains the steps how to download the Wireshark program. In addition, this
chapter describes how to update or uninstall Wireshark in addition to installing.
In the following, there is a closer look at the user interface of Wireshark and the most important
functions of the user interface are explained.
Chapter 5: EtherNet/IP starts into the EtherNet/IP topic and gives an overview and shows with an
example of how an analysis of the EtherNet/IP data frames works.
2.2 Structure for network recording

In the following you will find two possibilities to build the hardware to capture a Wireshark trace.
If no netANALYZER is available, the structure should be as follows:
PC with Wireshark
EtherNet/IP Scanner Hub / Adapter Adapter

Managed Switch
Figure 1: Network Capture with Port-mirroring switch

Further information on why port mirroring is used can be found in chapter 5.1 Hardware structure
for an EtherNet/IP data analysis.
For a recording with the netANALYZER, which captures all frames the structure is:
PC with Wireshark
Ethernet/IP Scanner netANALYZER Slave Slave
Figure 2: Network Capture with netANALYZER
Further information how the netANALYZER is used can be found in chapter 5.1: Hardware
structure for an EtherNet/IP data analysis.
2.3 Network capturing

Start the Wireshark capturing, after the preparation for a data analysis with Wireshark has been
made. In the following, you will find the steps to capture a trace in a short form:
 Switch off EtherNet/IP Scanner/Adapter
 Click on the button
 Switch on Scanner/Adapter
 Wait until Scanner/Adapter has booted up and exchanged data
 Stop capturing with the button
 Save capture with the button

For more detailed explanations, see chapter 5.3: Recording network traffic.

Wireshark 10/48
3 Wireshark
3.1 Introduction
Wireshark (“wire” and “shark”) is a free and open source packet analyser. It is used for network
troubleshooting, analysis, software and communications protocol development, and education.
Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark
issues.
Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user
interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other
Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI)
version called TShark. Wireshark, and the other programs distributed with it such as TShark, are
free software, released under the terms of the GNU General Public License.
3.2 History
In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn
more about networking so he started writing Ethereal (the original name of the Wireshark project)
as a way to solve both problems.
Ethereal was initially released after several pauses in development in July 1998 as version 0.2.0.
Within day’s patches, bug reports, and words of encouragement started arriving and Ethereal was
on its way to success.
Not long, after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it.
In October, 1998 Guy Harris was looking for something better than tcpview so he started applying
patches and contributing dissectors to Ethereal.
In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses
and started looking at it to see if it supported the protocols he needed. While it did not at that point
new protocols could be easily added. Therefore, he started contributing dissectors and contributing
patches.
The list of people who have contributed to the project has become very long since then, and almost
all of them started with a protocol that they needed that Wireshark or did not already handle.
Therefore, they copied an existing dissector and contributed the code back to the team.
When Gerald Combs switched from Ethereal Software Inc. to CACE Technologies, he launched
his own follow-up project and named it in 2006 Wireshark.
In 2006, the project moved house and re-emerged under a new name: Wireshark.
The first version of Wireshark was released on June 7, 2006 with the version number 0.99.1. The
precursor, Ethereal, is still available in version 0.99.0, but is no longer being developed.
In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was
the first deemed complete, with the minimum features implemented. Its release coincided with the
first Wireshark Developer and User Conference, called Sharkfest.
Wireshark version 2.0 was released on November 19, 2015. The whole program was switched to
Qt and provided with a new, more intuitive interface. [1]

Wireshark 11/48
Figure 3: Official logo of the Wireshark Company
3.3 Technical Details

The Wireshark tool either displays the data in the form of individual packets during or after the
recording of data traffic from a network interface. The data is processed in a clearly arranged
manner with filters adapted to the respective protocols. Wireshark can also create statistics on the
data flow or use special filters to selectively extract binary content.
Network interfaces whose traffic can be analysed are primarily Ethernet with the various Internet
protocol families such as TCP/IP. In addition, Wireshark can also record and analyse wireless
traffic in the Wireless Local Area Network (WLAN) and Bluetooth connections. Using appropriate
modules, further common interfaces such as USB can be integrated into Wireshark. On Microsoft
Windows, Wireshark records traffic transparently using WinPcap. The prerequisite for this is
always that the respective computer on which Wireshark is operated has the corresponding
physical interfaces and the user has corresponding access authorizations for these interfaces.
In addition to the graphical Wireshark version, there is the TShark, which is based on the same
network code and is controlled by command line options. For both versions, the recording format of
the measured data was taken from tcpdump. Nevertheless, Wireshark can additionally import the
formats of other LAN analysers.

First Steps 12/48
4 First Steps
4.1 Installing the Wireshark software
4.1.1 Overview
This section describes how to install the Wireshark software on your development PC.
4.1.2 Requirements for installing Wireshark

General requirements
 Operating system: Windows® 10, Windows® 8/8.1, Windows® 7, Windows® Vista,
Windows® Server 2016, Windows® Server 2012 R2, Windows® Server 2012, Windows®
Server 2008 R2 or Windows® Server 2008
 Access to the internet is required for downloading “third-party” development tools like e.g.
WinPcap and USBPcap.
If applicable:
 Uninstall previous versions of Wireshark from your development PC
Hardware requirements of development PC

 Processor: Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.
 RAM: 400 Mbyte min., larger capture files require more RAM.
 Free hard disk space: 300 MByte min., Capture files require additional disk space.
 Graphic resolution: 1024 x 768 pixels (1280 × 1024 or higher recommended) resolution with
at least 16-bit colour. 8-bit colour should work but user experience will be degraded. Power
users will find multiple monitors useful.
 Network card: A supported network card for capturing
o Ethernet. Any card supported by Windows should work.
o 802.11. Capturing raw 802.11 information may be difficult without special
equipment.
o other media. These are ATM, Bluetooth, CiscoHDL, Ethernet, FDDI, FrameRelay,
IrDA, Loopback, ppp, TokenRing, USB, VLAN and WLAN.
Older versions of Windows, which are outside Microsoft’s extended lifecycle support window, are
no longer supported. It is often difficult or impossible to support these systems due to
circumstances beyond the control of Wireshark, such as third party libraries on which Wireshark
depend or due to necessary features that are only present in newer versions of Windows (such as
hardened security or memory management).

First Steps 13/48
4.1.3 Where to get Wireshark

You can get the latest copy of the program from the Wireshark website at
https://www.wireshark.org/download.html. The download page should automatically highlight the
appropriate download for your platform and direct you to the nearest mirror. The Wireshark
Foundation signs official Windows and macOS installers.
A new Wireshark version typically becomes available each month or two.
4.1.4 Step-by-Step instructions

Windows installer names contain the platform and version. For example, Wireshark-win64-
2.9.0.exe installs Wireshark 2.9.0 for 64-bit Windows. The Wireshark installer includes WinPcap,
which is required for packet capture.
Simply download the Wireshark installer from https://www.wireshark.org/download.html and
execute it. The Wireshark Foundation signs official packages. You can choose to install several
optional components and select the location of the installed package. The default settings are
recommended for most users.
Download Wireshark on your development PC.
Figure 4: Download the Wireshark installer
Install Wireshark on your development PC.

 Double-click the Wireshark installer Wireshark-winXX-X.X.X.exe file.

First Steps 14/48
The Wireshark setup starts:
Figure 5: Setup Wireshark start screen
 Click Next button.
The End-User License Agreement window opens:
Figure 6: End-User License Agreement screen
 Click I Agree button.

First Steps 15/48
Figure 7: Wireshark components screen
 Click or unclick in front of the components you want to install, then click Next button.
Figure 8: Wireshark additional tasks screen
 Click or unclick in front of the additional tasks you want to set, then click Next button.

First Steps 16/48
The destination folder dialog opens:
Figure 9: Installation path dialog window
 Accept the default path or click the Browse button to choose a different target directory for
your Wireshark installation, then click Next button.
Figure 10: Wireshark packet capture window
 Wireshark requires either Npcap or WinPcap to capture live network data. Use Add/Remove
Programs first to uninstall any undetected old WinPcap versions, then Check the box in
front Install WinPcap, then click Next button.

First Steps 17/48
Figure 11: Wireshark USB capture window
 Wireshark requires either Npcap or WinPcap to capture live network data. Use Add/Remove
Programs first to uninstall any undetected old USBPcap versions, then Check the box in
front Install USBPcap, then click Next button.
The Installing Wireshark window opens:
Figure 12: Wireshark installing screen

First Steps 18/48
The WinPcap Setup Wizard starts:
Figure 13: Setup WinPcap start screen
 Click Next button.
The WinPcap License Agreement window opens:
Figure 14: WinPcap License Agreement screen
 Click I Agree button.

First Steps 19/48
Figure 15: WinPcap Installation options screen
 Check the box in front of Automatically start the WinPcap driver at boot time, then click
Install button.
Figure 16: WinPcap installing screen

First Steps 20/48
After successful WinPcap installation, the Completed WinPcap Setup Wizard message appears:
Figure 17: WinPcap Setup completed window
 Click Finish button.
You have installed WinPcap on your PC. You now need to install the USBPcap packet capture, if
required.
The USBPcap License Agreement window opens:
Figure 18: First USBPcap License Agreement screen
 Check the box in front of I accept the terms in the License Agreement, then click Next
button.

First Steps 21/48
The second USBPcap License Agreement window opens:
Figure 19: Second USBPcap License Agreement screen
 Check the box in front of I accept the terms in the License Agreement, then click Next
button.
Figure 20: USBPcap installation options
 Accept the selected default type of installation or change a different type for your USBPcap
installation, then click Next button.

First Steps 22/48
The destination folder dialog opens:
Figure 21: USBPcap installation folder
 Accept the default path or click the Browse button to choose a different target directory for
your USBPcap installation, then click Next button.
After successful USBPcap installation, the completed USBPcap Setup Wizard message appears:
Figure 22: USBPcap installing screen
 Click Close button.

First Steps 23/48
The Installing Wireshark window opens:
Figure 23: Wireshark installing screen
Wireshark is being installed on your development PC.
Figure 24: Installation complete screen

First Steps 24/48
After successful Wireshark installation, the Completing Wireshark Setup message appears:
Figure 25: Setup completed window
 Click Finish button.
You have installed Wireshark on your PC. You now need to reboot the development PC to
complete the installation.
4.1.5 Update Wireshark

By default, the official Windows package will check for new versions and notify you when they are
available.
New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is
done the same way as installing it. Simply download and start the installer exe. A reboot is usually
not required and all your personal settings remain unchanged.
4.1.6 Update WinPcap

New versions of WinPcap are less frequently available. You will find WinPcap update instructions
the WinPcap web site at https://www.winpcap.org. You may have to reboot your machine after
installing a new WinPcap version.
4.1.7 Update USBPcap

New versions of USBPcap are less frequently available. You will find USBPcap update instructions
the USBPcap web site at https://desowin.org/usbpcap. You may have to reboot your machine after
installing a new WinPcap version.

First Steps 25/48
4.1.8 Uninstall Wireshark
You can uninstall Wireshark using the Programs and Features control panel. Select the
“Wireshark” entry to start the uninstallation procedure.
The Wireshark uninstaller provides several options for removal. The default is to remove the core
components but keep your personal settings, USBPcap and WinPcap. USBPcap and WinPcap are
left installed by default in case other programs need it.
4.1.9 Uninstall WinPcap

You can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Programs
and Features control panel. Remember that if you uninstall WinPcap you won’t be able to capture
anything with Wireshark.
4.1.10 Uninstall USBPcap

You can uninstall USBPcap independently of Wireshark using the USBPcap entry in the Programs
and Features control panel. Remember that if you uninstall USBPcap you won’t be able to capture
USB traffic with Wireshark.

First Steps 26/48
4.2 Start Wireshark

In the following chapters, some screenshots from Wireshark will be shown. As Wireshark runs on
many different platforms with many different window managers, different styles applied and there
are different versions of the underlying GUI toolkit used, your screen might look different from the
provided screenshots. But as there are no real differences in functionality these screenshots
should still be well understandable.
4.3 Welcome Screen

After starting Wireshark, the following window opens:
Figure 26: Wireshark welcome screen
The main window shows Wireshark as you would usually see it after some packets are captured or
loaded (how to do this will be described later).
Wireshark’s main window consists of parts that are commonly known from many other GUI
programs.
1. The menu (see 4.3.1: Menu) is used to start actions.
2. The main toolbar (see 4.3.2: Toolbar) provides quick access to frequently used items
from the menu.
3. The filter toolbar (see 5.4.1: Filters) provides a way to directly manipulate the currently
used display filter.
4. The packet list pane (see 4.3.3: “Packet List” Pane) displays a summary of each packet
captured. By clicking on packets in this pane you control what is displayed in the other
two panes.
5. The packet details pane (see 4.3.4: “Packet Details” Pane) displays the packet selected
in the packet list pane in more detail.

First Steps 27/48
6. The packet bytes pane (see 4.3.5: “Packet Bytes” Pane) displays the data from the
packet selected in the packet list pane, and highlights the field selected in the packet
details pane.
7. The status bar shows some detailed information about the current program state and the
captured data. [2]
4.3.1 Menu
Wireshark’s main menu is located in Windows at the top of the main window. An example is shown
in Figure 27: The menu.
NOTE: Some menu items will be disabled (greyed out) if the corresponding feature isn’t
available. For example, you cannot save a capture file if you haven’t captured or
loaded any packets.
Figure 27: The menu
4.3.2 Toolbar
The main toolbar provides quick access to frequently used items from the menu. This toolbar
cannot be customized by the user, but it can be hidden using the View menu if the space on the
screen is needed to show more packet data.
Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu
items. For example, in the image below shows the main window toolbar after a file has been
opened. Various file-related buttons are enabled, but the stop capture button is disabled because a
capture is not in progress.
Figure 28: The Wireshark toolbar
4.3.3 “Packet List” Pane

The packet list pane displays all the packets in the current capture file.
Figure 29: The "Packet List" Pane
Each line in the packet list corresponds to one packet in the capture file. If you select a line in this
pane, more details will be displayed in 4.3.4 “Packet Details” Pane and 4.3.5 “Packet Bytes” Pane

First Steps 28/48
While dissecting a packet, Wireshark will place information from the protocol dissectors into the
columns. As higher level protocols might overwrite information from lower levels, you will typically
see the information from the highest possible level only.
There are a lot of different columns available.
The default columns will show:
 [ No. ] The number of the packet in the capture file. This number won’t change,
even if a display filter is used.
 [ Time ] The timestamp of the packet. The presentation format of this timestamp
can be changed.
 [ Source ] The address where this packet is coming from.
 [ Destination ] The address where this packet is going to.
 [ Protocol ] The protocol name in a short (perhaps abbreviated) version.
 [ Length ] The length of each packet.
 [ Info ] Additional information about the packet content. [7]
4.3.4 “Packet Details” Pane

The packet details pane shows the current packet (selected in Figure 30: The "Packet Details"
pane) in a more detailed form.
Figure 30: The "Packet Details" pane
This pane shows the protocols and protocol fields of the packet selected in 4.3.3: “Packet List”
Pane.
The protocols and fields of the packet shown in a tree, which can be expanded and collapsed. [8]
4.3.5 “Packet Bytes” Pane

The “Packet Bytes” pane shows a hex dump of the packet data. Each line contains the data offset,
sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a
period (“.”).

First Steps 29/48
Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark
has reassembled some packets into a single chunk of data. In this case you can see each data
source by clicking its corresponding tab at the bottom of the pane.
Figure 31: The “Packet Bytes” pane with tabs
Additional pages typically contain data reassembled from multiple packets or decrypted data.
The context menu (right mouse click) of the tab labels will show a list of all available pages. This
can be helpful if the size in the pane is too small for all the tab labels. [9]

EtherNet/IP 30/48
5 EtherNet/IP
5.1 Hardware structure for an EtherNet/IP data analysis
5.1.1 Monitoring of one ethernet port
A simple setup to monitoring one ethernet port requires an ethernet hub or alternatively a managed
switch. Using an ethernet switch, port connected to the PC’s ethernet adapter must be configured
as a mirror port. Using the switch management, you can select both the monitoring port and assign
a specific port you wish to monitor. Actual procedures vary between switch models. You may need
to use a terminal emulator, specialized SNMP client software or a Web browser. Caution: the
monitoring port must be at least as fast as the monitored port, or you will certainly lose packets.
Note that some switches might not support monitoring all traffic passing through the switch, only
traffic on a particular port. On those switches, you might not be able to capture all traffic on the
network, only traffic sent to or from some particular machine on the switch.
In the following there are two ways to build the hardware to accommodate a Wireshark trace.
PC with Wireshark
EtherNet/IP Scanner Hub / Adapter Adapter

Managed Switch
Port mirroring is used on a network switch to send a copy of network packets seen on one switch
port (or an entire VLAN) to a network monitoring connection on another switch port.

EtherNet/IP 31/48
We use port mirroring to analyse problems with a device or network load or to diagnose faults. It
can be used to mirror inbound or outbound traffic (or both) on one or more interfaces.
PC with Wireshark
Ethernet/IP Scanner netANALYZER Adapter Adapter
Figure 33: Network Capture with netANALYZER
With netANALYZER, you can record EtherNet/IP process data and important communication
events of individual devices simply and without the need for parameterization. Connect the
netANALYZER to the EtherNet/IP network and record the connection between Scanner and
Adapter with Wireshark or the included netANALYZER Scope software.

EtherNet/IP 32/48
5.1.2 Monitoring of two ethernet ports

To monitor all incoming and outgoing frames of one device, wired in a chain with other devices, it
has to be connected with two hubs in the following way:
There are two ethernet adapters on the PC side necessary, traced by two individual (or one
common) Wireshark instances.
EtherNet/IP Scanner
PC with Wireshark
and 2 ethernet ports
Adapter
Adapter
Hub / Hub /
Managed Switch Managed Switch
5.2 Settings for recording with Wireshark

In order to ensure that the most important Ethernet telegrams are recorded, all the TCP/IP
protocols of unused Ethernet interfaces must be deactivated during the Ethernet measurement
with Wireshark.
Press the keyboard shortcut [Windows - R] to display the Run window.

EtherNet/IP 33/48
The Run window starts:
Figure 35: Run window
 Enter the command ncpa.cpl

 Click OK button.
This command opens the network connections on your Windows PC.

All network connections opens.
Figure 36: Network Connections screen
A connection with Ethernet 2 should be established. To do this, all remaining connections must be
disconnected so that all TCP/IP protocols of unused Ethernet interfaces will not send.
In the Network Connections window, click on the desired connection, which should not establish
communication with Wireshark.
Then select Disable this network device.
Disable all unused connections until only one connection remains.

EtherNet/IP 34/48
Figure 37: Network connection screen with one connection
DHCP must not be activated in the TCP/IP protocol properties, as otherwise Ethernet telegrams
will also be sent sporadically via the same interface. For this purpose, DHCP is deactivated in the
Internet protocol by assigning a fixed IP address.
Double-click on the desired connection in the Network Connections window.
The window status opens.
Figure 38: Status of the network connection

EtherNet/IP 35/48
Click the button Properties in the bottom left of the Status window.
The window Properties opens.
Figure 39: Properties of the network connection
After selecting Internet Protocol version 4 (TCP/IPv4), click the Properties button.
Now enter a fixed IP address.
Figure 40: Properties of Internet Protocol version 4 (TCP/IPv4)

EtherNet/IP 36/48
5.3 Recording network traffic

After this preparation for the data analysis with Wireshark has been made, the capturing starts. For
this it is advantageous if unnecessary packages will not be captured.
To avoid errors in the configuration of the device, the trace should be started before the device is
started. For this purpose, the recorded device should be turned off first, if possible.
Then the program Wireshark is started and with the click on the button the network traffic will
be recorded.
Afterwards, the device should be turned on while the network recording is still running and record
the device boot-up.
The recording can be stopped in the toolbar with the symbol .
To save the recording, click on "File" in the upper left corner and then on "Save as ...“ use the key
combination Ctrl + S or click on the symbol .
Then enter a name and the location and confirm it.

EtherNet/IP 37/48
5.4 Capturing and analysing network traffic

The netANALYZER, switched in-between two devices as illustrated in the figure below, passively
captures ethernet traffic. The output of the capturing is a Wireshark trace which contains all
transmitted ethernet frames with a time stamp.
Adapter Adapter
netANALYZER
EtherNet/IP Scanner
Figure 41: Recording Scenario with netANALYZER Scope between Scanner and Adapter
Cabling can be done as follows:
Figure 42: Typical Application - The communication between a device and its connection
For devices with two Ethernet channels the analyser card NANL-C500-RE and the analyser device
NANL-B500G-RE capture the Ethernet frames and adds the time stamps to them. Therefore, the
netANALYZER device must be connected from any TAP to the Ethernet device connections via
two patch cables.

EtherNet/IP 38/48
5.4.1 Filters
For better overview irrelevant frames may be faded out by using filters. Some essential filters are
explained here.
5.4.1.1 DHCP / BootP

Devices can be configured to obtain IP addresses from bootp/dhcp server, in this case the first two
respectively four frames from and to EIP device belong to BootP/DHCP negotiation.
Filter to use: dhcp (old filter: bootp)
Figure 43: DHCP/BootP filter
5.4.1.2 ARP
Once the device has an IP address, it checks if the IP address isn’t allocated to another device on
the bus, using four ARP (who has) frames. If no reply has been received, the device requests with
two Gratuitous ARP frames to resolve its own IP address.
Figure 44: ARP filter
5.4.1.3 ENIP / CIP / CIPCM / CIPIO

With “enip” most EtherNet/IP relevant frames are visible, including cip services and process data.
Figure 45: ENIP filter

EtherNet/IP 39/48
Using “cip“ filter, only CIP (Common Industrial Protocol) services are visible, also including
connection manager messages, process data frames are hidden.
Figure 46: CIP filter
With “cipcm” only connection manager services like Forward Open and Forward Close are visible.
Figure 47: CIPCM filter
For process data only use “cipio”
Figure 48: CIPIO filter
5.4.1.4 DLR
Device Level Ring consist mostly of Beacon and Announce frames which contain the current ring
status.
Figure 49: DLR filter

EtherNet/IP 40/48
The information which devices are present in the ring can be extracted from the Sign_on frame,
use the following filter: “enip.dlr.frametype==Sign_on”. Tracing at both ports of a device the
Sign_On frames differ in the own MAC entry.
Figure 50: Sign_On filter
To see VLAN tags in the frames the ethernet adapter needs proper setup, VLAN filtering has to be
disabled.
Figure 51: Disable VLAN filtering

EtherNet/IP 41/48
Note, not all ethernet adapters are able to pass VLAN tags to the driver, with such adapters
disabling filtering of VLAN has no effect, VLAN tags remain invisible.
To make an EtherNet/IP adapter send VLAN tags, 802.1Q Tag must be enabled by setting
attribute 1 of QoS object to “1” and power cycling of the device.
Figure 52: Enable 802.1Q Tag
Now you are able to see VLAN tag in your wireshark trace.
Figure 53: VLAN tag

EtherNet/IP 42/48
5.4.2 Forward Open Service
To check parameters of the running connection use “cipcm” filter to see Forward Open Service
request, useful information are RPI and connection timeout multiplier, but also connection points of
input and output assemblies.
Figure 54: Forward Open frame
Knowing connection timeout value (4x500ms) makes it possible to retrace the cause, of why
device aborted the communication. In the Figure 55: Connection timeout the last implicit data
frame was sent by adapter (connection target) with IP address 192.168.0.42, this frame is two
seconds after last implicit data frame of the connection originator with IP address 192.168.0.1, the
connection timed out because the connection originator stopped sending data, the trouble causing
device is the connection originator.

EtherNet/IP 43/48
Figure 55: Connection timeout

EtherNet/IP 44/48

Appendix 45/48
6 Appendix
6.1 List of Figures
Figure 1: Network Capture with Port-mirroring switch ......................................................................................................... 7
Figure 2: Network Capture with netANALYZER .................................................................................................................. 8
Figure 3: Official logo of the Wireshark Company ............................................................................................................. 11
Figure 4: Download the Wireshark installer ....................................................................................................................... 13
Figure 5: Setup Wireshark start screen ............................................................................................................................. 14
Figure 6: End-User License Agreement screen ................................................................................................................ 14
Figure 7: Wireshark components screen ........................................................................................................................... 15
Figure 8: Wireshark additional tasks screen...................................................................................................................... 15
Figure 9: Installation path dialog window .......................................................................................................................... 16
Figure 10: Wireshark packet capture window .................................................................................................................... 16
Figure 11: Wireshark USB capture window ....................................................................................................................... 17
Figure 12: Wireshark installing screen .............................................................................................................................. 17
Figure 13: Setup WinPcap start screen ............................................................................................................................. 18
Figure 14: WinPcap License Agreement screen ............................................................................................................... 18
Figure 15: WinPcap Installation options screen ................................................................................................................ 19
Figure 16: WinPcap installing screen ................................................................................................................................ 19
Figure 17: WinPcap Setup completed window .................................................................................................................. 20
Figure 18: First USBPcap License Agreement screen ...................................................................................................... 20
Figure 19: Second USBPcap License Agreement screen ................................................................................................. 21
Figure 20: USBPcap installation options ........................................................................................................................... 21
Figure 21: USBPcap installation folder .............................................................................................................................. 22
Figure 22: USBPcap installing screen ............................................................................................................................... 22
Figure 23: Wireshark installing screen .............................................................................................................................. 23
Figure 24: Installation complete screen ............................................................................................................................. 23
Figure 25: Setup completed window ................................................................................................................................. 24
Figure 26: Wireshark welcome screen .............................................................................................................................. 26
Figure 27: The menu ......................................................................................................................................................... 27
Figure 28: The Wireshark toolbar ...................................................................................................................................... 27
Figure 29: The "Packet List" Pane .................................................................................................................................... 27
Figure 30: The "Packet Details" pane................................................................................................................................ 28
Figure 31: The “Packet Bytes” pane with tabs ................................................................................................................... 29
Figure 32: Network Capture with Port-mirroring switch ..................................................................................................... 30
Figure 33: Network Capture with netANALYZER .............................................................................................................. 31
Figure 34: Network Capture with Port-mirroring switch ..................................................................................................... 32
Figure 35: Run window...................................................................................................................................................... 33
Figure 36: Network Connections screen ........................................................................................................................... 33
Figure 37: Network connection screen with one connection ............................................................................................. 34
Figure 38: Status of the network connection ..................................................................................................................... 34
Figure 39: Properties of the network connection ............................................................................................................... 35
Figure 40: Properties of Internet Protocol version 4 (TCP/IPv4) ....................................................................................... 35
Figure 41: Recording Scenario with netANALYZER Scope between Scanner and Adapter ............................................. 37
Figure 42: Typical Application - The communication between a device and its connection .............................................. 37
Figure 43: DHCP/BootP filter ............................................................................................................................................ 38
Figure 44: ARP filter .......................................................................................................................................................... 38
Figure 45: ENIP filter ......................................................................................................................................................... 38
Figure 46: CIP filter ........................................................................................................................................................... 39
Figure 47: CIPCM filter ...................................................................................................................................................... 39
Figure 48: CIPIO filter........................................................................................................................................................ 39
Figure 49: DLR filter .......................................................................................................................................................... 39
Figure 50: Sign_On filter ................................................................................................................................................... 40
Figure 51: Disable VLAN filtering ...................................................................................................................................... 40
Figure 52: Enable 802.1Q Tag .......................................................................................................................................... 41
Figure 53: VLAN tag .......................................................................................................................................................... 41
Figure 54: Forward Open frame ........................................................................................................................................ 42
Figure 55: Connection timeout .......................................................................................................................................... 43

Appendix 46/48
6.2 List of Tables

Table 1: List of Revisions .................................................................................................................................................... 3
Table 2: Terms, Abbreviations and Definitions .................................................................................................................... 4

Appendix 47/48
6.3 Bibliography
[1] Wireshark. (n.d.). 1.4. A brief history of Wireshark. Retrieved April 25, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html.
[2] 3.3. The Main window. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html.
[3] DCE/RPC - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from
https://wiki.wireshark.org/DCE/RPC.
[4] PROFINET/RT - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from
https://wiki.wireshark.org/PROFINET/RT.
[5] Zhang, L., Streubühr, M., Glaß, M., Teich, J., von Schwerin, A., & Liu, K. (2012). System-Level
Modeling and Simulation of Networked PROFINET IO Controllers. In Proc. of the Embedded
World Conference. Nuremberg, DE: Kissingen, Germany: WEKA Fachzeitschriften Verlag.
[6] AddressResolutionProtocol - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from
https://wiki.wireshark.org/AddressResolutionProtocol.
[7] 3.17. The “Packet List” Pane. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html.
[8] 3.18. The “Packet Details” Pane. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html
[9] 3.19. The “Packet Bytes” Pane. (n.d.). Retrieved April 26, 2019, from
https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html

Appendix 48/48
6.4 Contacts
Headquarters
Germany
Hilscher Gesellschaft für
Systemautomation mbH
Rheinstrasse 15
65795 Hattersheim
Phone: +49 (0) 6190 9907-0
Fax: +49 (0) 6190 9907-50
E-Mail: info@hilscher.com
Support
Phone: +49 (0) 6190 9907-99
E-Mail: de.support@hilscher.com
Subsidiaries
China Japan
Hilscher Systemautomation (Shanghai) Co. Ltd. Hilscher Japan KK
200010 Shanghai Tokyo, 160-0022
Phone: +86 (0) 21-6355-5161 Phone: +81 (0) 3-5362-0521
E-Mail: info@hilscher.cn E-Mail: info@hilscher.jp
Support Support
Phone: +86 (0) 21-6355-5161 Phone: +81 (0) 3-5362-0521
E-Mail: cn.support@hilscher.com E-Mail: jp.support@hilscher.com
France Korea
Hilscher France S.a.r.l. Hilscher Korea Inc.
69500 Bron Suwon, 443-810
Phone: +33 (0) 4 72 37 98 40 Phone: +82-31-204-6190
E-Mail: info@hilscher.fr E-Mail: info@hilscher.kr
Support
Phone: +33 (0) 4 72 37 98 40 Switzerland
E-Mail: fr.support@hilscher.com Hilscher Swiss GmbH
4500 Solothurn
India Phone: +41 (0) 32 623 6633
Hilscher India Pvt. Ltd. E-Mail: info@hilscher.ch
New Delhi - 110 025 Support
Phone: +91 11 40515640 Phone: +49 (0) 6190 9907-99
E-Mail: info@hilscher.in E-Mail: ch.support@hilscher.com
Italy USA
Hilscher Italia srl Hilscher North America, Inc.
20090 Vimodrone (MI) Lisle, IL 60532
Phone: +39 02 25007068 Phone: +1 630-505-5301
E-Mail: info@hilscher.it E-Mail: info@hilscher.us
Support Support
Phone: +39 02 25007068 Phone: +1 630-505-5301
E-Mail: it.support@hilscher.com E-Mail: us.support@hilscher.com


DOC190403AN02EN

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DOC190403AN02EN

Uploaded by

Copyright:

Available Formats

Application Note

Capturing EtherNet/IP with Wireshark

Capturing EtherNet/IP with Wireshark

1.2 List of Revisions

Rev Date Chapter Revisions

Capturing EtherNet/IP with Wireshark

1.3 Terms, Abbreviations and Definitions

Capturing EtherNet/IP with Wireshark

1.4 Legal Notes

1.4.2 Important Notes

Capturing EtherNet/IP with Wireshark

1.4.3 Exclusion of Liability

1.4.4 Export Regulations

1.4.5 Registered Trademarks

Capturing EtherNet/IP with Wireshark

2 Descriptions and Requirements

2.2 Structure for network recording

EtherNet/IP Scanner Hub / Adapter Adapter

Figure 1: Network Capture with Port-mirroring switch

Capturing EtherNet/IP with Wireshark

Ethernet/IP Scanner netANALYZER Slave Slave

Figure 2: Network Capture with netANALYZER

2.3 Network capturing

Capturing EtherNet/IP with Wireshark

Capturing EtherNet/IP with Wireshark

Capturing EtherNet/IP with Wireshark

Figure 3: Official logo of the Wireshark Company

3.3 Technical Details

Capturing EtherNet/IP with Wireshark

4.1.2 Requirements for installing Wireshark

Hardware requirements of development PC

Capturing EtherNet/IP with Wireshark

4.1.3 Where to get Wireshark

4.1.4 Step-by-Step instructions

Download Wireshark on your development PC.

Figure 4: Download the Wireshark installer

Install Wireshark on your development PC.

Capturing EtherNet/IP with Wireshark

The Wireshark setup starts:

Figure 5: Setup Wireshark start screen

 Click Next button.

The End-User License Agreement window opens:

Figure 6: End-User License Agreement screen

 Click I Agree button.

Capturing EtherNet/IP with Wireshark

Figure 7: Wireshark components screen

Figure 8: Wireshark additional tasks screen

Capturing EtherNet/IP with Wireshark

The destination folder dialog opens:

Figure 9: Installation path dialog window

Figure 10: Wireshark packet capture window

Capturing EtherNet/IP with Wireshark

Figure 11: Wireshark USB capture window

The Installing Wireshark window opens:

Figure 12: Wireshark installing screen

Capturing EtherNet/IP with Wireshark

The WinPcap Setup Wizard starts:

Figure 13: Setup WinPcap start screen

 Click Next button.

The WinPcap License Agreement window opens:

Figure 14: WinPcap License Agreement screen

 Click I Agree button.

Capturing EtherNet/IP with Wireshark

Figure 15: WinPcap Installation options screen