Capturing PROFINET with Wireshark

Application Note Capturing PROFINET with Wireshark

Table of Contents

1 Introduction ...... 3 1.1 About this Document ...... 3 1.2 List of Revisions ...... 3 1.3 Terms, Abbreviations and Definitions ...... 4 1.4 Legal Notes ...... 5 1.4.1 Copyright ...... 5 1.4.2 Important Notes ...... 5 1.4.3 Exclusion of Liability ...... 6 1.4.4 Export Regulations ...... 6 1.4.5 Registered Trademarks ...... 6 2 Descriptions and Requirements ...... 7 2.1 Descriptions...... 7 2.2 Structure for network recording ...... 7 2.3 Network capturing ...... 8 3 Wireshark ...... 9 3.1 Introduction ...... 9 3.2 History ...... 9 3.3 Technical Details ...... 10 4 First Steps ...... 11 4.1 Installing the Wireshark software ...... 11 4.1.1 Overview ...... 11 4.1.2 Requirements for installing Wireshark ...... 11 4.1.3 Where to get Wireshark ...... 12 4.1.4 Step-by-Step instructions ...... 12 4.1.5 Update Wireshark ...... 21 4.1.6 Update WinPcap ...... 21 4.1.7 Update Npcap ...... 21 4.1.8 Uninstall Wireshark...... 21 4.1.9 Uninstall WinPcap ...... 21 4.1.10 Uninstall Npcap ...... 21 4.1.11 Uninstall USBPcap ...... 21 4.2 Start Wireshark...... 22 4.3 Welcome Screen ...... 22 4.3.1 Menu ...... 23 4.3.2 Toolbar ...... 23 4.3.3 Wireshark Filter ...... 23 4.3.4 “Packet List” Pane ...... 25 4.3.5 “Packet Details” Pane ...... 26 4.3.6 “Packet Bytes” Pane ...... 27 5 PROFINET ...... 28 5.1 Introduction to PROFINET ...... 28 5.1.1 Conformance Classes ...... 28 5.1.2 RT and IRT in comparison ...... 28 5.2 Hardware structure for a PROFINET data analysis ...... 31 5.3 Capturing and analysing network traffic ...... 33 5.4 Settings for recording with Wireshark ...... 35 5.5 Recording network traffic ...... 39 5.6 How to decode cyclic PROFINET frames? ...... 40 5.6.1 Introduction ...... 40 5.6.2 PROFINET Process Data Telegram Structure ...... 40 5.6.3 Decoding Example ...... 41 6 Appendix ...... 52 6.1 List of Figures ...... 52 6.2 List of Tables ...... 53 6.3 Bibliography...... 54 6.4 Contacts ...... 55

This manual contains installation and network recording instructions for the devices using the Wireshark program. This manual will explain the basics and also some of the features that Wireshark provides. As Wireshark has become a very complex program since the early days, only the basic feature of Wireshark can be explained in this manual. By reading this manual, you will learn how to install Wireshark, how to use the basic elements of the graphical user interface (such as the menu) and what’s behind some of the advanced features that are not always obvious at first sight.

1.2 List of Revisions

Table 1: List of Revisions

Rev Date Chapter Revision 1 22.10.2019 all created

Table 2: Terms, Abbreviations and Definitions

Term Description ASIC application-specific integrated circuit ATM Asynchronous Transfer Mode BSD Berkeley Software Distribution CFI Canonical Format ID FDDI Fiber Distributed Data Interface GNU Unix-like operating system GUI graphical user interface IEEE 802.1q networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network IP Internet Protocol IrDA Infrared Data Association IRT Isochronous real time LAN Local Area Network macOS graphical operating systems mbH mit begrentzter Haftung Npcap Windows version of the libpcap library PCP Priority Code Point PPP Point-to-Point Protocol PTCP Precision Transparent Clock Protocol RAM Random-Access Memory RT Real Time TCI Tag Control Information TCP Transmission Control Protocol TPID Tag Protocol Identifier USB Universal Serial Bus USBPcap open-source USB sniffer for Windows VID Virtual Local Area Network ID (VLAN ID) VLAN Virtual Local Area Network WinPcap open source library for packet capture and network analysis for Windows WLAN Wireless Local Area Network

1.4.1 Copyright

© Hilscher Gesellschaft für Systemautomation mbH All rights reserved. The images, photographs and texts in the accompanying material (user manual, accompanying texts, documentation, etc.) are protected by German and international copyright law as well as international trade and protection provisions. You are not authorized to duplicate these in whole or in part using technical or mechanical methods (printing, photocopying or other methods), to manipulate or transfer using electronic systems without prior written consent. You are not permitted to make changes to copyright notices, markings, trademarks or ownership declarations. The included diagrams do not take the patent situation into account. The company names and product descriptions included in this document may be trademarks or brands of the respective owners and may be trademarked or patented. Any form of further use requires the explicit consent of the respective rights owner.

1.4.2 Important Notes

The user manual, accompanying texts and the documentation were created for the use of the products by qualified experts, however, errors cannot be ruled out. For this reason, no guarantee can be made and neither juristic responsibility for erroneous information nor any liability can be assumed. Descriptions, accompanying texts and documentation included in the user manual do not present a guarantee nor any information about proper use as stipulated in the contract or a warranted feature. It cannot be ruled out that the user manual, the accompanying texts and the documentation do not correspond exactly to the described features, standards or other data of the delivered product. No warranty or guarantee regarding the correctness or accuracy of the information is assumed. We reserve the right to change our products and their specification as well as related user manuals, accompanying texts and documentation at all times and without advance notice, without obligation to report the change. Changes will be included in future manuals and do not constitute any obligations. There is no entitlement to revisions of delivered documents. The manual delivered with the product applies. Hilscher Gesellschaft für Systemautomation mbH is not liable under any circumstances for direct, indirect, incidental or follow-on damage or loss of earnings resulting from the use of the information contained in this publication.

The software was produced and tested with utmost care by Hilscher Gesellschaft für Systemautomation mbH and is made available as is. No warranty can be assumed for the performance and flawlessness of the software for all usage conditions and cases and for the results produced when utilized by the user. Liability for any damages that may result from the use of the hardware or software or related documents, is limited to cases of intent or grossly negligent violation of significant contractual obligations. Indemnity claims for the violation of significant contractual obligations are limited to damages that are foreseeable and typical for this type of contract. It is strictly prohibited to use the software in the following areas:  for military purposes or in weapon systems;  for the design, construction, maintenance or operation of nuclear facilities;  in air traffic control systems, air traffic or air traffic communication systems;  in life support systems;  in systems in which failures in the software could lead to personal injury or injuries leading to death. We inform you that the software was not developed for use in dangerous environments requiring fail-proof control mechanisms. Use of the software in such an environment occurs at your own risk. No liability is assumed for damages or losses due to unauthorized use.

1.4.4 Export Regulations

The delivered product (including the technical data) is subject to export or import laws as well as the associated regulations of different counters, in particular those of Germany and the USA. The software may not be exported to countries where this is prohibited by the United States Export Administration Act and its additional provisions. You are obligated to comply with the regulations at your personal responsibility. We wish to inform you that you may require permission from state authorities to export, re-export or import the product.

1.4.5 Registered Trademarks

Windows® 7, Windows® 8 and Windows® 10 are registered trademarks of Microsoft Corporation. Wireshark® and the "fin" -Logo is a registered trademark of Gerald Combs. Adobe-Acrobat® is a registered trademark of the Adobe Systems Incorporated. EtherCAT® is a registered trademark of Beckhoff Automation GmbH, Verl, Germany, formerly Elektro Beckhoff GmbH. PROFIBUS® und PROFINET® are registered trademarks of PROFIBUS International, Karlsruhe. All other mentioned trademarks are property of their respective legal owners.

This chapter describes the most important steps in short form for a recording with Wireshark. Chapter 4: First Steps explains the steps how to download the Wireshark program. In addition, this chapter describes how to update or uninstall Wireshark in addition to installing. In the following, there is a closer look at the user interface of Wireshark and the most important functions of the user interface are explained. Chapter 5: PROFINET starts into the PROFINET topic and gives an overview and shows with an example of how an analysis of the PROFINET data frames works.

2.2 Structure for network recording

In the following you will find two possibilities to build the hardware to capture a Wireshark trace. If no netANALYZER is available, the structure should be as follows:

PROFINET Device PROFINET Device PROFINET Controller

PROFINET IRT Switch with Port mirroring

PC with Wireshark Figure 1: Network Capture with Port-mirroring switch

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 Descriptions and Requirements 8/55 Further information on why port mirroring is used can be found in chapter 5.2: Hardware structure for a PROFINET data analysis. For a recording with the netANALYZER, which captures all frames in contrast to the IRT switch, the structure is:

PC with Wireshark

PROFINET Device PROFINET Device netANALYZER PROFINET Controller

Figure 2: Network Capture with netANALYZER

Further information how the netANALYZER is used can be found in chapter 5.2: Hardware structure for a PROFINET data analysis.

2.3 Network capturing

Start the Wireshark capturing, after the preparation for a data analysis with Wireshark has been made. In the following, you will find the steps to capture a trace in a short form:  Switch off PROFINET Controller/Device  Click on the button  Switch on Controller/Device  Wait until Controller/Device has booted up and exchanged data  Stop capturing with the button  Save capture with the button

For more detailed explanations, see chapter 5.5: Recording network traffic.

Wireshark (“wire” and “shark”) is a free and open source packet analyser. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark issues. Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

3.2 History

In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn more about networking so he started writing Ethereal (the original name of the Wireshark project) as a way to solve both problems. Ethereal was initially released after several pauses in development in July 1998 as version 0.2.0. Within day’s patches, bug reports, and words of encouragement started arriving and Ethereal was on its way to success. Not long, after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it. In October, 1998 Guy Harris was looking for something better than tcpview so he started applying patches and contributing dissectors to Ethereal. In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses and started looking at it to see if it supported the protocols he needed. While it did not at that point new protocols could be easily added. Therefore, he started contributing dissectors and contributing patches. The list of people who have contributed to the project has become very long since then, and almost all of them started with a protocol that they needed that Wireshark or did not already handle. Therefore, they copied an existing dissector and contributed the code back to the team. When Gerald Combs switched from Ethereal Software Inc. to CACE Technologies, he launched his own follow-up project and named it in 2006 Wireshark. In 2006, the project moved house and re-emerged under a new name: Wireshark. The first version of Wireshark was released on June 7, 2006 with the version number 0.99.1. The precursor, Ethereal, is still available in version 0.99.0, but is no longer being developed. In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was the first deemed complete, with the minimum features implemented. Its release coincided with the first Wireshark Developer and User Conference, called Sharkfest. Wireshark version 2.0 was released on November 19, 2015. The whole program was switched to Qt and provided with a new, more intuitive interface. [1] On February 28, 2019 Wireshark has been released in version 3.0. Wireshark 3.0 has now an IP map in a modernized representation. Wireshark can also be created with reproducible builds. In

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 Wireshark 10/55 addition, the Qt version has been updated compared to the last final Wireshark version. The Windows version installs now Npcap instead of WinPcap.

Figure 3: Official logo of the Wireshark Company

3.3 Technical Details

The Wireshark tool either displays the data in the form of individual packets during or after the recording of data traffic from a network interface. The data is processed in a clearly arranged manner with filters adapted to the respective protocols. Wireshark can also create statistics on the data flow or use special filters to selectively extract binary content. Network interfaces whose traffic can be analysed are primarily Ethernet with the various Internet protocol families such as TCP/IP. In addition, Wireshark can also record and analyse wireless traffic in the Wireless Local Area Network (WLAN) and Bluetooth connections. Using appropriate modules, further common interfaces such as USB can be integrated into Wireshark. On Microsoft Windows, Wireshark records traffic transparently using WinPcap. The prerequisite for this is always that the respective computer on which Wireshark is operated has the corresponding physical interfaces and the user has corresponding access authorizations for these interfaces. In addition to the graphical Wireshark version, there is the TShark, which is based on the same network code and is controlled by command line options. For both versions, the recording format of the measured data was taken from tcpdump. Nevertheless, Wireshark can additionally import the formats of other LAN analysers.

4.1.1 Overview

This section describes how to install the Wireshark software on your development PC.

4.1.2 Requirements for installing Wireshark

General requirements  Operating system: Windows® 10, Windows® 8/8.1, Windows® 7, Windows® Vista, Windows® Server 2016, Windows® Server 2012 R2, Windows® Server 2012, Windows® Server 2008 R2 or Windows® Server 2008  Access to the internet is required for downloading “third-party” development tools like e.g. WinPcap and USBPcap.

If applicable:  Uninstall previous versions of Wireshark from your development PC

Hardware requirements of development PC  Processor: Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.  RAM: 400 Mbyte min., larger capture files require more RAM.  Free hard disk space: 300 MByte min., Capture files require additional disk space.  Graphic resolution: 1024 x 768 pixels (1280 × 1024 or higher recommended) resolution with at least 16-bit colour. 8-bit colour should work but user experience will be degraded. Power users will find multiple monitors useful.  Network card: A supported network card for capturing o Ethernet. Any card supported by Windows should work. o 802.11. Capturing raw 802.11 information may be difficult without special equipment. o other media. These are ATM, Bluetooth, CiscoHDL, Ethernet, FDDI, FrameRelay, IrDA, Loopback, ppp, TokenRing, USB, VLAN and WLAN. Older versions of Windows, which are outside Microsoft’s extended lifecycle support window, are no longer supported. It is often difficult or impossible to support these systems due to circumstances beyond the control of Wireshark, such as third party libraries on which Wireshark depend or due to necessary features that are only present in newer versions of Windows (such as hardened security or memory management).

You can get the latest copy of the program from the Wireshark website at https://www.wireshark.org/download.html. The download page should automatically highlight the appropriate download for your platform and direct you to the nearest mirror. The Wireshark Foundation signs official Windows and macOS installers. A new Wireshark version typically becomes available each month or two.

4.1.4 Step-by-Step instructions

Windows Installer names contain the platform and the version. For example, Wireshark-win64- 2.6.7.exe installs Wireshark version 2.6.7 for 64-bit Windows. The Wireshark installer includes the WinPcap tool, which is required for packet capture, up to V2.9.0. Since V3.0.0 the program Npcap is used instead of WinPcap. Simply download the Wireshark installer from https://www.wireshark.org/download.html and execute it. The Wireshark Foundation signs official packages. You can choose to install several optional components and select the location of the installed package. The default settings are recommended for most users.

Download Wireshark on your development PC.

Figure 4: Download the Wireshark installer

Install Wireshark on your development PC.  Double-click the Wireshark installer Wireshark-winXX-X.X.X.exe file.

The Wireshark setup starts:

Figure 5: Setup Wireshark start screen

 Click Next button.

The End-User License Agreement window opens:

Figure 6: End-User License Agreement screen

 Click I Agree button.

Figure 7: Wireshark components screen

 Click or unclick in front of the components you want to install, then click Next button.

Figure 8: Wireshark additional tasks screen

 Click or unclick in front of the additional tasks you want to set, then click Next button.

The destination folder dialog opens:

Figure 9: Installation path dialog window

 Accept the default path or click the Browse button to choose a different target directory for your Wireshark installation, then click Next button.

Figure 10: Wireshark packet capture window

 Wireshark requires either Npcap or WinPcap to capture live network data. Use Add/Remove Programs first to uninstall any undetected old WinPcap- and Npcap versions, then Check the box in front Install Npcap, then click Next button.  If a recording is to be carried out with netANALYZER, the checkbox in front of Install Npcap must be deactivated. Then select Next button.

Figure 11: Wireshark USB capture window

 Wireshark requires either Npcap or WinPcap to capture live network data. USBPcap is not needed for a Wirehsark recording with Ethernet and therefore does not have to be installed. Then uncheck the box before Install USBPcap. Then select Next button.

The Installing Wireshark window opens:

Figure 12: Wireshark installing screen

The Npcap License Agreement window opens:

Figure 13: Npcap License Agreement screen

 Click Next button.

Figure 14: Npcap installing screen

 Check the box next to Support loopback traffic ("Npcap Loopback Adapter" will be created) and then select the Install button.

Figure 15: Npcap installing screen

After successful Npcap installation, the Completed Npcap Setup Wizard message appears:

Figure 16: Npcap Setup completed window

 Click Finish button.

Figure 17: Npcap Setup completed window (repeated)

You have Npcap installed on your PC.

The Installing Wireshark window opens:

Figure 18: Wireshark installing screen

Wireshark is being installed on your development PC.

Figure 19: Installation complete screen

After successful Wireshark installation, the Completing Wireshark Setup message appears:

Figure 20: Setup completed window

 Click Finish button.

You have installed Wireshark on your PC. You now need to reboot the development PC to complete the installation.

By default, the official Windows package will check for new versions and notify you when they are available. New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is done the same way as installing it. Simply download and start the installer exe. A reboot is usually not required and all your personal settings remain unchanged.

4.1.6 Update WinPcap

New versions of WinPcap are no longer available. For instructions and more information about WinPcap, visit the WinPcap Web site at https://www.winpcap.org.

4.1.7 Update Npcap

New versions of Npcap are less frequently available. You will find Npcap update instructions the Npcap web site at https://nmap.org/npcap. You may have to reboot your machine after installing a new Npcap version.

4.1.8 Uninstall Wireshark

You can uninstall Wireshark using the Programs and Features control panel. Select the “Wireshark” entry to start the uninstallation procedure. The Wireshark uninstaller provides several options for removal. The default is to remove the core components but keep your personal settings, USBPcap and WinPcap. USBPcap and WinPcap are left installed by default in case other programs need it.

4.1.9 Uninstall WinPcap

You can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Programs and Features control panel. Remember that if you uninstall WinPcap, the Npcap program must be installed, otherwise you won’t be able to capture anything with Wireshark.

4.1.10 Uninstall Npcap

Npcap can be uninstalled independently of Wireshark with the Npcap entry in the Programs and Features Control Panel. It should be noted, that when uninstalling Npcap, the program WinPcap must be installed in order to ensure recording with Wireshark.

4.1.11 Uninstall USBPcap

USBPcap can be uninstalled independently of Wireshark with the USBPcap entry in the Programs and Features Control Panel. It should be noted, that when USBPcap is uninstalled, USB Traffic with Wireshark cannot be captured. This is not required for the application of Wireshark network recording with Ethernet.

In the following chapters, some screenshots from Wireshark will be shown. As Wireshark runs on many different platforms with many different window managers, different styles applied and there are different versions of the underlying GUI toolkit used, your screen might look different from the provided screenshots. But as there are no real differences in functionality these screenshots should still be well understandable.

4.3 Welcome Screen

After starting Wireshark, the following window opens:

Figure 21: Wireshark welcome screen

The main window shows Wireshark as you would usually see it after some packets are captured or loaded (how to do this will be described later). Wireshark’s main window consists of parts that are commonly known from many other GUI programs. 1. The menu (see 4.3.1: Menu) is used to start actions. 2. The main toolbar (see 4.3.2: Toolbar) provides quick access to frequently used items from the menu. 3. The filter toolbar (see 4.3.3: Wireshark Filter) provides a way to directly manipulate the currently used display filter. 4. The packet list pane (see 4.3.4: “Packet List” Pane) displays a summary of each packet captured. By clicking on packets in this pane you control what is displayed in the other two panes. 5. The packet details pane (see 4.3.5: “Packet Details” Pane) displays the packet selected in the packet list pane in more detail.

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 First Steps 23/55 6. The packet bytes pane (see 4.3.6: “Packet Bytes” Pane) displays the data from the packet selected in the packet list pane, and highlights the field selected in the packet details pane. 7. The status bar shows some detailed information about the current program state and the captured data. [2]

4.3.1 Menu

Wireshark’s main menu is located in Windows at the top of the main window. An example is shown in Figure 22: The menu.

NOTE: Some menu items will be disabled (greyed out) if the corresponding feature isn’t available. For example, you cannot save a capture file if you haven’t captured or loaded any packets.

Figure 22: The menu

4.3.2 Toolbar

The main toolbar provides quick access to frequently used items from the menu. This toolbar cannot be customized by the user, but it can be hidden using the View menu if the space on the screen is needed to show more packet data. Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu items. For example, in the image below shows the main window toolbar after a file has been opened. Various file-related buttons are enabled, but the stop capture button is disabled because a capture is not in progress.

Figure 23: The Wireshark toolbar

4.3.3 Wireshark Filter

4.3.3.1 Distributed Computing Environment/Remote Procedure Call (DCE/RPC)

If you want to show only the DCE/RPC based traffic (both connection oriented and connectionless) use following filter: dcerpc

DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol.

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 First Steps 24/55 A DCE/RPC server's endpoint mapper (EPMAP) will listen for incoming calls. A client will call this endpoint mapper and ask for a specific interface, which will be accessed on a different connection. After that, the client can request calls to the server. Because of that, you cannot simply capture from a specific TCP port to see all traffic, as there are more connections used.

DCE/RPC can run atop a number of protocols, including:  TCP: Typically, connection oriented DCE/RPC uses TCP as its transport protocol. The well-known TCP port for DCE/RPC EPMAP is 135. This transport is called ncacn_ip_tcp.  UDP: Typically, connectionless DCE/RPC uses UDP as its transport protocol. The well- known UDP port for DCE/RPC EPMAP is 135. This transport is called ncadg_ip_udp.  SMB: Connection oriented DCE/RPC can also use authenticated named pipes on top of SMB as its transport protocol. This transport is called ncacn_np.  SMB2: Connection oriented DCE/RPC can also use authenticated named pipes on top of SMB2 as its transport protocol. This transport is called ncacn_np. [3]

4.3.3.2 PROFINET Real-Time Protocol (PN-RT)

If you want to show only the communications using PN-RT bypass the standard TCP/IP interface use following filter: pn_rt

PROFINET RT is one of the protocols of the PROFINET family. It used for real time cyclic data transfer with Industrial Programmable Logic Controllers. Communications using PN-RT bypass the standard TCP/IP interface provided by PROFINET to provide high-speed communications of up to 12 MBaud. Specifically it was designed for time critical discrete input/output and message transfer. [4]

4.3.3.3 PROFINET Precision Time Control Protocol (PN-PTCP)

The Precision Time Control Protocol (PTCP) is a protocol definition within the PROFINET context. It is a link layer based protocol to synchronize clock/time signals over several PLCs. If you want to show only the PTCP communications, use following filter: pn_ptcp

PROFINET IO defines the PTCP to share the time reference among IO-Controllers. According to PTCP, the clocks in IO-Controllers are organized in a master-slave synchronization hierarchy with a grandmaster clock at top that determines the reference time for the complete system. The synchronization is accomplished by exchanging PTCP timing messages between slaves and their master. Slave clocks use the timing information to adjust their clocks, i.e., keep synchronized with their timing masters. [5]

4.3.3.4 PROFINET Discovery and basic Configuration Protocol (PN-DCP)

The Discovery and Basic Configuration Protocol DCP is a protocol definition within the PROFINET context. It is a Data Link Layer based protocol to configure station names and IP addresses. It is restricted to one subnet and mainly used in small and medium applications without an installed DHCP server. To show only the ARP packets, use following filter: pn_dcp

You cannot directly filter PN-DCP protocols while capturing. [6]

4.3.3.5 Link Layer Discovery Protocol (LLDP)

The Link Layer Discovery Protocol (LLDP) is a vendor neutral layer 2 protocol that can be used by a station attached to a specific LAN segment to advertise its identity and capabilities and to receive it from a physically adjacent layer 2 peer. To display only the LLDP based traffic use: lldp

The transmission of the Link Layer Discovery Protocol (LLDP) is a one-way transmission in multicast. A receipt will not be sent. This takes place in an interval of 30 seconds or another specified distance. Shipping and receipt are independent. [7]

4.3.3.6 Address Resolution Protocol (ARP)

You will often see ARP packets at the beginning of a conversation, as ARP is the way these addresses are discovered. To show only the ARP packets, use following filter: arp

The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3 (protocol) and a layer 2 (hardware) address. A typical use is the mapping of an IP address (e.g. 192.168.0.10) to the underlying Ethernet address (e.g. 01:02:03:04:05:06). In the common case, this table is for mapping Ethernet to IP addresses. This database is called the ARP Table. Dynamic entries in this table are often cached with a timeout of up to 15 minutes, which means that once a host has ARP for an IP address it will remember this for the next 15 minutes before it gets time to ARP for that address again. [8]

4.3.4 “Packet List” Pane

The packet list pane displays all the packets in the current capture file.

Figure 24: The "Packet List" Pane

Each line in the packet list corresponds to one packet in the capture file. If you select a line in this pane, more details will be displayed in 4.3.5 “Packet Details” Pane and 4.3.6 “Packet Bytes” Pane. While dissecting a packet, Wireshark will place information from the protocol dissectors into the columns. As higher level protocols might overwrite information from lower levels, you will typically see the information from the highest possible level only. There are a lot of different columns available. The default columns will show:  [ No. ] The number of the packet in the capture file. This number won’t change, even if a display filter is used.  [ Time ] The timestamp of the packet. The presentation format of this timestamp can be changed.  [ Source ] The address where this packet is coming from.  [ Destination ] The address where this packet is going to.  [ Protocol ] The protocol name in a short (perhaps abbreviated) version.  [ Length ] The length of each packet.  [ Info ] Additional information about the packet content. [9]

4.3.5 “Packet Details” Pane

The packet details pane shows the current packet (selected in Figure 25: The "Packet Details" pane) in a more detailed form.

Figure 25: The "Packet Details" pane

This pane shows the protocols and protocol fields of the packet selected in 4.3.4: “Packet List” Pane. The protocols and fields of the packet shown in a tree, which can be expanded and collapsed. [10] Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 First Steps 27/55 4.3.6 “Packet Bytes” Pane

The “Packet Bytes” pane shows a hex dump of the packet data. Each line contains the data offset, sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a period (“.”). Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark has reassembled some packets into a single chunk of data. In this case you can see each data source by clicking its corresponding tab at the bottom of the pane.

Figure 26: The “Packet Bytes” pane with tabs

Additional pages typically contain data reassembled from multiple packets or decrypted data. The context menu (right mouse click) of the tab labels will show a list of all available pages. This can be helpful if the size in the pane is too small for all the tab labels. [11]

5.1.1 Conformance Classes

The range of functions of PROFINET IO is divided into well-organized “conformance classes” (“CC” for short). These conformance classes provide a practical summary of the various minimum properties. Optional functions in PROFINET extend the conformance classes to include user functionalities such as fast start-up (FSU), media redundancy (MRP), multiple access (Shared Device), and many more. There are three consecutive conformance classes that are geared to typical applications.

5.1.2 RT and IRT in comparison

PROFINET distinguishes between four Real-Time classes with differences regarding the performance: RT_Class_1: Real-Time (RT)  Devices limited to one network (no routing)  Using standard components (common hardware)  Typical cycle time of 1-32 ms  Suited for remote IO for PLCs (similar to PROFIBUS-DP)

RT_Class_2: not used anymore (IRT flexible)  Hardware support via Switch-ASIC  Deterministic cycle time and reduced jitter  Typical cycle of < 1ms and Jitter < 1µs

RT_Class_3: Isochronous Real-Time (IRT)  Planned communication traffic (time-table needed)  Also synchronized applications  Suited for motion control applications

RT_Class_UDP: unsynchronized (UDP)  Build on top of UDP to get full routing functionality  Typical cycle time of 100 ms  Suited for remote control applications  No implementation available at this time

Figure 27: Communication with RT and IRT

RT covers time requirements that correspond to those of today's fieldbuses. In contrast, IRT is suitable for meeting requirements that are today only with special bus systems or even not feasible. The differences in realization are shown in Figure 27: Communication with RT and IRT. While the RT real-time variant is based on standard Ethernet cards, the IRT version uses a special hardware component as an Ethernet controller that contains a switch. This block also supports RT communication. Both variants are divided into two parts:  Communication in a non-real-time channel (supports the TCP/IP protocol)  Communication in a real-time capable channel (works without the protocol TCP/IP) The prerequisite for using the RT real-time variant is a collision-free Ethernet structure that uses only switches. To ensure that the switches do not delay the real-time data unnecessarily, the solution uses IEEE 802.1q prioritization mechanisms. Real-time data for RT is given priority level 7, while other data, which also have high temporal requirements, use level 5 and 6. Highest real-time requirements with a jitter of 1 μs cannot be realized with the use of conventional Ethernet components. PROFINET solves such requirements with IRT, which can be implemented with special hardware devices (ASICs), such as the netX works. These ASICs not only contain an Ethernet controller, but also have the full functionality of a switch. On the one hand, the user saves the usual separate switches, and this variant also enables the formation of line structures, which are required in automation for cost-effective cabling.

The main differences between RT and IRT:

Table 3: Comparison between RT and IRT

Attribute RT IRT Transmission Prioritization of RT telegrams by Reservation of the transmission Ethernet prio (VLAN tag) bandwidth by reserving a time range in which only IRT communication takes place and e.g. no TCP/IP frames are transmitted. Determinism Variance of the transmission time Guaranteed transmission of the by sharing the transmission IRT telegrams in the current cycle bandwidth with other protocols (e.g. by reserved transmission TCP/IP) bandwidth Special hardware not necessary required

Some Ethernet switches (usually called "managed switches") have a monitor mode. This monitor mode can dedicate a port to connect your Wireshark capturing device. Using the switch management, you can select both the monitoring port and assign a specific port you wish to monitor. Actual procedures vary between switch models. You may need to use a terminal emulator, specialized SNMP client software or a Web browser. Caution: the monitoring port must be at least as fast as the monitored port, or you could certainly lose packets. Note that some switches might not support monitoring all traffic passing through the switch, only traffic on a particular port. On those switches, you might not be able to capture all traffic on the network, only traffic sent to or from some particular machine on the switch. If there is no netANALYZER, there are two ways to record a Wireshark trace. For this purpose, it must first be considered whether PROFINET IRT or RT should be recorded. The differences between IRT and RT were explained in detail in the previous chapter 5.1.2: RT and IRT in comparison. The structure without netANALYZER can be done as follows:

PROFINET Device PROFINET Device PROFINET Controller

Managed Switch with Port Mirroring

PC with Wireshark Figure 28: Network Capture with Port-mirroring switch

To record PROFINET IRT, an IRT switch must be used. With this mode, it is no longer sufficient to use a low priced managed switch with port mirroring. An IRT switch is needed to handle the IRT frames. The structure looks like this:

Slave Slave PROFINET Controller

PROFINET IRT Switch with Port mirroring

PC with Wireshark Figure 29: Network Capture with IRT switch

Port Mirroring is used on a network switch to send a copy of network packets displayed on one switch port (or an entire VLAN) to a network monitor connection on another switch port. We use port mirroring to analyze problems with a device or network load or to diagnose faults. It can be used to mirror inbound or outbound traffic (or both) on one or more interfaces.

PC with Wireshark

PROFINET Device PROFINET Device netANALYZER PROFINET Controller

Figure 30: Network Capture with netANALYZER

With netANALYZER, you can record PROFINET process data and important communication events of individual devices simply and without the need for parameterization. Connect the netANALYZER to the PROFINET network and record the connection between controller and devices with Wireshark or the included netANALYZER Scope software.

5.3 Capturing and analysing network traffic

You can use the netANALYZER cards and portable devices to record the timing, the network load and the functions of individual systems or system components bus systems, which conform to the PROFINET specification. The netANALYZER devices analyse the data traffic in the communication and protocols the arriving frames.

This is schematically illustrated in the figure below:

PROFINET Device PROFINET Device netANALYZER PROFINET Controller

Figure 31: Recording Scenario with netANALYZER Scope between Master and Slaves

Cabling can be done as follows:

Figure 32: Typical Application - The communication between a device and its connection

For devices with two Ethernet channels the analyser card NANL-C500-RE and the analyser device NANL-B500G-RE capture the Ethernet frames and adds the time stamps to them. Therefore, the netANALYZER device must be connected from any TAP to the Ethernet device connections via two patch cables. Since Wireshark 3.0, WinPcap has changed the default packet capture library to Npcap. Unfortunately, Npcap currently does not support direct capture of netANALYZER devices. Since newer versions of Wireshark can use the WinPcap library for capture, it is still possible to use the netANALYZER directly from Wireshark. Avoid installing Npcap simply while installing Wireshark by disabling "Install Npcap X.XX-rX" (see Chapter 4.1.4: Step-by-Step instructions). Retain the existing WinPcap installation from the netANALYZER Scope installation. Alternatively, you can download them later from the manufacturer's website. If Wireshark live recordings are desired, the WinPcap driver for netANALYZER must be installed. The drivers and all required software can be found in the netANALYZER product DVD. It describes the installation and the procedure with a netANALYZER.

In order to ensure that the most important Ethernet telegrams are recorded, all the TCP/IP protocols of unused Ethernet interfaces must be deactivated during the Ethernet measurement with Wireshark.

Press the keyboard shortcut [Windows - R] to display the Run window. The Run window starts:

Figure 33: Run window

 Enter the command ncpa.cpl  Click OK button.

This command opens the network connections on your Windows PC. All network connections opens.

Figure 34: Network Connections screen

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 PROFINET 36/55 In this example, a connection to Ethernet 2 is to be established. Depending on the network connections, this connection is different and includes a different network card.

 In the Network Connections window, click on the desired connection, which should not establish communication with Wireshark.  Then select Disable this network device.

NOTE: Please note that the PC no longer has access to the Intranet or Internet after disabling the network connection. Therefore, make sure that all-important connections to the intranet or Internet were previously disconnected beforehand.

 Disable all unused connections until only one connection remains.

Figure 35: Network connection screen with one connection

DHCP must not be activated in the TCP/IP protocol properties, as otherwise Ethernet telegrams will also be sent sporadically via the same interface. For this purpose, DHCP is deactivated in the Internet protocol by assigning a fixed IP address.

 Double-click on the desired connection in the Network Connections window. The window Ethernet status opens.

Figure 36: Status of the network connection

 Click the button Properties in the bottom left of the Status window.  The window Properties opens.

Figure 37: Properties of the network connection

 After selecting Internet Protocol version 4 (TCP/IPv4), click the Properties button.

Figure 38: Properties of Internet Protocol version 4 (TCP/IPv4)

After the preparation for the data analysis with Wireshark has been made, the capturing starts. For this it is advantageous if unnecessary packages will not captured. To avoid errors in the configuration of the device, the trace is started when the device is started. For this purpose, the device to be recorded is turned off first, if possible. Then the program Wireshark is started. It opens the program and offers depending on the PC a different number of recording options. Therefore, the network card to be recorded must be checked and selected by clicking on the respective card. With the click on the button the network traffic is recorded. Afterwards, the device should be turned on while the network recording is still running and recording the device boot-up. The recording can be stopped in the toolbar with the symbol . To save the recording, click on "File" in the upper left corner and then on "Save as ...“. Use the key combination Ctrl + S or click on the symbol . Then enter a name and the location and confirm it.

5.6.1 Introduction

The following chapter describes the structure of the cyclic PROFINET Process Data Exchange Telegrams. These telegrams are exchanged between a PROFINET IO-Device and PROFINET IO- Controller to transfer the cyclic process data. These frames can be easily recorded in a proper setup with the common tool Wireshark. A common mistake is to rely on Wireshark’s decoding capability of these telegrams, as the Wireshark displays some information from these telegrams. Unfortunately, old versions of Wireshark do not support proper decoding at all and newer version require a proper network recording to show the correct values. Starting from version V2.x.x the correct values are displayed. The following description shall provide a short introduction on manual decoding of these telegrams.

5.6.2 PROFINET Process Data Telegram Structure

The general structure of a cyclic PROFINET process data telegram is shown in the following image:

Figure 39: PROFINET process data telegram structure

The structure is based on a Layer-2 Ethernet Frame using VLAN Priority Tagging. While the VLAN field is sent by every PROFINET IO-Device and IO-Controller it might be removed by intermediate Network Switches. This must be considered when analysing the telegram. The C_SDU field contains the data to be transferred. As the minimum size of an Ethernet Frame with VLAN is 64 Bytes, the C_SDU field is padded if its length is smaller than 40 bytes. The APDU Status field contains the Cycle Counter and additional status bytes.

The C_SDU is composed of data items of two kinds:  IO Data Object  IOCS Object

Each data item is linked to a particular submodule. The IO Data Object consists of the process data and the associated IOPS of the submodule. The IOCS Object contains just the IOCS of the submodule. A C_SDU typically consists of several objects. The actual position of the process data within the C_SDU is parameterized in RPC Connect Request at connection startup. Between two adjacent items additional padding might be inserted. The structure of the data items is illustrated in the following image. The length of the IOPS and IOCS is usually one byte.

Figure 40: PROFINET process data item

5.6.3 Decoding Example

Figure 41: decoding example in Wireshark

0000 00 02 a2 21 90 9a 00 02 a2 24 2e 42 81 00 c0 00 DestAddr SrcAddr SrcAddr VLAN VLAN TPID TCI 0010 88 92 80 00 00 00 00 00 00 00 00 00 00 00 00 00 EtherType FrameID Data Data 0020 00 00 8f ff 80 80 80 80 80 80 00 00 00 00 00 00 Data Data 0030 00 00 00 00 00 00 00 00 00 00 00 00 2c 00 35 00 Data Data Cycle DataStatus / Counter Transferstatus Figure 42: Structure of a PROFINET frame

Table 4: PROFINET Frame

Name Description DestAddr MAC destination address SrcAddr MAC source address VLAN TPID Tag Protocol Identifier (TPID): indicates the tag in the VLAN, always 0x8100 VLAN TCI Tag Control Information (TCI): contains the VLAN information The TCI is divided into the following sections:  Priority Code Point (PCP): Value between 0 and 7, indicates the priority of the telegram  Canonical Format ID (CFI): specifies the format of the information  VLAN ID (VID): indicates the number of the VLAN and defines the membership of a VLAN EtherType 0x8892  RT, IRT or time synchronization telegram 0x0806  VLAN tag FrameID Contains the FrameID exchanged in the Connect (see Table 5: Frame-IDs) Data Contains the following data:  Input-Data: IO-Device  IO-Controller  Output-Data: IO-Device  IO-Controller Cycle Contains the number of cycles. Each cycle is 31.25 μs. Data Status Bit0 (State):  1 = Primary, indicates the current transmission channel Bit2 (DataValid):  1 = data is valid  0 = data is not valid, status only allowed during startup Bit4 (ProcessState)  1 = process, from which the data comes, is running Bit5 (ProblemIndicator)  1 = no problems  0 = problems exist TransferStatus Value must always be 0

Table 5: Frame-IDs

Value Meaning 0000 – 00FF Time synchronization acyclic 0080 – 00FF Time synchronization acyclic 0100 – 7FFF RT class 3 frames cyclic (IRT) 8000 – BEFF RT class 2 frames cyclic unicast BF00 – BFFF RT class 2 frames cyclic multicast C000 – FAFF RT class 1 frames cyclic unicast FB00 – FBFF RT class 1 frames cyclic multicast FC00 – FCFF Acyclic data transfer high FC01 PROFINET IO alarm high FC02 PROFINET IO event high FE00 – FEFF Acyclic data transfer low FE01 PROFINET IO alarm low FE02 PROFINET IO event low

Table 6: Time synchronization with IRT: Precision Transparent Clock Protocol (PTCP)

Value Meaning 0000 – 001F Acyclic RT sync telegram 0080 Cyclic RT sync telegram FF00 Acyclic RT sync telegram (clock) FF01 Acyclic RT sync telegram (time) FF20 Acyclic RT FollowUp telegram (clock) FF21 Acyclic RT FollowUp telegram (time) FF22 – FF3F Acyclic RT FollowUp telegram FF40 Acyclic RT DelayReq telegram FF41 Acyclic RT DelayResp telegram FF42 Acyclic RT FollowUpResp telegram

The following chapters describes the complete process of the process data telegram using an example. The decoded frame is an input IOCR.

5.6.3.1 Extract Structure Information

The first step is to analyse the RPC Connect Service for the required structure information. This can be done easily with the help of Wireshark. The following image shows the RPC Connect Request and its parts required for decoding an Input IOCR telegram. The Input IOCR description itself is marked in Red. It contains the Frame Id and the offsets of the data items within the C_SDU. The lengths of the associated process data can be extracted from the Expected Submodule Requests marked in Orange.

Figure 43: Reading the structure information of Wireshark

Decoding starts by creating a table containing all the offsets of the data items. That information is to be extracted from the IOCR Block Request. In this case we're interested in the Input IOCR. The assigned Frame Id is 0x8000. For Output IOCRs the FrameID must be extracted from the RPC connect Response Frame, as the Output IOCR FrameId is assigned by the device.

The following image shows the IOCR Block Request of the desired Input IOCR:

Figure 44: Reading the slots/subslots of Wireshark

From that information, we create the following table:

Table 7: Table of all offsets

C SDU Length of Length of Kind API Slot Subslot Offset Data Item

0 IO Data 0 0x0000 0x0001

1 IO Data 0 0x0000 0x8000 2 IO Data 0 0x0000 0x8001

3 IO Data 0 0x0000 0x8002

4 IOCS 0 0x0001 0x0001 5 IO Data 0 0x0002 0x0001 -

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 PROFINET 46/55 Now all offsets are known. Next step is to extract the sizes of the items. These lengths can be extracted from the submodules which are described in the Expected Submodule Blocks. The first Expected Submodule Block is shown in the following image:

Figure 45: Reading the data length of the subslots

From that information we can get the lengths of the data items for API 0 and Slot 0. Import point here is to examine the correct Data Description element. Each submodule can be assigned one Input- and one Output-Data Description. For the Input IOCR the Input Data Descriptions are relevant for IO Data Items and the Output Data Descriptions are relevant for the IOCS items. Vice Versa for Output IOCR. In the example all of the submodules of the first Expected Submodule Block have zero length input data, one byte IOPS and one byte IOCS (IOPS/IOCS length is usually one byte).

Table 8: Table of all offsets (continuation)

C SDU Length of Length of Kind API Slot Subslot Offset Data Item

0 IO Data 0 0x0000 0x0001 0 0 + 1

1 IO Data 0 0x0000 0x8000 0 0 + 1 2 IO Data 0 0x0000 0x8001 0 0 + 1

3 IO Data 0 0x0000 0x8002 0 0 + 1

4 IOCS 0 0x0001 0x0001 5 IO Data 0 0x0002 0x0001 -

We complete the table using the information from the remaining Expected Submodule Blocks:

Figure 46: Reading the data length of the submodule slots

C SDU Length of Length of Kind API Slot Subslot Offset Data Item

0 IO Data 0 0x0000 0x0001 0 0 + 1

1 IO Data 0 0x0000 0x8000 0 0 + 1

2 IO Data 0 0x0000 0x8001 0 0 + 1 3 IO Data 0 0x0000 0x8002 0 0 + 1

4 IOCS 0 0x0001 0x0001 1 1 + 1

5 IO Data 0 0x0002 0x0001 - 1

The table contains several IO Data objects with zero data length. These IO Data objects are the result of the fact that in PROFINET a submodule without any process data is regarded as an Input Submodule with zero length process data.

5.6.3.2 Decoding of Process Data Telegram

The last step is to decode the process data telegram using the table created above. The following image shows a particular telegram of the Input IOCR. For the correct selection not only the Frame Id shall be taken into account but also the Telegram's Source Mac Address, because the same Frame Id might be used by different devices in RT mode. In the following image the frame #44 has been selected for analysis.

Figure 47: Decoding the data telegram of Wireshark

The blue marked part is the C SDU (and padding) containing the actual process data. Based on our table the following values can be extracted:

Table 10: Added Data and Status to the Table of all offsets

C SDU Length Length Data Status Kind API Slot Subslot Offset of Data of Item (IOPS/IOCS)

0 IO Data 0 0x0001 0x0000 16 16 + 1 0x00 0x00 0x00 0x00 0x80 0x00 0x00 0x00 0x00 0x10 0x01 0x00 0x00 0x00 0x00 0x8f 0xff 17 IO Data 0 0x0000 0x0000 0 0 + 1 - 0x80

18 IO Data 0 0x0000 0x8000 0 0 + 1 - 0x80

19 IO Data 0 0x0000 0x8001 0 0 + 1 - 0x80

20 IO Data 0 0x0000 0x8002 0 0 + 1 - 0x80

21 IOCS 0 0x0002 0x0001 - 1 - 0x80

The status value 0x80 indicates that the associated Process Data is valid in case of IO Data Object. For the IOCS object it indicates that the Consumer of the associated Process Data is using the data. (The associated process data is transferred in the opposite direction and thus not part of

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 PROFINET 50/55 this IOCR. In other words, in this case Slot 0x1, Subslot 0x1 is an Input Submodule and Slot 0x2, Subslot 0x1 is an Output Submodule)

5.6.3.3 Remarks

PROFINET Process Data Exchange is covered by some additional constraints, which must be obeyed by the device to ensure proper data exchange: Some existing IO-Controllers (e.g. S7-300, S7-400) do not recognize IOPS changes from "BAD" to "GOOD" after the RPC Application Ready Request. If that scenario occurs the IO-Device must send a Return of Submodule Alarm to the IO-Controller. The expected behaviour of an IO-Device is to delay the RPC Application Ready until all Submodule IOPS and IOCS provided by the Device are set to “GOOD”. Afterwards the RPC Application Ready Request is issued (PNS Application Ready Service). If the IO-Device cannot set the IOPS to “GOOD” for a particular submodule for a specific reason (e.g. Invalid Parameters have been transferred to the IO-Device), the device should set the submodule to state Application ready pending (PNS Set Submodule State Service), add a diagnosis to the submodule and issue the Application Ready Service. The RPC Application Ready Request will then contain a Module Diff Block indicating a problem with the particular submodule. At some time point afterwards it might be desired to set the IOPS of the submodule to GOOD. In that scenario the application shall reset the submodule state (PNS Set Submodule State Service), remove the diagnosis and issue a Return Of Submodule Alarm (PNS Return Of Submodule Service).

5.6.3.4 PROFINET Process Data Model

The PROFINET Protocol defines a Consumer - Provider model. The Process Data is generated by the Provider and received by the Consumer. Additionally a Provider Status and a Consumer Status is exchanged. Depending on the view either the IO-Controller or the IO-Device is the Consumer or Provider. The following table tries to explain this in more detail. As usually, process data transferred from the IO-Device to the IO-Controller is denoted as Input Data while process data transferred from IO-Controller to IO-Device is denoted as Output Data. The last column in the table describes the PROFINET IO-Device V3.x Configuration Packet variables associated with the corresponding Element. The blue rows indicate data which is transferred from the IO-Device to the IO-Controller while the green rows indicate data which is transferred from the IO-Controller to the OP Device.

Table 11: PROFINET Process Data Model

Associated IOCR PROFINET Controller Device Device V3.x PROFINET Device V3.x Kind of Data (Telegram View View on Network) Process Configuration Variables Data Image

Process Data DPM Output ulDPMOffsetOut Area Provider Consumer Provider Input IOCR ulProvImageIOPSOffset, Input Provider Status (IOPS) usOffsetIOPSProvider Data Image

Consumer ulConsImageIOCSOffset, Provider Consumer Output IOCR Status (IOCS) DPM Input usOffsetIOCSConsumer Area Process Data ulDPMOffsetIn Consumer Provider Consumer Output IOCR Provider Image ulConsImageIOPSOffset, Status (IOPS) usOffsetIOPSConsumer Output Data DPM Output Consumer Area ulProvImageIOCSOffset, Consumer Provider Input IOCR Status (IOCS) Provider usOffsetIOCSProvider Image

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 Appendix 52/55 6 Appendix 6.1 List of Figures Figure 1: Network Capture with Port-mirroring switch ...... 7 Figure 2: Network Capture with netANALYZER ...... 8 Figure 3: Official logo of the Wireshark Company ...... 10 Figure 4: Download the Wireshark installer ...... 12 Figure 5: Setup Wireshark start screen ...... 13 Figure 6: End-User License Agreement screen ...... 13 Figure 7: Wireshark components screen ...... 14 Figure 8: Wireshark additional tasks screen ...... 14 Figure 9: Installation path dialog window ...... 15 Figure 10: Wireshark packet capture window ...... 15 Figure 11: Wireshark USB capture window ...... 16 Figure 12: Wireshark installing screen ...... 16 Figure 13: Npcap License Agreement screen ...... 17 Figure 14: Npcap installing screen ...... 17 Figure 15: Npcap installing screen ...... 18 Figure 16: Npcap Setup completed window ...... 18 Figure 17: Npcap Setup completed window (repeated) ...... 19 Figure 18: Wireshark installing screen ...... 19 Figure 19: Installation complete screen ...... 20 Figure 20: Setup completed window ...... 20 Figure 21: Wireshark welcome screen ...... 22 Figure 22: The menu ...... 23 Figure 23: The Wireshark toolbar ...... 23 Figure 24: The "Packet List" Pane ...... 26 Figure 25: The "Packet Details" pane...... 26 Figure 26: The “Packet Bytes” pane with tabs ...... 27 Figure 27: Communication with RT and IRT ...... 29 Figure 28: Network Capture with Port-mirroring switch ...... 31 Figure 29: Network Capture with IRT switch ...... 32 Figure 30: Network Capture with netANALYZER ...... 33 Figure 31: Recording Scenario with netANALYZER Scope between Master and Slaves ...... 34 Figure 32: Typical Application - The communication between a device and its connection ...... 34 Figure 33: Run window...... 35 Figure 34: Network Connections screen ...... 35 Figure 35: Network connection screen with one connection ...... 36 Figure 36: Status of the network connection ...... 37 Figure 37: Properties of the network connection ...... 37 Figure 38: Properties of Internet Protocol version 4 (TCP/IPv4) ...... 38 Figure 39: PROFINET process data telegram structure ...... 40 Figure 40: PROFINET process data item ...... 41 Figure 41: decoding example in Wireshark ...... 41 Figure 42: Structure of a PROFINET frame ...... 41 Figure 43: Reading the structure information of Wireshark ...... 44 Figure 44: Reading the slots/subslots of Wireshark ...... 45 Figure 45: Reading the data length of the subslots ...... 46 Figure 46: Reading the data length of the submodule slots ...... 47 Figure 47: Decoding the data telegram of Wireshark ...... 49

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019 Appendix 53/55 6.2 List of Tables Table 1: List of Revisions ...... 3 Table 2: Terms, Abbreviations and Definitions ...... 4 Table 3: Comparison between RT and IRT ...... 30 Table 4: PROFINET Frame ...... 42 Table 5: Frame-IDs ...... 43 Table 6: Time synchronization with IRT: Precision Transparent Clock Protocol (PTCP) ...... 43 Table 7: Table of all offsets ...... 45 Table 8: Table of all offsets (continuation)...... 47 Table 9: Complete Table of all offsets ...... 48 Table 10: Added Data and Status to the Table of all offsets ...... 49 Table 11: PROFINET Process Data Model ...... 51

[1] Wireshark. (n.d.). 1.4. A brief history of Wireshark. Retrieved April 25, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html.

[2] 3.3. The Main window. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html.

[3] DCE/RPC - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/DCE/RPC.

[4] PROFINET/RT - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/PROFINET/RT.

[5] Zhang, L., Streubühr, M., Glaß, M., Teich, J., von Schwerin, A., & Liu, K. (2012). System-Level Modeling and Simulation of Networked PROFINET IO Controllers. In Proc. of the Embedded World Conference. Nuremberg, DE: Kissingen, Germany: WEKA Fachzeitschriften Verlag.

[6] DCP - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/PROFINET/DCP.

[7] LLDP - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/LinkLayerDiscoveryProtocol.

[8] AddressResolutionProtocol - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from https://wiki.wireshark.org/AddressResolutionProtocol.

[7] 3.17. The “Packet List” Pane. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html.

[8] 3.18. The “Packet Details” Pane. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html

[9] 3.19. The “Packet Bytes” Pane. (n.d.). Retrieved April 26, 2019, from https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html

Headquarters

Germany Hilscher Gesellschaft für

Systemautomation mbH Rheinstrasse 15 65795 Hattersheim Phone: +49 (0) 6190 9907-0 Fax: +49 (0) 6190 9907-50 E-Mail: [email protected] Support Phone: +49 (0) 6190 9907-99 E-Mail: [email protected]

Subsidiaries

China Japan Hilscher Systemautomation (Shanghai) Co. Ltd. Hilscher Japan KK 200010 Shanghai Tokyo, 160-0022 Phone: +86 (0) 21-6355-5161 Phone: +81 (0) 3-5362-0521 E-Mail: [email protected] E-Mail: [email protected] Support Support Phone: +86 (0) 21-6355-5161 Phone: +81 (0) 3-5362-0521 E-Mail: [email protected] E-Mail: [email protected]

France Korea Hilscher France S.a.r.l. Hilscher Korea Inc. 69500 Bron Suwon, 443-810 Phone: +33 (0) 4 72 37 98 40 Phone: +82-31-204-6190 E-Mail: [email protected] E-Mail: [email protected] Support Phone: +33 (0) 4 72 37 98 40 Switzerland E-Mail: [email protected] Hilscher Swiss GmbH 4500 Solothurn India Phone: +41 (0) 32 623 6633 Hilscher India Pvt. Ltd. E-Mail: [email protected] New Delhi - 110 025 Support Phone: +91 11 40515640 Phone: +49 (0) 6190 9907-99 E-Mail: [email protected] E-Mail: [email protected]

Italy USA Hilscher Italia srl Hilscher North America, Inc. 20090 Vimodrone (MI) Lisle, IL 60532 Phone: +39 02 25007068 Phone: +1 630-505-5301 E-Mail: [email protected] E-Mail: [email protected] Support Support Phone: +39 02 25007068 Phone: +1 630-505-5301 E-Mail: [email protected] E-Mail: [email protected]