capturing profinet with wireshark - knowledgebase

Introduction 2/55

Capturing PROFINET with Wireshark DOC190402AN01EN | Revision 1 | English | 2019-10 | Released | Public © Hilscher, 2019

Table of Contents

1 Introduction ............................................................................................................................................. 3 1.1 About this Document ...................................................................................................................... 3 1.2 List of Revisions ............................................................................................................................. 3 1.3 Terms, Abbreviations and Definitions ............................................................................................ 4 1.4 Legal Notes .................................................................................................................................... 5

1.4.1 Copyright ........................................................................................................................................... 5 1.4.2 Important Notes ................................................................................................................................. 5 1.4.3 Exclusion of Liability .......................................................................................................................... 6 1.4.4 Export Regulations ............................................................................................................................ 6 1.4.5 Registered Trademarks ..................................................................................................................... 6

2 Descriptions and Requirements ........................................................................................................... 7 2.1 Descriptions.................................................................................................................................... 7 2.2 Structure for network recording ...................................................................................................... 7 2.3 Network capturing .......................................................................................................................... 8

3 Wireshark ................................................................................................................................................ 9 3.1 Introduction ..................................................................................................................................... 9 3.2 History ............................................................................................................................................ 9 3.3 Technical Details .......................................................................................................................... 10

4 First Steps ............................................................................................................................................. 11 4.1 Installing the Wireshark software ................................................................................................. 11

4.1.1 Overview ......................................................................................................................................... 11 4.1.2 Requirements for installing Wireshark ............................................................................................. 11 4.1.3 Where to get Wireshark ................................................................................................................... 12 4.1.4 Step-by-Step instructions ................................................................................................................ 12 4.1.5 Update Wireshark ............................................................................................................................ 21 4.1.6 Update WinPcap ............................................................................................................................. 21 4.1.7 Update Npcap ................................................................................................................................. 21 4.1.8 Uninstall Wireshark.......................................................................................................................... 21 4.1.9 Uninstall WinPcap ........................................................................................................................... 21 4.1.10 Uninstall Npcap ............................................................................................................................... 21 4.1.11 Uninstall USBPcap .......................................................................................................................... 21

4.2 Start Wireshark............................................................................................................................. 22 4.3 Welcome Screen .......................................................................................................................... 22

4.3.1 Menu ............................................................................................................................................... 23 4.3.2 Toolbar ............................................................................................................................................ 23 4.3.3 Wireshark Filter ............................................................................................................................... 23 4.3.4 “Packet List” Pane ........................................................................................................................... 25 4.3.5 “Packet Details” Pane ...................................................................................................................... 26 4.3.6 “Packet Bytes” Pane ........................................................................................................................ 27

5 PROFINET ............................................................................................................................................. 28 5.1 Introduction to PROFINET ........................................................................................................... 28

5.1.1 Conformance Classes ..................................................................................................................... 28 5.1.2 RT and IRT in comparison ............................................................................................................... 28

5.2 Hardware structure for a PROFINET data analysis ..................................................................... 31 5.3 Capturing and analysing network traffic ....................................................................................... 33 5.4 Settings for recording with Wireshark .......................................................................................... 35 5.5 Recording network traffic ............................................................................................................. 39 5.6 How to decode cyclic PROFINET frames? .................................................................................. 40

5.6.1 Introduction ...................................................................................................................................... 40 5.6.2 PROFINET Process Data Telegram Structure ................................................................................ 40 5.6.3 Decoding Example .......................................................................................................................... 41

6 Appendix ............................................................................................................................................... 52 6.1 List of Figures ............................................................................................................................... 52 6.2 List of Tables ................................................................................................................................ 53 6.3 Bibliography.................................................................................................................................. 54 6.4 Contacts ....................................................................................................................................... 55

Introduction 3/55


1 Introduction

1.1 About this Document

This manual contains installation and network recording instructions for the devices using the

Wireshark program. This manual will explain the basics and also some of the features that

Wireshark provides. As Wireshark has become a very complex program since the early days, only

the basic feature of Wireshark can be explained in this manual. By reading this manual, you will

learn how to install Wireshark, how to use the basic elements of the graphical user interface (such

as the menu) and what’s behind some of the advanced features that are not always obvious at first

sight.

1.2 List of Revisions

Table 1: List of Revisions

Rev Date Chapter Revision

1 22.10.2019 all created

Introduction 4/55


1.3 Terms, Abbreviations and Definitions

Table 2: Terms, Abbreviations and Definitions

Term Description

ASIC application-specific integrated circuit

ATM Asynchronous Transfer Mode

BSD Berkeley Software Distribution

CFI Canonical Format ID

FDDI Fiber Distributed Data Interface

GNU Unix-like operating system

GUI graphical user interface

IEEE 802.1q networking standard that supports virtual LANs (VLANs) on an IEEE 802.3 Ethernet network

IP Internet Protocol

IrDA Infrared Data Association

IRT Isochronous real time

LAN Local Area Network

macOS graphical operating systems

mbH mit begrentzter Haftung

Npcap Windows version of the libpcap library

PCP Priority Code Point

PPP Point-to-Point Protocol

PTCP Precision Transparent Clock Protocol

RAM Random-Access Memory

RT Real Time

TCI Tag Control Information

TCP Transmission Control Protocol

TPID Tag Protocol Identifier

USB Universal Serial Bus

USBPcap open-source USB sniffer for Windows

VID Virtual Local Area Network ID (VLAN ID)

VLAN Virtual Local Area Network

WinPcap open source library for packet capture and network analysis for Windows

WLAN Wireless Local Area Network

Introduction 5/55


1.4 Legal Notes

1.4.1 Copyright

© Hilscher Gesellschaft für Systemautomation mbH

All rights reserved.

The images, photographs and texts in the accompanying material (user manual, accompanying

texts, documentation, etc.) are protected by German and international copyright law as well as

international trade and protection provisions. You are not authorized to duplicate these in whole or

in part using technical or mechanical methods (printing, photocopying or other methods), to

manipulate or transfer using electronic systems without prior written consent. You are not permitted

to make changes to copyright notices, markings, trademarks or ownership declarations. The

included diagrams do not take the patent situation into account. The company names and product

descriptions included in this document may be trademarks or brands of the respective owners and

may be trademarked or patented. Any form of further use requires the explicit consent of the

respective rights owner.

1.4.2 Important Notes

The user manual, accompanying texts and the documentation were created for the use of the

products by qualified experts, however, errors cannot be ruled out. For this reason, no guarantee

can be made and neither juristic responsibility for erroneous information nor any liability can be

assumed. Descriptions, accompanying texts and documentation included in the user manual do

not present a guarantee nor any information about proper use as stipulated in the contract or a

warranted feature. It cannot be ruled out that the user manual, the accompanying texts and the

documentation do not correspond exactly to the described features, standards or other data of the

delivered product. No warranty or guarantee regarding the correctness or accuracy of the

information is assumed.

We reserve the right to change our products and their specification as well as related user

manuals, accompanying texts and documentation at all times and without advance notice, without

obligation to report the change. Changes will be included in future manuals and do not constitute

any obligations. There is no entitlement to revisions of delivered documents. The manual delivered

with the product applies.

Hilscher Gesellschaft für Systemautomation mbH is not liable under any circumstances for direct,

indirect, incidental or follow-on damage or loss of earnings resulting from the use of the information

contained in this publication.

Introduction 6/55


1.4.3 Exclusion of Liability

The software was produced and tested with utmost care by Hilscher Gesellschaft für

Systemautomation mbH and is made available as is. No warranty can be assumed for the

performance and flawlessness of the software for all usage conditions and cases and for the

results produced when utilized by the user. Liability for any damages that may result from the use

of the hardware or software or related documents, is limited to cases of intent or grossly negligent

violation of significant contractual obligations. Indemnity claims for the violation of significant

contractual obligations are limited to damages that are foreseeable and typical for this type of

contract.

It is strictly prohibited to use the software in the following areas:

for military purposes or in weapon systems;

for the design, construction, maintenance or operation of nuclear facilities;

in air traffic control systems, air traffic or air traffic communication systems;

in life support systems;

in systems in which failures in the software could lead to personal injury or injuries leading to

death.

We inform you that the software was not developed for use in dangerous environments requiring

fail-proof control mechanisms. Use of the software in such an environment occurs at your own risk.

No liability is assumed for damages or losses due to unauthorized use.

1.4.4 Export Regulations

The delivered product (including the technical data) is subject to export or import laws as well as

the associated regulations of different counters, in particular those of Germany and the USA. The

software may not be exported to countries where this is prohibited by the United States Export

Administration Act and its additional provisions. You are obligated to comply with the regulations at

your personal responsibility. We wish to inform you that you may require permission from state

authorities to export, re-export or import the product.

1.4.5 Registered Trademarks

Windows® 7, Windows® 8 and Windows® 10 are registered trademarks of Microsoft Corporation.

Wireshark® and the "fin" -Logo is a registered trademark of Gerald Combs.

Adobe-Acrobat® is a registered trademark of the Adobe Systems Incorporated.

EtherCAT® is a registered trademark of Beckhoff Automation GmbH, Verl, Germany, formerly

Elektro Beckhoff GmbH.

PROFIBUS® und PROFINET® are registered trademarks of PROFIBUS International, Karlsruhe.

All other mentioned trademarks are property of their respective legal owners.

Descriptions and Requirements 7/55


2 Descriptions and Requirements

2.1 Descriptions

This chapter describes the most important steps in short form for a recording with Wireshark.

Chapter 4: First Steps explains the steps how to download the Wireshark program. In addition, this

chapter describes how to update or uninstall Wireshark in addition to installing.

In the following, there is a closer look at the user interface of Wireshark and the most important

functions of the user interface are explained.

Chapter 5: PROFINET starts into the PROFINET topic and gives an overview and shows with an

example of how an analysis of the PROFINET data frames works.

2.2 Structure for network recording

In the following you will find two possibilities to build the hardware to capture a Wireshark trace.

If no netANALYZER is available, the structure should be as follows:

Figure 1: Network Capture with Port-mirroring switch

PROFINET Controller

PC with Wireshark

PROFINET IRT Switch with Port mirroring

PROFINET Device PROFINET Device

Descriptions and Requirements 8/55


Further information on why port mirroring is used can be found in chapter 5.2: Hardware structure

for a PROFINET data analysis.

For a recording with the netANALYZER, which captures all frames in contrast to the IRT switch,

the structure is:

Figure 2: Network Capture with netANALYZER

Further information how the netANALYZER is used can be found in chapter 5.2: Hardware

structure for a PROFINET data analysis.

2.3 Network capturing

Start the Wireshark capturing, after the preparation for a data analysis with Wireshark has been

made. In the following, you will find the steps to capture a trace in a short form:

Switch off PROFINET Controller/Device

Click on the button

Switch on Controller/Device

Wait until Controller/Device has booted up and exchanged data

Stop capturing with the button

Save capture with the button

For more detailed explanations, see chapter 5.5: Recording network traffic.

netANALYZER PROFINET Controller

PC with Wireshark


Wireshark 9/55


3 Wireshark

3.1 Introduction

Wireshark (“wire” and “shark”) is a free and open source packet analyser. It is used for network

troubleshooting, analysis, software and communications protocol development, and education.

Originally named Ethereal, the project was renamed Wireshark in May 2006 due to trademark

issues.

Wireshark is cross-platform, using the Qt widget toolkit in current releases to implement its user

interface, and using pcap to capture packets; it runs on Linux, macOS, BSD, Solaris, some other

Unix-like operating systems, and Microsoft Windows. There is also a terminal-based (non-GUI)

version called TShark. Wireshark, and the other programs distributed with it such as TShark, are

free software, released under the terms of the GNU General Public License.

3.2 History

In late 1997 Gerald Combs needed a tool for tracking down network problems and wanted to learn

more about networking so he started writing Ethereal (the original name of the Wireshark project)

as a way to solve both problems.

Ethereal was initially released after several pauses in development in July 1998 as version 0.2.0.

Within day’s patches, bug reports, and words of encouragement started arriving and Ethereal was

on its way to success.

Not long, after that Gilbert Ramirez saw its potential and contributed a low-level dissector to it.

In October, 1998 Guy Harris was looking for something better than tcpview so he started applying

patches and contributing dissectors to Ethereal.

In late 1998 Richard Sharpe, who was giving TCP/IP courses, saw its potential on such courses

and started looking at it to see if it supported the protocols he needed. While it did not at that point

new protocols could be easily added. Therefore, he started contributing dissectors and contributing

patches.

The list of people who have contributed to the project has become very long since then, and almost

all of them started with a protocol that they needed that Wireshark or did not already handle.

Therefore, they copied an existing dissector and contributed the code back to the team.

When Gerald Combs switched from Ethereal Software Inc. to CACE Technologies, he launched

his own follow-up project and named it in 2006 Wireshark.

In 2006, the project moved house and re-emerged under a new name: Wireshark.

The first version of Wireshark was released on June 7, 2006 with the version number 0.99.1. The

precursor, Ethereal, is still available in version 0.99.0, but is no longer being developed.

In 2008, after ten years of development, Wireshark finally arrived at version 1.0. This release was

the first deemed complete, with the minimum features implemented. Its release coincided with the

first Wireshark Developer and User Conference, called Sharkfest.

Wireshark version 2.0 was released on November 19, 2015. The whole program was switched to

Qt and provided with a new, more intuitive interface. [1]

On February 28, 2019 Wireshark has been released in version 3.0. Wireshark 3.0 has now an IP

map in a modernized representation. Wireshark can also be created with reproducible builds. In

Wireshark 10/55


addition, the Qt version has been updated compared to the last final Wireshark version. The

Windows version installs now Npcap instead of WinPcap.

Figure 3: Official logo of the Wireshark Company

3.3 Technical Details

The Wireshark tool either displays the data in the form of individual packets during or after the

recording of data traffic from a network interface. The data is processed in a clearly arranged

manner with filters adapted to the respective protocols. Wireshark can also create statistics on the

data flow or use special filters to selectively extract binary content.

Network interfaces whose traffic can be analysed are primarily Ethernet with the various Internet

protocol families such as TCP/IP. In addition, Wireshark can also record and analyse wireless

traffic in the Wireless Local Area Network (WLAN) and Bluetooth connections. Using appropriate

modules, further common interfaces such as USB can be integrated into Wireshark. On Microsoft

Windows, Wireshark records traffic transparently using WinPcap. The prerequisite for this is

always that the respective computer on which Wireshark is operated has the corresponding

physical interfaces and the user has corresponding access authorizations for these interfaces.

In addition to the graphical Wireshark version, there is the TShark, which is based on the same

network code and is controlled by command line options. For both versions, the recording format of

the measured data was taken from tcpdump. Nevertheless, Wireshark can additionally import the

formats of other LAN analysers.

First Steps 11/55


4 First Steps

4.1 Installing the Wireshark software

4.1.1 Overview

This section describes how to install the Wireshark software on your development PC.

4.1.2 Requirements for installing Wireshark

General requirements

Operating system: Windows® 10, Windows® 8/8.1, Windows® 7, Windows® Vista,

Windows® Server 2016, Windows® Server 2012 R2, Windows® Server 2012, Windows®

Server 2008 R2 or Windows® Server 2008

Access to the internet is required for downloading “third-party” development tools like e.g.

WinPcap and USBPcap.

If applicable:

Uninstall previous versions of Wireshark from your development PC

Hardware requirements of development PC

Processor: Any modern 64-bit AMD64/x86-64 or 32-bit x86 processor.

RAM: 400 Mbyte min., larger capture files require more RAM.

Free hard disk space: 300 MByte min., Capture files require additional disk space.

Graphic resolution: 1024 x 768 pixels (1280 × 1024 or higher recommended) resolution with

at least 16-bit colour. 8-bit colour should work but user experience will be degraded. Power

users will find multiple monitors useful.

Network card: A supported network card for capturing

o Ethernet. Any card supported by Windows should work.

o 802.11. Capturing raw 802.11 information may be difficult without special

equipment.

o other media. These are ATM, Bluetooth, CiscoHDL, Ethernet, FDDI, FrameRelay,

IrDA, Loopback, ppp, TokenRing, USB, VLAN and WLAN.

Older versions of Windows, which are outside Microsoft’s extended lifecycle support window, are

no longer supported. It is often difficult or impossible to support these systems due to

circumstances beyond the control of Wireshark, such as third party libraries on which Wireshark

depend or due to necessary features that are only present in newer versions of Windows (such as

hardened security or memory management).

First Steps 12/55


4.1.3 Where to get Wireshark

You can get the latest copy of the program from the Wireshark website at

https://www.wireshark.org/download.html. The download page should automatically highlight the

appropriate download for your platform and direct you to the nearest mirror. The Wireshark

Foundation signs official Windows and macOS installers.

A new Wireshark version typically becomes available each month or two.

4.1.4 Step-by-Step instructions

Windows Installer names contain the platform and the version. For example, Wireshark-win64-

2.6.7.exe installs Wireshark version 2.6.7 for 64-bit Windows. The Wireshark installer includes the

WinPcap tool, which is required for packet capture, up to V2.9.0. Since V3.0.0 the program Npcap

is used instead of WinPcap.

Simply download the Wireshark installer from https://www.wireshark.org/download.html and

execute it. The Wireshark Foundation signs official packages. You can choose to install several

optional components and select the location of the installed package. The default settings are

recommended for most users.

Download Wireshark on your development PC.

Figure 4: Download the Wireshark installer

Install Wireshark on your development PC.

Double-click the Wireshark installer Wireshark-winXX-X.X.X.exe file.

https://www.wireshark.org/download.html

https://www.wireshark.org/download.html

First Steps 13/55


The Wireshark setup starts:

Figure 5: Setup Wireshark start screen

Click Next button.

The End-User License Agreement window opens:

Figure 6: End-User License Agreement screen

Click I Agree button.

First Steps 14/55


Figure 7: Wireshark components screen

Click or unclick in front of the components you want to install, then click Next button.

Figure 8: Wireshark additional tasks screen

Click or unclick in front of the additional tasks you want to set, then click Next button.

First Steps 15/55


The destination folder dialog opens:

Figure 9: Installation path dialog window

Accept the default path or click the Browse button to choose a different target directory for

your Wireshark installation, then click Next button.

Figure 10: Wireshark packet capture window

Wireshark requires either Npcap or WinPcap to capture live network data. Use Add/Remove

Programs first to uninstall any undetected old WinPcap- and Npcap versions, then Check

the box in front Install Npcap, then click Next button.

If a recording is to be carried out with netANALYZER, the checkbox in front of Install Npcap

must be deactivated. Then select Next button.

First Steps 16/55


Figure 11: Wireshark USB capture window

Wireshark requires either Npcap or WinPcap to capture live network data. USBPcap is not

needed for a Wirehsark recording with Ethernet and therefore does not have to be installed.

Then uncheck the box before Install USBPcap. Then select Next button.

The Installing Wireshark window opens:

Figure 12: Wireshark installing screen

First Steps 17/55


The Npcap License Agreement window opens:

Figure 13: Npcap License Agreement screen

Click Next button.

Figure 14: Npcap installing screen

Check the box next to Support loopback traffic ("Npcap Loopback Adapter" will be

created) and then select the Install button.

First Steps 18/55


Figure 15: Npcap installing screen

After successful Npcap installation, the Completed Npcap Setup Wizard message appears:

Figure 16: Npcap Setup completed window

Click Finish button.

First Steps 19/55


Figure 17: Npcap Setup completed window (repeated)

You have Npcap installed on your PC.

The Installing Wireshark window opens:

Figure 18: Wireshark installing screen

Wireshark is being installed on your development PC.

First Steps 20/55


Figure 19: Installation complete screen

After successful Wireshark installation, the Completing Wireshark Setup message appears:

Figure 20: Setup completed window

Click Finish button.

You have installed Wireshark on your PC. You now need to reboot the development PC to

complete the installation.

First Steps 21/55


4.1.5 Update Wireshark

By default, the official Windows package will check for new versions and notify you when they are

available.

New versions of Wireshark are usually released every four to six weeks. Updating Wireshark is

done the same way as installing it. Simply download and start the installer exe. A reboot is usually

not required and all your personal settings remain unchanged.

4.1.6 Update WinPcap

New versions of WinPcap are no longer available. For instructions and more information about

WinPcap, visit the WinPcap Web site at https://www.winpcap.org.

4.1.7 Update Npcap

New versions of Npcap are less frequently available. You will find Npcap update instructions the

Npcap web site at https://nmap.org/npcap. You may have to reboot your machine after installing a

new Npcap version.

4.1.8 Uninstall Wireshark

You can uninstall Wireshark using the Programs and Features control panel. Select the

“Wireshark” entry to start the uninstallation procedure.

The Wireshark uninstaller provides several options for removal. The default is to remove the core

components but keep your personal settings, USBPcap and WinPcap. USBPcap and WinPcap are

left installed by default in case other programs need it.

4.1.9 Uninstall WinPcap

You can uninstall WinPcap independently of Wireshark using the WinPcap entry in the Programs

and Features control panel. Remember that if you uninstall WinPcap, the Npcap program must be

installed, otherwise you won’t be able to capture anything with Wireshark.

4.1.10 Uninstall Npcap

Npcap can be uninstalled independently of Wireshark with the Npcap entry in the Programs and

Features Control Panel. It should be noted, that when uninstalling Npcap, the program WinPcap

must be installed in order to ensure recording with Wireshark.

4.1.11 Uninstall USBPcap

USBPcap can be uninstalled independently of Wireshark with the USBPcap entry in the Programs

and Features Control Panel. It should be noted, that when USBPcap is uninstalled, USB Traffic

with Wireshark cannot be captured. This is not required for the application of Wireshark network

recording with Ethernet.

https://www.winpcap.org/

https://nmap.org/npcap

First Steps 22/55


4.2 Start Wireshark

In the following chapters, some screenshots from Wireshark will be shown. As Wireshark runs on

many different platforms with many different window managers, different styles applied and there

are different versions of the underlying GUI toolkit used, your screen might look different from the

provided screenshots. But as there are no real differences in functionality these screenshots

should still be well understandable.

4.3 Welcome Screen

After starting Wireshark, the following window opens:

Figure 21: Wireshark welcome screen

The main window shows Wireshark as you would usually see it after some packets are captured or

loaded (how to do this will be described later).

Wireshark’s main window consists of parts that are commonly known from many other GUI

programs.

1. The menu (see 4.3.1: Menu) is used to start actions.

2. The main toolbar (see 4.3.2: Toolbar) provides quick access to frequently used items

from the menu.

3. The filter toolbar (see 4.3.3: Wireshark Filter) provides a way to directly manipulate the

currently used display filter.

4. The packet list pane (see 4.3.4: “Packet List” Pane) displays a summary of each packet

captured. By clicking on packets in this pane you control what is displayed in the other

two panes.

5. The packet details pane (see 4.3.5: “Packet Details” Pane) displays the packet selected

in the packet list pane in more detail.

First Steps 23/55


6. The packet bytes pane (see 4.3.6: “Packet Bytes” Pane) displays the data from the

packet selected in the packet list pane, and highlights the field selected in the packet

details pane.

7. The status bar shows some detailed information about the current program state and the

captured data. [2]

4.3.1 Menu

Wireshark’s main menu is located in Windows at the top of the main window. An example is shown

in Figure 22: The menu.

NOTE: Some menu items will be disabled (greyed out) if the corresponding feature isn’t

available. For example, you cannot save a capture file if you haven’t captured or

loaded any packets.

Figure 22: The menu

4.3.2 Toolbar

The main toolbar provides quick access to frequently used items from the menu. This toolbar

cannot be customized by the user, but it can be hidden using the View menu if the space on the

screen is needed to show more packet data.

Items in the toolbar will be enabled or disabled (greyed out) similar to their corresponding menu

items. For example, in the image below shows the main window toolbar after a file has been

opened. Various file-related buttons are enabled, but the stop capture button is disabled because a

capture is not in progress.

Figure 23: The Wireshark toolbar

4.3.3 Wireshark Filter

4.3.3.1 Distributed Computing Environment/Remote Procedure Call (DCE/RPC)

If you want to show only the DCE/RPC based traffic (both connection oriented and connectionless)

use following filter:

dcerpc

DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an

over-the-network protocol.

First Steps 24/55


A DCE/RPC server's endpoint mapper (EPMAP) will listen for incoming calls. A client will call this

endpoint mapper and ask for a specific interface, which will be accessed on a different connection.

After that, the client can request calls to the server.

Because of that, you cannot simply capture from a specific TCP port to see all traffic, as there are

more connections used.

DCE/RPC can run atop a number of protocols, including:

TCP: Typically, connection oriented DCE/RPC uses TCP as its transport protocol. The

well-known TCP port for DCE/RPC EPMAP is 135. This transport is called ncacn_ip_tcp.

UDP: Typically, connectionless DCE/RPC uses UDP as its transport protocol. The well-

known UDP port for DCE/RPC EPMAP is 135. This transport is called ncadg_ip_udp.

SMB: Connection oriented DCE/RPC can also use authenticated named pipes on top

of SMB as its transport protocol. This transport is called ncacn_np.

SMB2: Connection oriented DCE/RPC can also use authenticated named pipes on top

of SMB2 as its transport protocol. This transport is called ncacn_np. [3]

4.3.3.2 PROFINET Real-Time Protocol (PN-RT)

If you want to show only the communications using PN-RT bypass the standard TCP/IP interface

use following filter:

pn_rt

PROFINET RT is one of the protocols of the PROFINET family. It used for real time cyclic data

transfer with Industrial Programmable Logic Controllers. Communications using PN-RT bypass the

standard TCP/IP interface provided by PROFINET to provide high-speed communications of up to

12 MBaud. Specifically it was designed for time critical discrete input/output and message transfer.

[4]

4.3.3.3 PROFINET Precision Time Control Protocol (PN-PTCP)

The Precision Time Control Protocol (PTCP) is a protocol definition within the PROFINET context.

It is a link layer based protocol to synchronize clock/time signals over several PLCs. If you want to

show only the PTCP communications, use following filter:

pn_ptcp

PROFINET IO defines the PTCP to share the time reference among IO-Controllers. According to

PTCP, the clocks in IO-Controllers are organized in a master-slave synchronization hierarchy with

a grandmaster clock at top that determines the reference time for the complete system. The

synchronization is accomplished by exchanging PTCP timing messages between slaves and their

master. Slave clocks use the timing information to adjust their clocks, i.e., keep synchronized with

their timing masters. [5]

First Steps 25/55


4.3.3.4 PROFINET Discovery and basic Configuration Protocol (PN-DCP)

The Discovery and Basic Configuration Protocol DCP is a protocol definition within the PROFINET

context. It is a Data Link Layer based protocol to configure station names and IP addresses. It is

restricted to one subnet and mainly used in small and medium applications without an installed

DHCP server.

To show only the ARP packets, use following filter:

pn_dcp

You cannot directly filter PN-DCP protocols while capturing. [6]

4.3.3.5 Link Layer Discovery Protocol (LLDP)

The Link Layer Discovery Protocol (LLDP) is a vendor neutral layer 2 protocol that can be used by

a station attached to a specific LAN segment to advertise its identity and capabilities and to receive

it from a physically adjacent layer 2 peer.

To display only the LLDP based traffic use:

lldp

The transmission of the Link Layer Discovery Protocol (LLDP) is a one-way transmission in

multicast. A receipt will not be sent. This takes place in an interval of 30 seconds or another

specified distance. Shipping and receipt are independent. [7]

4.3.3.6 Address Resolution Protocol (ARP)

You will often see ARP packets at the beginning of a conversation, as ARP is the way these

addresses are discovered.

To show only the ARP packets, use following filter:

arp

The Address Resolution Protocol is used to dynamically discover the mapping between a layer 3

(protocol) and a layer 2 (hardware) address. A typical use is the mapping of an IP address (e.g.

192.168.0.10) to the underlying Ethernet address (e.g. 01:02:03:04:05:06).

In the common case, this table is for mapping Ethernet to IP addresses. This database is called the

ARP Table. Dynamic entries in this table are often cached with a timeout of up to 15 minutes,

which means that once a host has ARP for an IP address it will remember this for the next 15

minutes before it gets time to ARP for that address again. [8]

4.3.4 “Packet List” Pane

The packet list pane displays all the packets in the current capture file.

First Steps 26/55


Figure 24: The "Packet List" Pane

Each line in the packet list corresponds to one packet in the capture file. If you select a line in this

pane, more details will be displayed in 4.3.5 “Packet Details” Pane and 4.3.6 “Packet Bytes” Pane.

While dissecting a packet, Wireshark will place information from the protocol dissectors into the

columns. As higher level protocols might overwrite information from lower levels, you will typically

see the information from the highest possible level only.

There are a lot of different columns available.

The default columns will show:

[ No. ] The number of the packet in the capture file. This number won’t change,

even if a display filter is used.

[ Time ] The timestamp of the packet. The presentation format of this timestamp

can be changed.

[ Source ] The address where this packet is coming from.

[ Destination ] The address where this packet is going to.

[ Protocol ] The protocol name in a short (perhaps abbreviated) version.

[ Length ] The length of each packet.

[ Info ] Additional information about the packet content. [9]

4.3.5 “Packet Details” Pane

The packet details pane shows the current packet (selected in Figure 25: The "Packet Details"

pane) in a more detailed form.

Figure 25: The "Packet Details" pane

This pane shows the protocols and protocol fields of the packet selected in 4.3.4: “Packet List”

Pane.

The protocols and fields of the packet shown in a tree, which can be expanded and collapsed. [10]

First Steps 27/55


4.3.6 “Packet Bytes” Pane

The “Packet Bytes” pane shows a hex dump of the packet data. Each line contains the data offset,

sixteen hexadecimal bytes, and sixteen ASCII bytes. Non-printable bytes are replaced with a

period (“.”).

Depending on the packet data, sometimes more than one page is available, e.g. when Wireshark

has reassembled some packets into a single chunk of data. In this case you can see each data

source by clicking its corresponding tab at the bottom of the pane.

Figure 26: The “Packet Bytes” pane with tabs

Additional pages typically contain data reassembled from multiple packets or decrypted data.

The context menu (right mouse click) of the tab labels will show a list of all available pages. This

can be helpful if the size in the pane is too small for all the tab labels. [11]

PROFINET 28/55


5 PROFINET

5.1 Introduction to PROFINET

5.1.1 Conformance Classes

The range of functions of PROFINET IO is divided into well-organized “conformance classes”

(“CC” for short). These conformance classes provide a practical summary of the various minimum

properties.

Optional functions in PROFINET extend the conformance classes to include user functionalities

such as fast start-up (FSU), media redundancy (MRP), multiple access (Shared Device), and many

more.

There are three consecutive conformance classes that are geared to typical applications.

5.1.2 RT and IRT in comparison

PROFINET distinguishes between four Real-Time classes with differences regarding the

performance:

RT_Class_1: Real-Time (RT)

Devices limited to one network (no routing)

Using standard components (common hardware)

Typical cycle time of 1-32 ms

Suited for remote IO for PLCs (similar to PROFIBUS-DP)

RT_Class_2: not used anymore (IRT flexible)

Hardware support via Switch-ASIC

Deterministic cycle time and reduced jitter

Typical cycle of < 1ms and Jitter < 1µs

RT_Class_3: Isochronous Real-Time (IRT)

Planned communication traffic (time-table needed)

Also synchronized applications

Suited for motion control applications

RT_Class_UDP: unsynchronized (UDP)

Build on top of UDP to get full routing functionality

Typical cycle time of 100 ms

Suited for remote control applications

No implementation available at this time

PROFINET 29/55


Figure 27: Communication with RT and IRT

RT covers time requirements that correspond to those of today's fieldbuses. In contrast, IRT is

suitable for meeting requirements that are today only with special bus systems or even not

feasible. The differences in realization are shown in Figure 27: Communication with RT and IRT.

While the RT real-time variant is based on standard Ethernet cards, the IRT version uses a special

hardware component as an Ethernet controller that contains a switch. This block also supports RT

communication.

Both variants are divided into two parts:

Communication in a non-real-time channel (supports the TCP/IP protocol)

Communication in a real-time capable channel (works without the protocol TCP/IP)

The prerequisite for using the RT real-time variant is a collision-free Ethernet structure that uses

only switches. To ensure that the switches do not delay the real-time data unnecessarily, the

solution uses IEEE 802.1q prioritization mechanisms.

Real-time data for RT is given priority level 7, while other data, which also have high temporal

requirements, use level 5 and 6. Highest real-time requirements with a jitter of 1 μs cannot be

realized with the use of conventional Ethernet components.

PROFINET solves such requirements with IRT, which can be implemented with special hardware

devices (ASICs), such as the netX works. These ASICs not only contain an Ethernet controller, but

also have the full functionality of a switch. On the one hand, the user saves the usual separate

switches, and this variant also enables the formation of line structures, which are required in

automation for cost-effective cabling.

PROFINET 30/55


The main differences between RT and IRT:

Table 3: Comparison between RT and IRT

Attribute RT IRT

Transmission Prioritization of RT telegrams by

Ethernet prio (VLAN tag)

Reservation of the transmission

bandwidth by reserving a time

range in which only IRT

communication takes place and

e.g. no TCP/IP frames are

transmitted.

Determinism Variance of the transmission time

by sharing the transmission

bandwidth with other protocols (e.g.

TCP/IP)

Guaranteed transmission of the

IRT telegrams in the current cycle

by reserved transmission

bandwidth

Special hardware not necessary required

PROFINET 31/55


5.2 Hardware structure for a PROFINET data analysis

Some Ethernet switches (usually called "managed switches") have a monitor mode. This monitor

mode can dedicate a port to connect your Wireshark capturing device. Using the switch

management, you can select both the monitoring port and assign a specific port you wish to

monitor. Actual procedures vary between switch models. You may need to use a terminal

emulator, specialized SNMP client software or a Web browser. Caution: the monitoring port must

be at least as fast as the monitored port, or you could certainly lose packets.

Note that some switches might not support monitoring all traffic passing through the switch, only

traffic on a particular port. On those switches, you might not be able to capture all traffic on the

network, only traffic sent to or from some particular machine on the switch.

If there is no netANALYZER, there are two ways to record a Wireshark trace. For this purpose, it

must first be considered whether PROFINET IRT or RT should be recorded. The differences

between IRT and RT were explained in detail in the previous chapter 5.1.2: RT and IRT in

comparison.

The structure without netANALYZER can be done as follows:

Figure 28: Network Capture with Port-mirroring switch

PROFINET Device

PROFINET Controller

PROFINET Device

PC with Wireshark

Managed Switch with Port Mirroring

PROFINET 32/55


To record PROFINET IRT, an IRT switch must be used. With this mode, it is no longer sufficient to

use a low priced managed switch with port mirroring. An IRT switch is needed to handle the IRT

frames.

The structure looks like this:

Figure 29: Network Capture with IRT switch

Slave

PROFINET Controller

Slave

PC with Wireshark

PROFINET IRT Switch with Port mirroring

PROFINET 33/55


Port Mirroring is used on a network switch to send a copy of network packets displayed on one

switch port (or an entire VLAN) to a network monitor connection on another switch port.

We use port mirroring to analyze problems with a device or network load or to diagnose faults. It

can be used to mirror inbound or outbound traffic (or both) on one or more interfaces.

Figure 30: Network Capture with netANALYZER

With netANALYZER, you can record PROFINET process data and important communication

events of individual devices simply and without the need for parameterization. Connect the

netANALYZER to the PROFINET network and record the connection between controller and

devices with Wireshark or the included netANALYZER Scope software.

5.3 Capturing and analysing network traffic

You can use the netANALYZER cards and portable devices to record the timing, the network load

and the functions of individual systems or system components bus systems, which conform to the

PROFINET specification.

The netANALYZER devices analyse the data traffic in the communication and protocols the

arriving frames.


PC with Wireshark


PROFINET 34/55


This is schematically illustrated in the figure below:

Figure 31: Recording Scenario with netANALYZER Scope between Master and Slaves

Cabling can be done as follows:

Figure 32: Typical Application - The communication between a device and its connection

For devices with two Ethernet channels the analyser card NANL-C500-RE and the analyser device

NANL-B500G-RE capture the Ethernet frames and adds the time stamps to them. Therefore, the

netANALYZER device must be connected from any TAP to the Ethernet device connections via

two patch cables.

Since Wireshark 3.0, WinPcap has changed the default packet capture library to Npcap.

Unfortunately, Npcap currently does not support direct capture of netANALYZER devices.

Since newer versions of Wireshark can use the WinPcap library for capture, it is still possible to

use the netANALYZER directly from Wireshark.

Avoid installing Npcap simply while installing Wireshark by disabling "Install Npcap X.XX-rX" (see

Chapter 4.1.4: Step-by-Step instructions). Retain the existing WinPcap installation from the

netANALYZER Scope installation. Alternatively, you can download them later from the

manufacturer's website.

If Wireshark live recordings are desired, the WinPcap driver for netANALYZER must be installed.

The drivers and all required software can be found in the netANALYZER product DVD. It describes

the installation and the procedure with a netANALYZER.



PROFINET 35/55


5.4 Settings for recording with Wireshark

In order to ensure that the most important Ethernet telegrams are recorded, all the TCP/IP

protocols of unused Ethernet interfaces must be deactivated during the Ethernet measurement

with Wireshark.

Press the keyboard shortcut [Windows - R] to display the Run window.

The Run window starts:

Figure 33: Run window

Enter the command ncpa.cpl

Click OK button.

This command opens the network connections on your Windows PC.

All network connections opens.

Figure 34: Network Connections screen

PROFINET 36/55


In this example, a connection to Ethernet 2 is to be established. Depending on the network

connections, this connection is different and includes a different network card.

In the Network Connections window, click on the desired connection, which should not

establish communication with Wireshark.

Then select Disable this network device.

NOTE: Please note that the PC no longer has access to the Intranet or Internet after disabling

the network connection. Therefore, make sure that all-important connections to the

intranet or Internet were previously disconnected beforehand.

Disable all unused connections until only one connection remains.

Figure 35: Network connection screen with one connection

DHCP must not be activated in the TCP/IP protocol properties, as otherwise Ethernet telegrams

will also be sent sporadically via the same interface. For this purpose, DHCP is deactivated in the

Internet protocol by assigning a fixed IP address.

PROFINET 37/55


Double-click on the desired connection in the Network Connections window.

The window Ethernet status opens.

Figure 36: Status of the network connection

Click the button Properties in the bottom left of the Status window.

The window Properties opens.

Figure 37: Properties of the network connection

After selecting Internet Protocol version 4 (TCP/IPv4), click the Properties button.

PROFINET 38/55


Now enter a fixed IP address.

Figure 38: Properties of Internet Protocol version 4 (TCP/IPv4)

PROFINET 39/55


5.5 Recording network traffic

After the preparation for the data analysis with Wireshark has been made, the capturing starts. For

this it is advantageous if unnecessary packages will not captured.

To avoid errors in the configuration of the device, the trace is started when the device is started.

For this purpose, the device to be recorded is turned off first, if possible.

Then the program Wireshark is started. It opens the program and offers depending on the PC a

different number of recording options. Therefore, the network card to be recorded must be checked

and selected by clicking on the respective card.

With the click on the button the network traffic is recorded.

Afterwards, the device should be turned on while the network recording is still running and

recording the device boot-up.

The recording can be stopped in the toolbar with the symbol .

To save the recording, click on "File" in the upper left corner and then on "Save as ...“. Use the key

combination Ctrl + S or click on the symbol .

Then enter a name and the location and confirm it.

PROFINET 40/55


5.6 How to decode cyclic PROFINET frames?

5.6.1 Introduction

The following chapter describes the structure of the cyclic PROFINET Process Data Exchange

Telegrams. These telegrams are exchanged between a PROFINET IO-Device and PROFINET IO-

Controller to transfer the cyclic process data. These frames can be easily recorded in a proper

setup with the common tool Wireshark. A common mistake is to rely on Wireshark’s decoding

capability of these telegrams, as the Wireshark displays some information from these telegrams.

Unfortunately, old versions of Wireshark do not support proper decoding at all and newer version

require a proper network recording to show the correct values. Starting from version V2.x.x the

correct values are displayed. The following description shall provide a short introduction on manual

decoding of these telegrams.

5.6.2 PROFINET Process Data Telegram Structure

The general structure of a cyclic PROFINET process data telegram is shown in the following

image:

Figure 39: PROFINET process data telegram structure

The structure is based on a Layer-2 Ethernet Frame using VLAN Priority Tagging. While the VLAN

field is sent by every PROFINET IO-Device and IO-Controller it might be removed by intermediate

Network Switches. This must be considered when analysing the telegram. The C_SDU field

contains the data to be transferred. As the minimum size of an Ethernet Frame with VLAN is 64

Bytes, the C_SDU field is padded if its length is smaller than 40 bytes. The APDU Status field

contains the Cycle Counter and additional status bytes.

The C_SDU is composed of data items of two kinds:

IO Data Object

IOCS Object

Each data item is linked to a particular submodule. The IO Data Object consists of the process

data and the associated IOPS of the submodule. The IOCS Object contains just the IOCS of the

submodule. A C_SDU typically consists of several objects. The actual position of the process data

within the C_SDU is parameterized in RPC Connect Request at connection startup. Between two

adjacent items additional padding might be inserted. The structure of the data items is illustrated in

the following image. The length of the IOPS and IOCS is usually one byte.

PROFINET 41/55


VLAN TCI

DestAddr SrcAddr VLAN TPID

EtherType FrameID

Cycle Counter

DataStatus / Transferstatus

Data

Data

Data

SrcAddr

Figure 40: PROFINET process data item

5.6.3 Decoding Example

Figure 41: decoding example in Wireshark

0000 00 02 a2 21 90 9a 00 02 a2 24 2e 42 81 00 c0 00

0010 88 92 80 00 00 00 00 00 00 00 00 00 00 00 00 00

0020 00 00 8f ff 80 80 80 80 80 80 00 00 00 00 00 00

0030 00 00 00 00 00 00 00 00 00 00 00 00 2c 00 35 00

Figure 42: Structure of a PROFINET frame

Data

Data

Data

PROFINET 42/55


Table 4: PROFINET Frame

Name Description

DestAddr MAC destination address

SrcAddr MAC source address

VLAN TPID Tag Protocol Identifier (TPID): indicates the tag in the VLAN, always 0x8100

VLAN TCI Tag Control Information (TCI): contains the VLAN information

The TCI is divided into the following sections:

Priority Code Point (PCP): Value between 0 and 7, indicates the

priority of the telegram

Canonical Format ID (CFI): specifies the format of the information

VLAN ID (VID): indicates the number of the VLAN and defines the

membership of a VLAN

EtherType 0x8892 RT, IRT or time synchronization telegram

0x0806 VLAN tag

FrameID Contains the FrameID exchanged in the Connect (see Table 5: Frame-IDs)

Data Contains the following data:

Input-Data: IO-Device IO-Controller

Output-Data: IO-Device IO-Controller

Cycle Contains the number of cycles. Each cycle is 31.25 μs.

Data Status Bit0 (State):

1 = Primary, indicates the current transmission channel

Bit2 (DataValid):

1 = data is valid

0 = data is not valid, status only allowed during startup

Bit4 (ProcessState)

1 = process, from which the data comes, is running

Bit5 (ProblemIndicator)

1 = no problems

0 = problems exist

TransferStatus Value must always be 0

PROFINET 43/55


Table 5: Frame-IDs

Value Meaning

0000 – 00FF Time synchronization acyclic

0080 – 00FF Time synchronization acyclic

0100 – 7FFF RT class 3 frames cyclic (IRT)

8000 – BEFF RT class 2 frames cyclic unicast

BF00 – BFFF RT class 2 frames cyclic multicast

C000 – FAFF RT class 1 frames cyclic unicast

FB00 – FBFF RT class 1 frames cyclic multicast

FC00 – FCFF Acyclic data transfer high

FC01 PROFINET IO alarm high

FC02 PROFINET IO event high

FE00 – FEFF Acyclic data transfer low

FE01 PROFINET IO alarm low

FE02 PROFINET IO event low

Table 6: Time synchronization with IRT: Precision Transparent Clock Protocol (PTCP)

Value Meaning

0000 – 001F Acyclic RT sync telegram

0080 Cyclic RT sync telegram

FF00 Acyclic RT sync telegram (clock)

FF01 Acyclic RT sync telegram (time)

FF20 Acyclic RT FollowUp telegram (clock)

FF21 Acyclic RT FollowUp telegram (time)

FF22 – FF3F Acyclic RT FollowUp telegram

FF40 Acyclic RT DelayReq telegram

FF41 Acyclic RT DelayResp telegram

FF42 Acyclic RT FollowUpResp telegram

The following chapters describes the complete process of the process data telegram using an

example. The decoded frame is an input IOCR.

PROFINET 44/55


5.6.3.1 Extract Structure Information

The first step is to analyse the RPC Connect Service for the required structure information. This

can be done easily with the help of Wireshark. The following image shows the RPC Connect

Request and its parts required for decoding an Input IOCR telegram. The Input IOCR description

itself is marked in Red. It contains the Frame Id and the offsets of the data items within the

C_SDU. The lengths of the associated process data can be extracted from the Expected

Submodule Requests marked in Orange.

Figure 43: Reading the structure information of Wireshark

Decoding starts by creating a table containing all the offsets of the data items. That information is

to be extracted from the IOCR Block Request. In this case we're interested in the Input IOCR. The

assigned Frame Id is 0x8000. For Output IOCRs the FrameID must be extracted from the RPC

connect Response Frame, as the Output IOCR FrameId is assigned by the device.

PROFINET 45/55


The following image shows the IOCR Block Request of the desired Input IOCR:

Figure 44: Reading the slots/subslots of Wireshark

From that information, we create the following table:

Table 7: Table of all offsets

C SDU

Offset Kind API Slot Subslot

Length of

Data

Length of

Item

0 IO Data 0 0x0000 0x0001

1 IO Data 0 0x0000 0x8000

2 IO Data 0 0x0000 0x8001

3 IO Data 0 0x0000 0x8002

4 IOCS 0 0x0001 0x0001

5 IO Data 0 0x0002 0x0001 -

PROFINET 46/55


Now all offsets are known. Next step is to extract the sizes of the items. These lengths can be

extracted from the submodules which are described in the Expected Submodule Blocks. The first

Expected Submodule Block is shown in the following image:

Figure 45: Reading the data length of the subslots

From that information we can get the lengths of the data items for API 0 and Slot 0. Import point

here is to examine the correct Data Description element. Each submodule can be assigned one

Input- and one Output-Data Description. For the Input IOCR the Input Data Descriptions are

relevant for IO Data Items and the Output Data Descriptions are relevant for the IOCS items. Vice

Versa for Output IOCR. In the example all of the submodules of the first Expected Submodule

Block have zero length input data, one byte IOPS and one byte IOCS (IOPS/IOCS length is usually

one byte).

PROFINET 47/55


Table 8: Table of all offsets (continuation)

C SDU


Length of

Data

Length of

Item

0 IO Data 0 0x0000 0x0001 0 0 + 1

1 IO Data 0 0x0000 0x8000 0 0 + 1

2 IO Data 0 0x0000 0x8001 0 0 + 1

3 IO Data 0 0x0000 0x8002 0 0 + 1

4 IOCS 0 0x0001 0x0001

5 IO Data 0 0x0002 0x0001 -

We complete the table using the information from the remaining Expected Submodule Blocks:

Figure 46: Reading the data length of the submodule slots

PROFINET 48/55


Table 9: Complete Table of all offsets

C SDU


Length of

Data

Length of

Item

0 IO Data 0 0x0000 0x0001 0 0 + 1

1 IO Data 0 0x0000 0x8000 0 0 + 1

2 IO Data 0 0x0000 0x8001 0 0 + 1

3 IO Data 0 0x0000 0x8002 0 0 + 1

4 IOCS 0 0x0001 0x0001 1 1 + 1

5 IO Data 0 0x0002 0x0001 - 1

The table contains several IO Data objects with zero data length. These IO Data objects are the

result of the fact that in PROFINET a submodule without any process data is regarded as an Input

Submodule with zero length process data.

5.6.3.2 Decoding of Process Data Telegram

The last step is to decode the process data telegram using the table created above. The following

image shows a particular telegram of the Input IOCR. For the correct selection not only the Frame

Id shall be taken into account but also the Telegram's Source Mac Address, because the same

Frame Id might be used by different devices in RT mode. In the following image the frame #44 has

been selected for analysis.

PROFINET 49/55


Figure 47: Decoding the data telegram of Wireshark

The blue marked part is the C SDU (and padding) containing the actual process data. Based on

our table the following values can be extracted:

Table 10: Added Data and Status to the Table of all offsets

C SDU


Length

of Data

Length

of Item

Data Status

(IOPS/IOCS)

0 IO Data 0 0x0001 0x0000 16 16 + 1 0x00 0x00 0x00 0x00

0x00 0x00 0x00 0x00

0x10 0x01 0x00 0x00

0x00 0x00 0x8f 0xff

0x80

17 IO Data 0 0x0000 0x0000 0 0 + 1 - 0x80

18 IO Data 0 0x0000 0x8000 0 0 + 1 - 0x80

19 IO Data 0 0x0000 0x8001 0 0 + 1 - 0x80

20 IO Data 0 0x0000 0x8002 0 0 + 1 - 0x80

21 IOCS 0 0x0002 0x0001 - 1 - 0x80

The status value 0x80 indicates that the associated Process Data is valid in case of IO Data

Object. For the IOCS object it indicates that the Consumer of the associated Process Data is using

the data. (The associated process data is transferred in the opposite direction and thus not part of

PROFINET 50/55


this IOCR. In other words, in this case Slot 0x1, Subslot 0x1 is an Input Submodule and Slot 0x2,

Subslot 0x1 is an Output Submodule)

5.6.3.3 Remarks

PROFINET Process Data Exchange is covered by some additional constraints, which must be

obeyed by the device to ensure proper data exchange:

Some existing IO-Controllers (e.g. S7-300, S7-400) do not recognize IOPS changes from "BAD" to

"GOOD" after the RPC Application Ready Request. If that scenario occurs the IO-Device must

send a Return of Submodule Alarm to the IO-Controller.

The expected behaviour of an IO-Device is to delay the RPC Application Ready until all

Submodule IOPS and IOCS provided by the Device are set to “GOOD”. Afterwards the RPC

Application Ready Request is issued (PNS Application Ready Service). If the IO-Device cannot set

the IOPS to “GOOD” for a particular submodule for a specific reason (e.g. Invalid Parameters have

been transferred to the IO-Device), the device should set the submodule to state Application ready

pending (PNS Set Submodule State Service), add a diagnosis to the submodule and issue the

Application Ready Service. The RPC Application Ready Request will then contain a Module Diff

Block indicating a problem with the particular submodule. At some time point afterwards it might be

desired to set the IOPS of the submodule to GOOD. In that scenario the application shall reset the

submodule state (PNS Set Submodule State Service), remove the diagnosis and issue a Return Of

Submodule Alarm (PNS Return Of Submodule Service).

5.6.3.4 PROFINET Process Data Model

The PROFINET Protocol defines a Consumer - Provider model. The Process Data is generated by

the Provider and received by the Consumer. Additionally a Provider Status and a Consumer Status

is exchanged. Depending on the view either the IO-Controller or the IO-Device is the Consumer or

Provider. The following table tries to explain this in more detail. As usually, process data

transferred from the IO-Device to the IO-Controller is denoted as Input Data while process data

transferred from IO-Controller to IO-Device is denoted as Output Data. The last column in the table

describes the PROFINET IO-Device V3.x Configuration Packet variables associated with the

corresponding Element. The blue rows indicate data which is transferred from the IO-Device to the

IO-Controller while the green rows indicate data which is transferred from the IO-Controller to the

OP Device.

PROFINET 51/55


Table 11: PROFINET Process Data Model

Kind of Data Controller

View

Device

View

Associated

IOCR

(Telegram

on Network)

PROFINET

Device V3.x

Process

Data Image

PROFINET Device V3.x

Configuration Variables

Input

Data

Process Data

Consumer Provider Input IOCR

DPM Output

Area

Provider

Image

ulDPMOffsetOut

Provider

Status (IOPS)

ulProvImageIOPSOffset,

usOffsetIOPSProvider

Consumer

Status (IOCS) Provider Consumer Output IOCR DPM Input

Area

Consumer

Image

ulConsImageIOCSOffset,

usOffsetIOCSConsumer

Output

Data

Process Data

Provider Consumer Output IOCR

ulDPMOffsetIn

Provider

Status (IOPS)

ulConsImageIOPSOffset,

usOffsetIOPSConsumer

Consumer

Status (IOCS) Consumer Provider Input IOCR

DPM Output

Area

Provider

Image

ulProvImageIOCSOffset,

usOffsetIOCSProvider

Appendix 52/55


6 Appendix

6.1 List of Figures Figure 1: Network Capture with Port-mirroring switch ......................................................................................................... 7 Figure 2: Network Capture with netANALYZER .................................................................................................................. 8 Figure 3: Official logo of the Wireshark Company ............................................................................................................. 10 Figure 4: Download the Wireshark installer ....................................................................................................................... 12 Figure 5: Setup Wireshark start screen ............................................................................................................................. 13 Figure 6: End-User License Agreement screen ................................................................................................................ 13 Figure 7: Wireshark components screen ........................................................................................................................... 14 Figure 8: Wireshark additional tasks screen ...................................................................................................................... 14 Figure 9: Installation path dialog window .......................................................................................................................... 15 Figure 10: Wireshark packet capture window .................................................................................................................... 15 Figure 11: Wireshark USB capture window ....................................................................................................................... 16 Figure 12: Wireshark installing screen .............................................................................................................................. 16 Figure 13: Npcap License Agreement screen ................................................................................................................... 17 Figure 14: Npcap installing screen .................................................................................................................................... 17 Figure 15: Npcap installing screen .................................................................................................................................... 18 Figure 16: Npcap Setup completed window ...................................................................................................................... 18 Figure 17: Npcap Setup completed window (repeated) .................................................................................................... 19 Figure 18: Wireshark installing screen .............................................................................................................................. 19 Figure 19: Installation complete screen ............................................................................................................................. 20 Figure 20: Setup completed window ................................................................................................................................. 20 Figure 21: Wireshark welcome screen .............................................................................................................................. 22 Figure 22: The menu ......................................................................................................................................................... 23 Figure 23: The Wireshark toolbar ...................................................................................................................................... 23 Figure 24: The "Packet List" Pane .................................................................................................................................... 26 Figure 25: The "Packet Details" pane................................................................................................................................ 26 Figure 26: The “Packet Bytes” pane with tabs ................................................................................................................... 27 Figure 27: Communication with RT and IRT ..................................................................................................................... 29 Figure 28: Network Capture with Port-mirroring switch ..................................................................................................... 31 Figure 29: Network Capture with IRT switch ..................................................................................................................... 32 Figure 30: Network Capture with netANALYZER .............................................................................................................. 33 Figure 31: Recording Scenario with netANALYZER Scope between Master and Slaves ................................................. 34 Figure 32: Typical Application - The communication between a device and its connection .............................................. 34 Figure 33: Run window...................................................................................................................................................... 35 Figure 34: Network Connections screen ........................................................................................................................... 35 Figure 35: Network connection screen with one connection ............................................................................................. 36 Figure 36: Status of the network connection ..................................................................................................................... 37 Figure 37: Properties of the network connection ............................................................................................................... 37 Figure 38: Properties of Internet Protocol version 4 (TCP/IPv4) ....................................................................................... 38 Figure 39: PROFINET process data telegram structure .................................................................................................... 40 Figure 40: PROFINET process data item .......................................................................................................................... 41 Figure 41: decoding example in Wireshark ....................................................................................................................... 41 Figure 42: Structure of a PROFINET frame ...................................................................................................................... 41 Figure 43: Reading the structure information of Wireshark ............................................................................................... 44 Figure 44: Reading the slots/subslots of Wireshark .......................................................................................................... 45 Figure 45: Reading the data length of the subslots ........................................................................................................... 46 Figure 46: Reading the data length of the submodule slots .............................................................................................. 47 Figure 47: Decoding the data telegram of Wireshark ........................................................................................................ 49

Appendix 53/55


6.2 List of Tables Table 1: List of Revisions .................................................................................................................................................... 3 Table 2: Terms, Abbreviations and Definitions .................................................................................................................... 4 Table 3: Comparison between RT and IRT ....................................................................................................................... 30 Table 4: PROFINET Frame ............................................................................................................................................... 42 Table 5: Frame-IDs ........................................................................................................................................................... 43 Table 6: Time synchronization with IRT: Precision Transparent Clock Protocol (PTCP) .................................................. 43 Table 7: Table of all offsets ............................................................................................................................................... 45 Table 8: Table of all offsets (continuation)......................................................................................................................... 47 Table 9: Complete Table of all offsets ............................................................................................................................... 48 Table 10: Added Data and Status to the Table of all offsets ............................................................................................. 49 Table 11: PROFINET Process Data Model ....................................................................................................................... 51

Appendix 54/55


6.3 Bibliography

[1] Wireshark. (n.d.). 1.4. A brief history of Wireshark. Retrieved April 25, 2019, from

https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html.

[2] 3.3. The Main window. (n.d.). Retrieved April 26, 2019, from

https://www.wireshark.org/docs/wsug_html_chunked/ChUseMainWindowSection.html.

[3] DCE/RPC - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from

https://wiki.wireshark.org/DCE/RPC.

[4] PROFINET/RT - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from

https://wiki.wireshark.org/PROFINET/RT.

[5] Zhang, L., Streubühr, M., Glaß, M., Teich, J., von Schwerin, A., & Liu, K. (2012). System-Level

Modeling and Simulation of Networked PROFINET IO Controllers. In Proc. of the Embedded

World Conference. Nuremberg, DE: Kissingen, Germany: WEKA Fachzeitschriften Verlag.

[6] DCP - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from

https://wiki.wireshark.org/PROFINET/DCP.

[7] LLDP - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from

https://wiki.wireshark.org/LinkLayerDiscoveryProtocol.

[8] AddressResolutionProtocol - The Wireshark Wiki. (n.d.). Retrieved April 26, 2019, from

https://wiki.wireshark.org/AddressResolutionProtocol.

[7] 3.17. The “Packet List” Pane. (n.d.). Retrieved April 26, 2019, from

https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketListPaneSection.html.

[8] 3.18. The “Packet Details” Pane. (n.d.). Retrieved April 26, 2019, from

https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketDetailsPaneSection.html

[9] 3.19. The “Packet Bytes” Pane. (n.d.). Retrieved April 26, 2019, from

https://www.wireshark.org/docs/wsug_html_chunked/ChUsePacketBytesPaneSection.html

Appendix 55/55


6.4 Contacts

Headquarters

Germany Hilscher Gesellschaft für Systemautomation mbH Rheinstrasse 15 65795 Hattersheim Phone: +49 (0) 6190 9907-0 Fax: +49 (0) 6190 9907-50 E-Mail: [email protected]

Support Phone: +49 (0) 6190 9907-99 E-Mail: [email protected]

Subsidiaries

China Hilscher Systemautomation (Shanghai) Co. Ltd. 200010 Shanghai Phone: +86 (0) 21-6355-5161 E-Mail: [email protected]

Support Phone: +86 (0) 21-6355-5161 E-Mail: [email protected]

France Hilscher France S.a.r.l. 69500 Bron Phone: +33 (0) 4 72 37 98 40 E-Mail: [email protected]

Support Phone: +33 (0) 4 72 37 98 40 E-Mail: [email protected]

India Hilscher India Pvt. Ltd. New Delhi - 110 025 Phone: +91 11 40515640 E-Mail: [email protected]

Italy Hilscher Italia srl 20090 Vimodrone (MI) Phone: +39 02 25007068 E-Mail: [email protected]

Support Phone: +39 02 25007068 E-Mail: [email protected]

Japan Hilscher Japan KK Tokyo, 160-0022 Phone: +81 (0) 3-5362-0521 E-Mail: [email protected]

Support Phone: +81 (0) 3-5362-0521 E-Mail: [email protected]

Korea Hilscher Korea Inc. Suwon, 443-810 Phone: +82-31-204-6190 E-Mail: [email protected]

Switzerland Hilscher Swiss GmbH 4500 Solothurn Phone: +41 (0) 32 623 6633 E-Mail: [email protected]

Support Phone: +49 (0) 6190 9907-99 E-Mail: [email protected]

USA Hilscher North America, Inc. Lisle, IL 60532 Phone: +1 630-505-5301 E-Mail: [email protected]

Support Phone: +1 630-505-5301 E-Mail: [email protected]

mailto:[email protected]
















capturing profinet with wireshark - knowledgebase

Documents