Double Profinet packets logged by Wireshark

asked 2020-02-21 11:09:50 +0000

Profinet_Mark gravatar image

I am analyzing traffic of my Profinet network, made of:

  • S7-1200 CPU;

  • Slave device with OS WES7;

  • ETH switch.

My Slave device, from which I run Wireshark v.3.2.1, has 5 ETH ports but the analysis via Wireshark is done on the correct and only active port, which connects the Slave device to the ETH switch.

Why in my Wireshark logs I see that outbound PNIO packets are logged twice, while inbound packets are logged once?

If I log the inbound and outbound traffic of the ETH port to which the Slave device is connected using a switch with a mirrored port and Wireshark v.3.2.1 installed on an external PC, Wireshark logs show that the packets are actually sent only once from the device (not twice as the wireshark logs collected from the device itself had reported).

edit retag flag offensive close merge delete

Comments

What is the OS on the slave device?

Note that capturing on an endpoint, i.e. a "local capture" can cause issues, see here for more info.

grahamb gravatar imagegrahamb ( 2020-02-21 11:15:07 +0000 )edit

The OS is Windows Embedded Standard 7, SP1. Thanks for the link! But I don't see any reference to outbound packets sent twice. My Slave device already uses WinPCAP in order to run the Profinet Stack. If I run the same test on another Slave device which uses the same Profinet Stack and OS but a different Embedded PC with a single ETH port, I get one outbound packet. I would really want to know what makes Wireshark log the Outbound packet twice with the 5 ETH port device: any experience regarding this?

Profinet_Mark gravatar imageProfinet_Mark ( 2020-02-21 11:37:49 +0000 )edit

To be pedantic, Wireshark doesn't log anything, that's the capture library, usually npcap for Wireshark 3.2.1, but that version will work with WinPcap, if npcap isn't installed.

I'm not sure if anyone has reported double packets before, there have been a few reports of no packets, usually due to a firewall\VPN\AV issue.

Can you confirm you're only capturing on a single interface? Can you post the text of the Help -> About Wireshark -> Wireshark dialog?

grahamb gravatar imagegrahamb ( 2020-02-21 11:55:58 +0000 )edit

I can confirm that I am capturing on a single interface (which is one of the ETH ports, the only one which is connected to the ETH switch). I have no AV installed on my slave device, and I don't use any VPN service.

Profinet_Mark gravatar imageProfinet_Mark ( 2020-02-21 13:09:33 +0000 )edit

Here is the content of the About dialog.

Profinet_Mark gravatar imageProfinet_Mark ( 2020-02-21 13:15:12 +0000 )edit
see more comments