Double Profinet packets logged by Wireshark

asked 2020-02-21 11:09:50 +0000

I am analyzing traffic of my Profinet network, made of:

  • S7-1200 CPU;

  • Slave device with OS WES7;

  • ETH switch.

My Slave device, from which I run Wireshark v.3.2.1, has 5 ETH ports but the analysis via Wireshark is done on the correct and only active port, which connects the Slave device to the ETH switch.

Why do I see in my Wireshark logs that outbound PNIO packets are logged twice, while inbound packets are logged once?

If I log the inbound and outbound traffic of the ETH port to which the Slave device is connected using a switch with a mirrored port and Wireshark v.3.2.1 installed on an external PC, the Wireshark logs show that the packets are actually sent only once from the device (not twice, as the Wireshark logs collected from the device itself had reported).

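One way to quantify what the question describes, as an added example that is not part of the original thread: a small script that reads a libpcap file and counts back-to-back, byte-identical frames per source MAC, so a capture taken on the endpoint can be compared against the mirror-port capture. The MAC addresses and frames are constructed; nothing here comes from the poster's capture.

```python
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4    # little-endian, microsecond-resolution libpcap
ETHERTYPE_PROFINET = 0x8892

def parse_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) records from a libpcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC_USEC:
        raise ValueError("only little-endian microsecond pcap is handled")
    off = 24                                    # fixed global header size
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl_len]
        off += incl_len

def find_duplicates(records, window_s=0.001):
    """Count frames that repeat byte-for-byte within window_s of the previous frame,
    keyed by source MAC; exact repeats this close together point at the capture path."""
    dups, prev_ts, prev = {}, None, None
    for ts, frame in records:
        if prev is not None and frame == prev and ts - prev_ts <= window_s:
            src = frame[6:12].hex(":")          # Ethernet source address
            dups[src] = dups.get(src, 0) + 1
        prev_ts, prev = ts, frame
    return dups

def build_pcap(records):
    """Constructed sample writer: pack (ts, frame) pairs into libpcap bytes."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, 1))
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame))
        out += frame
    return bytes(out)

def pn_frame(src, dst, payload):
    """Constructed minimal Ethernet II frame carrying the PROFINET ethertype."""
    return dst + src + struct.pack(">H", ETHERTYPE_PROFINET) + payload

SLAVE = bytes.fromhex("020000000001")           # constructed MACs, not from the thread
PLC = bytes.fromhex("020000000002")
# Constructed local capture: each outbound frame appears twice, inbound once.
SAMPLE = build_pcap([
    (1.000000, pn_frame(SLAVE, PLC, b"\x80\x00 out1")),
    (1.000005, pn_frame(SLAVE, PLC, b"\x80\x00 out1")),
    (1.001000, pn_frame(PLC, SLAVE, b"\x80\x00 in1")),
    (1.002000, pn_frame(SLAVE, PLC, b"\x80\x00 out2")),
    (1.002004, pn_frame(SLAVE, PLC, b"\x80\x00 out2")),
])

print(find_duplicates(parse_pcap(SAMPLE)))      # {'02:00:00:00:00:01': 2}
```

Run the same function over the endpoint capture and the mirror-port capture: if only the former reports duplicates for the device's own MAC, the doubling is introduced on the capturing host, not on the wire.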

Comments

What is the OS on the slave device?

Note that capturing on an endpoint, i.e. a "local capture" can cause issues, see here for more info.

grahamb (2020-02-21 11:15:07 +0000)

The OS is Windows Embedded Standard 7, SP1. Thanks for the link! But I don't see any reference to outbound packets sent twice. My Slave device already uses WinPcap in order to run the Profinet Stack. If I run the same test on another Slave device which uses the same Profinet Stack and OS but a different Embedded PC with a single ETH port, I get one outbound packet. I would really like to know what makes Wireshark log the outbound packet twice with the 5 ETH port device: any experience regarding this?

Profinet_Mark (2020-02-21 11:37:49 +0000)

To be pedantic, Wireshark doesn't log anything, that's the capture library, usually npcap for Wireshark 3.2.1, but that version will work with WinPcap, if npcap isn't installed.

I'm not sure if anyone has reported double packets before, there have been a few reports of no packets, usually due to a firewall\VPN\AV issue.

Can you confirm you're only capturing on a single interface? Can you post the text of the Help -> About Wireshark -> Wireshark dialog?

grahamb (2020-02-21 11:55:58 +0000)

I can confirm that I am capturing on a single interface (which is one of the ETH ports, the only one which is connected to the ETH switch). I have no AV installed on my slave device, and I don't use any VPN service.

Profinet_Mark (2020-02-21 13:09:33 +0000)

Here is the content of the About dialog.

Profinet_Mark (2020-02-21 13:15:12 +0000)

And it looks like this:

3.2.1 (v3.2.1-0-gbf38a67724d0)

Compiled (32-bit) with Qt 5.12.6, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap,
with SpeexDSP (using bundled resampler), with SBC, with SpanDSP, with bcg729.

Running on 32-bit Windows 7 Service Pack 1, build 7601, with       Intel(R)
Celeron(R) CPU  N2930  @ 1.83GHz (with SSE4.2), with 1938 MB of physical memory,
with locale English_United States.1252, with light display mode, without HiDPI,
with Npcap version 0.9986, based on ...
grahamb (2020-02-21 13:38:38 +0000)

Which shows that npcap is being used as the capture library. I suspect you'll have to take this up with the npcap folks unless someone here has seen this before and knows the answer.

grahamb (2020-02-21 13:39:56 +0000)

Thanks for your help @grahamb! How can I contact the npcap folks?

Profinet_Mark (2020-02-21 14:36:01 +0000)

At the nmap issues tracker. They also have a mailing list.

grahamb (2020-02-21 15:11:01 +0000)

Was the frame.interface_id field added to each packet?

Chuckc (2020-02-21 16:08:15 +0000)

The 'Interface id' for every outbound and inbound packet reported in the capture is 0 (\Device\NPF_{C2B70804-3794-4631-B7F3-A9C7FB986197}).

Profinet_Mark (2020-02-21 17:29:57 +0000)

Chuckc (2020-02-21 19:49:58 +0000)

Can you share what the hardware is for the slave device?

Chuckc (2020-02-21 19:56:40 +0000)

@bubbasnmp the HW is an Advantech PCM-3365 with an Intel Celeron N2930 CPU and 4GB of RAM.

Profinet_Mark (2020-02-26 11:38:31 +0000)

Thanks. That board has a single 1Gb port. Is there a switch card stacked on it to get the 5 ETH ports?

Chuckc (2020-02-26 13:08:00 +0000)

1 ETH port is connected to the LAN connector, while for the other 4 I am using the MINIPCIEXPRESS connector (CN11). The outbound PNIO packet from my Slave Device is intercepted twice by Wireshark whatever ETH port I use (either from the LAN connector or from the MINIPCIEXPRESS). I always use only 1 ETH port at a time.

Profinet_Mark (2020-02-26 14:39:33 +0000)

What is the board attached to CN11? As a test, do the duplicate packets occur if it is disconnected?

Chuckc (2020-02-26 19:52:00 +0000)

The board is an Advantech PCM-24R2GL, and the packets also show up doubled when that board is disconnected. When the board is disconnected, the OS still shows me the ETH ports of that expansion module, but even when I disable them, Wireshark still traces every outbound packet twice.

Profinet_Mark (2020-02-27 15:21:51 +0000)