Double Profinet packets logged by Wireshark
I am analyzing traffic of my Profinet network, made of:
S7-1200 CPU;
Slave device with OS WES7;
ETH switch.
My Slave device, from which I run Wireshark v.3.2.1, has 5 ETH ports but the analysis via Wireshark is done on the correct and only active port, which connects the Slave device to the ETH switch.
Why, in my Wireshark logs, do I see that outbound PNIO packets are logged twice, while inbound packets are logged once?
If I log the inbound and outbound traffic of the ETH port to which the Slave device is connected using a switch with a mirrored port and Wireshark v.3.2.1 installed on an external PC, the Wireshark logs show that the packets are actually sent only once from the device (not twice, as the Wireshark logs collected from the device itself had reported).
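The comparison made above (local capture on the device versus a capture from a mirrored switch port) is the right way to tell capture-layer duplication from a device that really transmits twice. The following script is an added example, not code from the question or from the Wireshark project: it parses a classic libpcap file, flags frames whose bytes exactly match an earlier frame within a time window far shorter than the Profinet send cycle, and splits the duplicates by direction using the local MAC address. The MAC addresses, the simplified Profinet RT frame layout and the timestamps are constructed sample data.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_PNIO = b"\x88\x92"     # Profinet RT ethertype

# Constructed, locally administered MAC addresses (assumption, not from the page).
LOCAL_MAC = bytes.fromhex("020000000001")   # the Slave device doing the capture
PEER_MAC = bytes.fromhex("020000000002")    # the S7-1200 CPU


def pnio_frame(dst, src, frame_id, cycle_counter, payload=b"\x00" * 40):
    """Simplified Profinet RT frame: Ethernet header, FrameID, payload, cycle counter.
    Constructed for the example; not a complete Profinet RT encoding."""
    return (dst + src + ETHERTYPE_PNIO + struct.pack(">H", frame_id)
            + payload + struct.pack(">H", cycle_counter) + b"\x00\x00")


def build_pcap(frames):
    """frames: list of (timestamp_seconds, frame_bytes). Returns libpcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, data in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out


def parse_pcap(blob):
    """Minimal reader for little-endian classic pcap; returns [(timestamp, bytes), ...]."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap file")
    frames, off = [], 24
    while off + 16 <= len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        frames.append((sec + usec / 1e6, blob[off:off + incl_len]))
        off += incl_len
    return frames


def find_capture_duplicates(frames, window=0.0001):
    """Return [(duplicate_index, original_index), ...] for frames that are
    byte-identical to an earlier frame seen within `window` seconds.
    `window` must be well below the Profinet send cycle, otherwise two genuine
    cyclic frames with identical content would be mistaken for one duplicate."""
    last_seen = {}   # frame bytes -> (index, timestamp)
    dups = []
    for i, (ts, data) in enumerate(frames):
        prev = last_seen.get(data)
        if prev is not None and ts - prev[1] <= window:
            dups.append((i, prev[0]))
        else:
            last_seen[data] = (i, ts)
    return dups


def duplicates_by_direction(frames, local_mac, window=0.0001):
    """Count duplicates per direction, judged by the Ethernet source address."""
    counts = {"outbound": 0, "inbound": 0}
    for dup_i, _ in find_capture_duplicates(frames, window):
        src = frames[dup_i][1][6:12]
        counts["outbound" if src == local_mac else "inbound"] += 1
    return counts


def sample_frames():
    """Constructed capture reproducing the symptom: each outbound frame appears
    twice a few microseconds apart, inbound frames appear once."""
    out0 = pnio_frame(PEER_MAC, LOCAL_MAC, 0x8000, cycle_counter=100)
    in0 = pnio_frame(LOCAL_MAC, PEER_MAC, 0x8001, cycle_counter=100)
    out1 = pnio_frame(PEER_MAC, LOCAL_MAC, 0x8000, cycle_counter=101)
    return [
        (1.000000, out0),
        (1.000015, out0),   # second copy 15 us later: capture-layer duplicate
        (1.000500, in0),
        (1.001000, out1),   # next cycle, different cycle counter
        (1.001020, out1),
    ]


if __name__ == "__main__":
    frames = parse_pcap(build_pcap(sample_frames()))
    print(find_capture_duplicates(frames))
    print(duplicates_by_direction(frames, LOCAL_MAC))
```

Run the same function over the local capture and over the mirror-port capture: duplicates that appear only in the local capture, a few microseconds apart and only in the outbound direction, point at the capture path on the device rather than at the Profinet stack. For a real capture file, `build_pcap` is not needed; pass the file contents to `parse_pcap` (pcapng files, which Wireshark writes by default, would first need converting to classic pcap).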
What is the OS on the slave device?
Note that capturing on an endpoint, i.e. a "local capture" can cause issues, see here for more info.
The OS is Windows Embedded Standard 7, SP1. Thanks for the link! But I don't see any reference to outbound packets sent twice. My Slave device already uses WinPCAP in order to run the Profinet Stack. If I run the same test on another Slave device which uses the same Profinet Stack and OS but a different Embedded PC with a single ETH port, I get one outbound packet. I would really want to know what makes Wireshark log the Outbound packet twice with the 5 ETH port device: any experience regarding this?
To be pedantic, Wireshark doesn't log anything, that's the capture library, usually npcap for Wireshark 3.2.1, but that version will work with WinPcap, if npcap isn't installed.
I'm not sure if anyone has reported double packets before, there have been a few reports of no packets, usually due to a firewall\VPN\AV issue.
Can you confirm you're only capturing on a single interface? Can you post the text of the Help -> About Wireshark -> Wireshark dialog?
I can confirm that I am capturing on a single interface (which is one of the ETH ports, the only one which is connected to the ETH switch). I have no AV installed on my slave device, and I don't use any VPN service.
Here is the content of the About dialog.
And it looks like this:
Which shows that npcap is being used as the capture library. I suspect you'll have to take this up with the npcap folks unless someone here has seen this before and knows the answer.
Thanks for your help @grahamb! How can I contact the npcap folks?
At the nmap issues tracker. They also have a mailing list.
Was the frame.interface_id field added to each packet?
The 'Interface id' for every outbound and inbound packet reported in the capture is 0 (\Device\NPF__[C2B70804-3794-4631-B7F3-A9C7FB986197})
https://ask.wireshark.org/question/11...
The discussion at npcap/nmap (https://github.com/nmap/nmap/issues/1576) mentions switches.
Can you share what the hardware is for the slave device?
@bubbasnmp the HW is an Advantech PCM-3365 with an Intel Celeron N2930 CPU and 4GB of RAM.
Thanks. That board has a single 1Gb port. Is there a switch card stacked on it to get the 5 ETH ports?
1 ETH port is connected to the LAN connector, while for the other 4 I am using the MINIPCIEXPRESS connector (CN11). The outbound PNIO packet from my Slave device is intercepted twice by Wireshark whatever ETH port I use (both from the LAN connector and the MINIPCIEXPRESS). I always use only 1 ETH port at a time.
What is the board attached to CN11? As a test, do the duplicate packets occur if it is disconnected?
The board is an Advantech PCM-24R2GL, and the packets show up double also when that board is disconnected. When the board is disconnected, the OS still shows me the ETH ports of that expansion module, but even when I disable them, Wireshark will still trace every outbound packet twice.