Ask Your Question
0

Ethercat Frames are not being recorded due to Symantec EP

asked 2020-06-15 04:56:40 +0000

susmis666 gravatar image

Hi Experts,

I am trying to sniff EtherCAT traffic between Beckhoff PLC (XAR) running on windows 10 machine and an EK1100 remote IO system.

The Windows 10 Machine has Symantec end point (SEP) protection installed with configuration as per company policies.

When SEP was disabled, I was able to record traffic in Wireshark.

Can any one suggest as to what would be the right configuration that are required to be done in SEP so that EtherCAT traffic can be recorded without disabling this Antivirus?

I hope i was able to communicate my question without ambiguity.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-06-15 19:29:47 +0000

Guy Harris gravatar image

This is probably an issue with WinPcap or Npcap; they both plug into the Windows networking stack, and Symantec Endpoint Protection may also plug into the networking stack in a fashion that interferes with WinPcap or Npcap.

Go to Help > About Wireshark, and see whether it says, in the "Running in" section (not the "Compiled in") section, "with Npcap version {version}" or "with WinPcap 4.1.3". If it mentions WinPcap, it's a WinPcap problem; unfortunately, WInPcap is no longer supported, and won't be fixed. If it mentions Npcap, however, please file an issue report at the Npcap issue list.

edit flag offensive delete link more

Comments

Hi and Thanks for the Hint. The machine i have been using has Wireshark version 2.6.15 with WinPcap version 4.1.3. Can you share any Ideas as to what should we try to do to fix this issue?

Please note that I have been using this same setup (Laptop, Wireshark and Symantec) for recording traffic of other protocols such as profinet, Modbus etc. and faced no problems at all.

susmis666 gravatar imagesusmis666 ( 2020-06-16 05:11:43 +0000 )edit

You could try to install the current version of Wireshark that will install npcap and that may or may not fix your issue. If the issue isn't resolved at least then the issue can be reported to the ncpap support team who might be able to do something about it,

grahamb gravatar imagegrahamb ( 2020-06-16 08:37:59 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-06-15 04:56:40 +0000

Seen: 485 times

Last updated: Jun 15 '20