How to decode a protocol that wireshark doesn't recognize?

asked 2018-07-04 21:55:53 +0000


I'm analyzing the communication between a Siemens PLC, a Beckhoff PLC and a switch (CU2508). I can see the ECAT and PNIO protocols and another protocol that Wireshark calls 0xf815. Also, if I've enabled all the packets, this type shows up as Unknown.


Comments

If you can post a small capture file containing these unknown packets to someplace like cloudshark, dropbox, drive, etc., then maybe someone can tell you what the traffic is and how to decode it (if possible); otherwise, you'd have to research the protocol and write a dissector yourself to handle it, which could possibly involve reverse engineering the protocol if there's no freely and publicly available specification for it.

cmaynard ( 2018-07-05 17:11:23 +0000 )

Usually this seems like a proprietary protocol, which Wireshark only knows about if somebody writes a dissector for it. In this case I would most likely guess it derives from the PROFIBUS or PROFINET family. You can create a bug report for it on bugs.wireshark.org and attach a trace, but if no public documentation is available it will most likely stay that way.

rknall ( 2018-07-06 11:23:33 +0000 )
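Both comments above say the same thing: Wireshark will keep labelling these frames "Unknown" until somebody registers a dissector for EtherType 0xf815. The following is an added example of what that starting point looks like, written for this page and not taken from the thread, from Wireshark or from any vendor. It is a Wireshark Lua post-dissector skeleton that claims the EtherType 0xf815 named in the question and exposes the frame payload as fields you can filter on while reverse engineering. The protocol name `x_f815` and the field layout (a 16-bit word followed by opaque bytes) are placeholders chosen here, not the real structure of the protocol, which the page does not give.

```lua
-- Added example: minimal Wireshark Lua dissector for EtherType 0xf815.
-- Assumptions (not from the original thread): the protocol name "x_f815"
-- and the field split (first 16 bits, then opaque bytes) are placeholders
-- for reverse engineering, not the vendor's real frame format.

local p_f815 = Proto("x_f815", "EtherType 0xf815 (placeholder dissector)")

-- Fields become filterable, e.g. "x_f815.word0 == 0x0001" or "x_f815.len > 64".
local f_len     = ProtoField.uint32("x_f815.len",     "Payload length",  base.DEC)
local f_word0   = ProtoField.uint16("x_f815.word0",   "First 16 bits",   base.HEX)
local f_payload = ProtoField.bytes ("x_f815.payload", "Remaining bytes")

p_f815.fields = { f_len, f_word0, f_payload }

-- buffer: Tvb holding everything after the 14-byte Ethernet header
-- pinfo:  packet info (columns); tree: protocol tree for this frame
function p_f815.dissector(buffer, pinfo, tree)
    local len = buffer:len()
    if len == 0 then
        return 0  -- nothing to dissect; let Wireshark fall back
    end

    pinfo.cols.protocol = "0xF815"
    pinfo.cols.info = string.format("EtherType 0xf815, %d payload bytes", len)

    local subtree = tree:add(p_f815, buffer(), "EtherType 0xf815 payload")
    subtree:add(f_len, len)            -- computed value, no byte range

    if len >= 2 then
        subtree:add(f_word0, buffer(0, 2))      -- placeholder field
        if len > 2 then
            subtree:add(f_payload, buffer(2, len - 2))
        end
    else
        subtree:add(f_payload, buffer(0, len))  -- too short for word0
    end

    return len  -- bytes consumed
end

-- Register in the Ethernet type table so frames with EtherType 0xf815
-- are handed to this dissector instead of being shown as "Unknown".
DissectorTable.get("ethertype"):add(0xf815, p_f815)
```

Before loading it, confirm the frames really carry that EtherType with the display filter `eth.type == 0xf815`; if the value sits inside a VLAN tag the filter still matches, because the ethertype table is consulted after the 802.1Q tag is stripped. Load the script with `wireshark -X lua_script:f815.lua` or drop it into the personal plugins directory shown under Help > About Wireshark > Folders. Once the frames dissect, the `x_f815.word0` and `x_f815.payload` fields can be compared across captures to work out the real structure, which is the point at which the placeholder fields get replaced with the ones the protocol actually has.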