Ethereal-users: Re: [Ethereal-users] Two Ethereal questions

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Julian Fielding" <jfielding@xxxxxxxxxxxxxxx>
Date: Wed, 3 Nov 2004 12:08:28 +0000

Guy Harris said:
>Dan S Zaniewski said:
[snip]
>> 2. After I do a capture, I want to view only the EthernetIP protocol
>> packets.  How do I do this?
>
>Type "ip" into the "Filter" box - which is, by default, below the toolbar
>- and type Return or Enter.
[snip]

That should be "enip". The wonderfully confusing name "EtherNet/IP" claims another victim. (Dan, I would have expected you, of all people, to type "EtherNet/IP" properly!)

Be aware that display filter "enip" means "those packets that Ethereal's enip dissector decodes as enip". That may not include all relevant packets. Examples:

1. Related packets with no enip payload, like TCP with only flags and other header stuff. It's sometimes nice to see SYN and FIN or RST so you can identify the beginning and end of the TCP conversation.

2. Unusual packets where the enip dissector doesn't recognise the encap command. (I think I've only seen that once, and that wasn't with the current version.)

3. Packets with unusual ports. The enip dissector looks for 44818 (explicit) and 2222 (implicit). That usually works for explicit messages but not necessarily for implicit because any ports may be specified with the preceding (explicit) Forward_Open command and response. (Solution: identify such a packet and use Decode As enip. Enip appears twice in the Decode As list, as do several other protocols. Try both. One will be ignored, the other should work.)

4. Packets grabbed wrongly by another dissector. (Solution: disable the "wrong" protocol, or all protocols except ethernet, ip, tcp, udp, enip.)

I often use display filters like "tcp.port==44818" or "udp.port==44818" (or 2222 or whatever - see 3 above). Or "tcp.port==44818 or udp.port==44818".

It's sometimes useful to say "not enip" to quickly see what else is in the capture. Or "not tcp.port==44818" etc. (Not "tcp.port!=44818".)

Look at my CIP(enip)-related coloring rules in the attached file CIPcolors.txt. The second field (delimited by "@") of each is a display filter. 0xAF12 is 44818. Obviously, the udp filters only work reliably for explicit messages (browsing), not implicit, because of the variability of enip implicit ports. And the terms "client" and "server" are only meaningful for explicit. (I don't worry about identifying O->T or T->O direction for implicit because multicast T->O makes that obvious. I might have to think again if unicast implicit (both ways) becomes common.)

How to use: With any recent version of Ethereal, go to Coloring Rules and Import the file.

Julian.

# DO NOT EDIT THIS FILE!  It was created by Ethereal
@CIP exp unc client@tcp.dstport==0xAF12 && enip.cpf.typeid==0xb2@[44081,52786,60631][65535,0,0]
@CIP exp unc server@tcp.srcport==0xAF12 && enip.cpf.typeid==0xb2@[44204,52685,60652][0,0,65535]
@CIP exp client@tcp.dstport==0xAF12@[52427,65535,65535][65535,0,0]
@CIP exp server@tcp.srcport==0xAF12@[52427,65535,65535][0,0,65535]
@CIP udp client@udp.dstport==0xAF12@[0,65535,0][65535,0,0]
@CIP udp server@udp.srcport==0xAF12@[0,65535,0][0,0,65535]
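As an added illustration (not part of Julian's post, and not Ethereal's own code), the following Python models the two things the post relies on: the `@name@filter@[fg][bg]` line format of the attached coloring rules, and the "any instance of the field" semantics that make `not tcp.port==44818` differ from `tcp.port!=44818`. It assumes packets are represented as dicts keyed by Ethereal field names and supports only the subset of filter syntax used in the post.

```python
import re
# Three of the rules from the attached CIPcolors.txt (copied from the post), in file order.
CIPCOLORS = """\
@CIP exp unc client@tcp.dstport==0xAF12 && enip.cpf.typeid==0xb2@[44081,52786,60631][65535,0,0]
@CIP exp client@tcp.dstport==0xAF12@[52427,65535,65535][65535,0,0]
@CIP udp client@udp.dstport==0xAF12@[0,65535,0][65535,0,0]
"""
RULE_RE = re.compile(r"^@([^@]*)@([^@]*)@\[(\d+),(\d+),(\d+)\]\[(\d+),(\d+),(\d+)\]$")

def parse_color_rules(text):
    """Parse '@name@filter@[fg][bg]' lines; colour channels are 16-bit, scaled here to 8-bit."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # skip the 'DO NOT EDIT' header
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("not a coloring rule: %r" % line)
        rules.append({"name": m.group(1), "filter": m.group(2),
                      "fg": tuple(int(v) >> 8 for v in m.group(3, 4, 5)),
                      "bg": tuple(int(v) >> 8 for v in m.group(6, 7, 8))})
    return rules

def _instances(pkt, field):
    """All values of a field in a packet (a constructed dict keyed by Ethereal field name)."""
    if field in ("tcp.port", "udp.port"):  # 'port' covers both srcport and dstport
        proto = field.split(".")[0]
        return [pkt[k] for k in (proto + ".srcport", proto + ".dstport") if k in pkt]
    if "." not in field:  # bare protocol name such as "enip": present if any enip.* field is
        return [True] if any(k.split(".")[0] == field for k in pkt) else []
    return [pkt[field]] if field in pkt else []

def _term(pkt, term):
    """One term: 'field==v', 'field!=v' or a bare protocol name, optionally prefixed 'not '."""
    if term.startswith("not "):
        return not _term(pkt, term[4:].strip())
    m = re.match(r"^([\w.]+)\s*(==|!=)\s*(\S+)$", term)
    if not m:
        return bool(_instances(pkt, term))
    field, op, val = m.group(1), m.group(2), int(m.group(3), 0)
    # ANY matching instance makes the term true: "tcp.port!=44818" matches ports 44818/1025.
    return any((v == val) if op == "==" else (v != val) for v in _instances(pkt, field))

def match(pkt, flt):
    """'or'/'||' binds loosest, then '&&'/'and', then a leading 'not' on a single term."""
    return any(all(_term(pkt, t.strip()) for t in re.split(r"\s*&&\s*|\s+and\s+", alt))
               for alt in re.split(r"\s+or\s+|\s*\|\|\s*", flt.strip()))

def first_matching_rule(pkt, rules):
    """Ethereal colours a packet with the first rule (top to bottom) whose filter matches."""
    return next((r["name"] for r in rules if match(pkt, r["filter"])), None)
```

A bare SYN to port 44818 falls through the "unc client" rule (no `enip.cpf.typeid` field) to the plain "exp client" rule, which is point 1 of the post in action.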