Bill Meier wrote on Thu, 23 Oct 2008 08:28:57 -0400
>stan wrote:
>> Interesting. I must be doing something wrong then. I have 3 machines on a
>> small isolated network, 2 pieces of control hardware, and a Windows
>> machine. The 2 control pieces are speaking Ethernet/IP to each other (I
>> think). But Wireshark, running on the windows box seems to think it is X11
>> traffic.
>>
>> When I select a packet, and bring up the "decode as" menu, what should I
>> choose to properly decode this traffic?
>>
>
>Choose "etherip" on the network tab.
No, "enip".
>That being said, I wouldn't have expected any ambiguity issues
>recognizing this protocol.
I agree. I constantly work with enip and rarely have any problem.
>How are you ensuring that the PC is able to see the traffic on the
>network between the control hardware ? Are you using a hub rather than a
>switch to connect the network nodes ? or what ?
Again, I agree. A switch is likely to hide most or all enip traffic unless
you configure port mirroring. See http://wiki.wireshark.org/CaptureSetup
Another possibility is that the X11 dissector is incorrectly grabbing
enip packets. I have no experience of X11 so can't say how likely that is,
but it's easy to test. Go to menu Analyze > Enabled Protocols and disable
X11.
Enip traffic usually uses TCP port 44818, UDP port 44818 or UDP port 2222.
>Can you share a small capture with us ?
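As an added example (not part of the thread above, and not Wireshark code), the following Python script shows the two checks the reply is relying on when it says "Decode As enip" and lists the ports: does the packet sit on one of the EtherNet/IP ports (TCP 44818, UDP 44818, UDP 2222), and, for the 44818 encapsulation channel, does the payload start with a valid 24-byte ENIP encapsulation header (little-endian command, length, session handle, status, 8-byte sender context, options)? The sample payloads are constructed inline; the function and constant names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Ports named in the reply: TCP/UDP 44818 carry the encapsulation protocol,
# UDP 2222 carries implicit (Class 1) I/O, which has no encapsulation header.
ENIP_ENCAP_PORT = 44818
ENIP_IO_UDP_PORT = 2222

# Encapsulation command codes from the EtherNet/IP specification.
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

HEADER_FMT = "<HHII8sI"          # command, length, session, status, context, options
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24 bytes


@dataclass
class EnipHeader:
    command: int
    length: int
    session: int
    status: int
    sender_context: bytes
    options: int


def parse_enip_header(payload: bytes) -> Optional[EnipHeader]:
    """Return the encapsulation header, or None if the payload is too short."""
    if len(payload) < HEADER_LEN:
        return None
    fields = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    return EnipHeader(*fields)


def header_is_plausible(payload: bytes) -> bool:
    """A real ENIP encapsulation packet has a known command code and a length
    field that matches the bytes following the header."""
    hdr = parse_enip_header(payload)
    if hdr is None:
        return False
    if hdr.command not in ENIP_COMMANDS:
        return False
    return hdr.length == len(payload) - HEADER_LEN


def is_likely_enip(proto: str, sport: int, dport: int, payload: bytes) -> bool:
    """Mirror what 'Decode As -> enip' assumes: right port, and for the
    encapsulation channel, a header that actually parses."""
    proto = proto.lower()
    ports = {sport, dport}
    if proto == "udp" and ENIP_IO_UDP_PORT in ports:
        # Implicit I/O: only the port is available as a heuristic here.
        return True
    if proto in ("tcp", "udp") and ENIP_ENCAP_PORT in ports:
        return header_is_plausible(payload)
    return False


# Constructed sample payloads (not captured traffic).
# RegisterSession request: command 0x65, 4 data bytes (protocol version 1, flags 0).
REGISTER_SESSION = struct.pack(HEADER_FMT, 0x0065, 4, 0, 0, b"\x00" * 8, 0) \
    + struct.pack("<HH", 1, 0)
# ListIdentity request: header only, zero data length (typically a UDP broadcast).
LIST_IDENTITY = struct.pack(HEADER_FMT, 0x0063, 0, 0, 0, b"\x00" * 8, 0)
# Something that is not ENIP at all, even though it sits on port 44818.
NOT_ENIP = b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"


if __name__ == "__main__":
    for label, proto, sp, dp, data in [
        ("RegisterSession over TCP", "tcp", 51000, 44818, REGISTER_SESSION),
        ("ListIdentity over UDP", "udp", 44818, 44818, LIST_IDENTITY),
        ("HTTP on 44818", "tcp", 51000, 44818, NOT_ENIP),
        ("RegisterSession on X11 port", "tcp", 51000, 6000, REGISTER_SESSION),
    ]:
        print(f"{label}: enip={is_likely_enip(proto, sp, dp, data)}")
```

The last sample is the situation stan describes in reverse: a perfectly good ENIP payload on the wrong port is rejected, just as Wireshark's port-based heuristics will pick the wrong dissector when a port clashes. If a capture shows the 44818 traffic but the header check fails, the frames are not ENIP and disabling X11 will not help; if the header check passes but Wireshark still labels it X11, the dissector conflict the reply suggests testing for is the likely cause.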