Wireshark-users: Re: [Wireshark-users] Ethernet?IP

From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Thu, 23 Oct 2008 11:50:00 -0400
stan wrote:
On Thu, Oct 23, 2008 at 08:28:57AM -0400, Bill Meier wrote:
stan wrote:
Interesting. I must be doing something wrong then. I have 3 machines on a
small isolated network, 2 pieces of control hardware, and a Windows
machine. The 2 control pieces are speaking Ethernet/IP to each other (I
think). But Wireshark, running on the Windows box, seems to think it is X11
traffic.

When I select a packet, and bring up the "decode as" menu, what should I
choose to properly decode this traffic?

Choose "etherip" on the network tab.

That being said, I wouldn't have expected any ambiguity issues recognizing this protocol.

How are you ensuring that the PC is able to see the traffic on the network between the control hardware? Are you using a hub rather than a switch to connect the network nodes? Or what?

Yes, the 3 device network is on a hub.
Can you share a small capture with us?

I am attaching it, because I am uncertain if it is appropriate to post to
the list with attachments.


1. It's Ok to post small attachments to the list.

2. I was confused re "Ethernet over IP"
   vs "Ethernet/Industrial Protocol".

   The correct "decode as" is "enip" on the transport tab.


3. In any case, the pcap file displays just fine on my latest
development Wireshark (showing "Ethernet/IP (Industrial Protocol)" dissection followed by "Common Industrial Protocol").

Wireshark 1.0.3 (not quite the latest) also dissects the file OK.

So: I don't know what's wrong.

What Wireshark version on what platform are you using ??

Are the enip and cip protocols enabled ??

What happens if you disable the X11 protocol ??
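
An added example, not part of the original message and not Wireshark's dissector code: a small Python check that a TCP payload begins with a plausible EtherNet/IP encapsulation header, which helps confirm by hand what a capture really carries when a dissector labels it X11. The function name and both sample payloads are constructed for illustration, and treating each payload as one complete message (no TCP reassembly) is a simplifying assumption.

```python
import struct

# EtherNet/IP encapsulation header: 24 bytes, little-endian.
# command, length, session handle, status, sender context, options
ENIP_HEADER = struct.Struct("<HHII8sI")

# Common encapsulation commands (not an exhaustive list).
ENIP_COMMANDS = {
    0x0000: "NOP",
    0x0004: "ListServices",
    0x0063: "ListIdentity",
    0x0064: "ListInterfaces",
    0x0065: "RegisterSession",
    0x0066: "UnRegisterSession",
    0x006F: "SendRRData",
    0x0070: "SendUnitData",
}

def parse_enip(payload: bytes):
    """Return the header fields if payload looks like an ENIP
    encapsulation message, otherwise None. (Hypothetical helper.)"""
    if len(payload) < ENIP_HEADER.size:
        return None
    command, length, session, status, context, options = \
        ENIP_HEADER.unpack_from(payload)
    if command not in ENIP_COMMANDS:
        return None
    # 'length' counts the bytes that follow the 24-byte header.
    # Assumption: the whole message sits in this one payload.
    if len(payload) - ENIP_HEADER.size < length:
        return None
    return {"command": ENIP_COMMANDS[command], "length": length,
            "session": session, "status": status,
            "context": context, "options": options}

# Constructed sample: RegisterSession request (protocol version 1, flags 0).
REGISTER_SESSION = (ENIP_HEADER.pack(0x0065, 4, 0, 0, bytes(8), 0)
                    + struct.pack("<HH", 1, 0))

# Constructed sample: X11 client connection setup, little-endian ('l'),
# protocol 11.0, with an 18-byte auth name and a 16-byte all-zero cookie.
X11_SETUP = (struct.pack("<BxHHHHxx", 0x6C, 11, 0, 18, 16)
             + b"MIT-MAGIC-COOKIE-1\x00\x00" + bytes(16))

if __name__ == "__main__":
    print("ENIP sample:", parse_enip(REGISTER_SESSION))
    print("X11 sample: ", parse_enip(X11_SETUP))
```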