A complete reference for PROFINET ports — covering UDP 34962 (RT Unicast), UDP 34963 (RT Multicast), UDP 34964 (RPC Context Manager), UDP 49152, the Ethertype 0x8892 for cyclic I/O, MRP Ethertype 0x88E3, firewall rules, and Wireshark filters
Introduction
PROFINET ports are different from every other industrial protocol. Unlike Modbus (port 502), DNP3 (port 20000), or IEC 104 (port 2404) — where one TCP port handles all traffic — PROFINET uses multiple ports plus raw Ethernet at the same time.
The high-priority cyclic I/O data does not use IP or any port. It runs directly on Ethernet using Ethertype 0x8892. The IP-based services use UDP ports 34962, 34963, 34964, and 49152. There are TCP ports involved too — but they are vendor-specific, not part of the PROFINET standard.
This guide explains every PROFINET port number, what each one does, and how to configure firewalls and Wireshark to handle PROFINET correctly.
1. PROFINET Communication Overview
PROFINET defines three communication classes, each using a different transport:
| Class | Transport | Purpose | Latency |
|---|---|---|---|
| PROFINET TCP/IP (NRT) | TCP/UDP over IP | Configuration, parameter access, diagnostics | 100 ms+ |
| PROFINET RT | Raw Ethernet (Ethertype 0x8892) | Cyclic I/O process data | < 10 ms |
| PROFINET IRT | Raw Ethernet (Ethertype 0x8892) with hardware scheduling | Motion control, drive synchronization | < 1 ms |
Most engineers think PROFINET = port 34962. But the truth is more complex: the most important PROFINET traffic does not use a port at all — it uses raw Layer 2 Ethernet frames with Ethertype 0x8892.
2. The Three Real-Time Classes and Their Ports
PROFINET defines conformance classes that determine which ports/Ethertypes are used:
| Class | Ports/Ethertypes Used | Use Case |
|---|---|---|
| CC-A (Class A) | UDP 34962/34963/34964, Ethertype 0x8892 | Basic PROFINET I/O |
| CC-B (Class B) | Adds Ethertype 0x88E3 (MRP) for ring redundancy | Standard industrial automation |
| CC-C (Class C / IRT) | Adds hardware-scheduled cyclic data on Ethertype 0x8892 | Motion control, synchronized drives |
For a deeper explanation, see: PROFINET Conformance Classes Explained
3. Quick Reference: All PROFINET Ports
| Port / Ethertype | Transport | Service | What It Does |
|---|---|---|---|
| 0x8892 | Raw Ethernet (Layer 2) | PROFINET I/O cyclic data, DCP | Cyclic I/O process data — the main real-time traffic |
| 0x88E3 | Raw Ethernet (Layer 2) | MRP (Media Redundancy Protocol) | Ring redundancy for fault tolerance |
| 0x88CC | Raw Ethernet (Layer 2) | LLDP (Link Layer Discovery Protocol) | Topology discovery, neighbor identification |
| 0x88F7 | Raw Ethernet (Layer 2) | PTCP (Precision Time Control Protocol) | Time synchronization for IRT |
| UDP 34962 | UDP | profinet-rt | PROFINET RT Unicast |
| UDP 34963 | UDP | profinet-rt-mcast | PROFINET RT Multicast |
| UDP 34964 | UDP | profinet-cm | RPC Context Manager (acyclic services) |
| UDP 49152 | UDP | RPC | Dynamic RPC endpoint (acyclic communication) |
| UDP 161/162 | UDP | SNMP | Network diagnostics (optional, MIB-II) |
| TCP 80 | TCP | HTTP | Web-based device configuration (optional) |
4. Ethertype 0x8892 — Cyclic I/O Data (No Port)
- Ethertype: 0x8892
- Transport: Raw Ethernet (Layer 2 — no IP, no port)
- Service: PROFINET I/O cyclic data, DCP
This is the most important PROFINET traffic. Every cyclic I/O packet between an IO Controller (PLC) and an IO Device travels using Ethertype 0x8892 — bypassing IP and TCP/UDP entirely.
Why Layer 2?
Real-time industrial control needs deterministic latency. Standard TCP/IP adds processing overhead for headers, checksums, and routing. By using raw Ethernet, PROFINET delivers I/O data in 1–10 ms cycles with predictable timing.
What Travels on Ethertype 0x8892?
| Frame Type | Purpose |
|---|---|
| DCP (Discovery and basic Configuration Protocol) | Initial discovery, IP address assignment, name assignment |
| PROFINET I/O Cyclic Data | Periodic exchange of input and output data |
| Alarms | High-priority diagnostic alarms |
Implications
- PROFINET I/O cannot be routed across IP subnets — Layer 2 frames don’t pass through Layer 3 routers
- All PROFINET I/O devices must be in the same broadcast domain (same VLAN)
- Standard IP firewall rules do not affect Ethertype 0x8892 traffic
5. UDP Port 34962 — PROFINET RT Unicast
- Port: 34962/UDP
- IANA Service Name: profinet-rt
- Use: PROFINET RT (Real-Time) Unicast
UDP port 34962 is registered for PROFINET RT unicast communication. It is used in some PROFINET implementations as an alternative to raw Ethernet for sending RT data when the traffic must traverse routers (rare in practice).
In modern PROFINET deployments, this port sees little real traffic because cyclic I/O uses Ethertype 0x8892 directly. But the port is reserved and may appear in vendor implementations.
6. UDP Port 34963 — PROFINET RT Multicast
- Port: 34963/UDP
- IANA Service Name: profinet-rt-mcast
- Use: PROFINET RT Multicast
UDP port 34963 is registered for PROFINET RT multicast. Similar to port 34962 but for multicast addressing.
Like 34962, this port is reserved by IANA but rarely seen in real deployments because cyclic data uses Layer 2 Ethernet.
7. UDP Port 34964 — PROFINET RPC Context Manager (DCE/RPC)
- Port: 34964/UDP
- IANA Service Name: profinet-cm
- Use: RPC Context Manager — acyclic services
This is the most important IP-based PROFINET port. Port 34964 carries acyclic communication between PROFINET devices using DCE/RPC (Distributed Computing Environment / Remote Procedure Call):
| Service | What It Does |
|---|---|
| Connect | IO Controller establishes a connection with an IO Device |
| Read I&M Data | Read identification & maintenance data (vendor, serial number, firmware) |
| Read/Write Record Data | Configure parameters, read diagnostics |
| Release | Tear down a connection |
| Implicit Read | Read parameters without an established connection |
When You See Port 34964 Traffic
- During PLC startup — the IO Controller connects to each IO Device
- When the engineering tool (TIA Portal, Simatic Step 7) reads device information
- During parameter changes from the engineering workstation
- When fetching diagnostic data
The connection establishment on port 34964 is required before cyclic I/O data starts flowing on Ethertype 0x8892.
8. UDP Port 49152 — Dynamic RPC Endpoint Mapper
- Port: 49152/UDP
- Use: Dynamic RPC endpoint allocation
After the initial connection on port 34964, some acyclic services use dynamic RPC endpoints starting from port 49152. The endpoint is negotiated during the initial RPC handshake.
In Wireshark, you may see PROFINET acyclic traffic on UDP 49152 and adjacent ports (49153, 49154, etc.). These are dynamically allocated and not fixed.
9. Ethertype 0x88E3 — Media Redundancy Protocol (MRP)
- Ethertype: 0x88E3
- Use: Ring redundancy for PROFINET networks
MRP (Media Redundancy Protocol) provides ring topology redundancy for PROFINET networks. If a cable break occurs in a ring, MRP reconfigures the network in under 200 ms (typically 30–60 ms).
MRP runs on Ethertype 0x88E3 — separate from PROFINET I/O traffic. It uses raw Ethernet, no IP, no port.
For more on PROFINET redundancy, see: Media Redundancy Protocol (MRP) Explained
10. Other Ethertypes Used by PROFINET
| Ethertype | Protocol | Purpose |
|---|---|---|
| 0x8892 | PROFINET I/O / DCP | Cyclic I/O, DCP discovery |
| 0x88E3 | MRP | Media Redundancy Protocol |
| 0x88CC | LLDP | Topology discovery, neighbor identification (used heavily by PROFINET) |
| 0x88F7 | PTCP | Precision Time Control Protocol — IRT synchronization |
| 0x88F5 | MMRP | Multiple MAC Registration Protocol (rare) |
| 0x8100 | VLAN tag | 802.1Q VLAN tag, often present with priority tag |
PROFINET uses VLAN priority tagging (802.1Q) with priority 6 for cyclic data. This ensures network switches give PROFINET I/O priority over other Ethernet traffic.
11. PROFINET vs Modbus TCP vs EtherNet/IP Ports
| Feature | PROFINET | Modbus TCP | EtherNet/IP |
|---|---|---|---|
| Cyclic I/O port | None — Ethertype 0x8892 | TCP 502 (same as everything) | UDP 2222 |
| Configuration port | UDP 34964 | TCP 502 | TCP 44818 |
| Discovery | DCP (Ethertype 0x8892) | None (master polls) | List Identity (UDP 44818) |
| Routable across subnets? | No (Layer 2) | Yes | Yes |
| Firewall rules | Allow Ethertype 0x8892 + UDP 34962-34964 | Allow TCP 502 | Allow TCP 44818 + UDP 2222 |
| Best for | Real-time motion, factory automation | Simple I/O, energy meters | Process automation |
The key difference: PROFINET requires Layer 2 connectivity. You cannot route PROFINET I/O traffic through a standard IP router.
12. Why PROFINET Cannot Be Routed Across Subnets
This is one of the most common PROFINET configuration issues.
The Problem
PROFINET I/O cyclic data uses Ethertype 0x8892 — raw Ethernet frames. These frames have:
- A source MAC address
- A destination MAC address
- An Ethertype (0x8892)
- Payload (PROFINET data)
There is no IP header. A Layer 3 router examines IP headers to make forwarding decisions — but Ethertype 0x8892 frames don’t have IP headers. The router cannot route them.
Solutions
- Keep all PROFINET devices in the same VLAN/broadcast domain — the standard solution
- Use Layer 2 switches — switches forward Ethertype 0x8892 frames within the same broadcast domain
- Use a PROFINET-capable router — some industrial routers can bridge PROFINET segments (rare, expensive)
- VLAN tagging across switches — works as long as the switches preserve the VLAN tags and stay in Layer 2
What About IP-Based Services?
PROFINET configuration on UDP 34964 can be routed across subnets — it is a normal IP service. But cyclic I/O cannot. So you can configure a PROFINET device from a remote subnet, but the actual I/O data exchange must happen on the same VLAN as the IO Controller.
13. Firewall Rules for PROFINET
Firewall configuration for PROFINET is more complex than for Modbus or DNP3 because of the mix of IP ports and raw Ethernet.
Layer 3 Firewall Rules (for IP-based services)
Linux iptables
```bash
# Allow PROFINET RPC Context Manager
iptables -A INPUT -p udp --dport 34964 -j ACCEPT
# Replies from port 34964 (matches on source port only, which any sender can choose)
iptables -A INPUT -p udp --sport 34964 -j ACCEPT

# Allow PROFINET RT Unicast/Multicast (rarely used in practice)
iptables -A INPUT -p udp --dport 34962 -j ACCEPT
iptables -A INPUT -p udp --dport 34963 -j ACCEPT

# Allow dynamic RPC (acyclic services)
iptables -A INPUT -p udp --dport 49152:49500 -j ACCEPT
```
Windows Firewall (PowerShell)
```powershell
# Allow PROFINET RPC Context Manager
New-NetFirewallRule -DisplayName "PROFINET RPC" -Direction Inbound -Protocol UDP -LocalPort 34964 -Action Allow

# Allow PROFINET RT
New-NetFirewallRule -DisplayName "PROFINET RT Unicast" -Direction Inbound -Protocol UDP -LocalPort 34962 -Action Allow
New-NetFirewallRule -DisplayName "PROFINET RT Multicast" -Direction Inbound -Protocol UDP -LocalPort 34963 -Action Allow

# Allow dynamic RPC
New-NetFirewallRule -DisplayName "PROFINET RPC Dynamic" -Direction Inbound -Protocol UDP -LocalPort 49152-49500 -Action Allow
```
Layer 2 Considerations
Standard IP firewalls do not filter Ethertype 0x8892 traffic. To control PROFINET I/O traffic, you need:
- Managed industrial switches with Ethertype filtering capability
- VLAN segmentation — put PROFINET in a dedicated VLAN
- MAC-based access control — restrict which MAC addresses can communicate
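The Layer 2 controls listed above can be verified against captured frames. The following Python is an added example, not code from the original article: it parses raw Ethernet frames, including the 802.1Q tag, and reports Ethertype 0x8892 frames whose source MAC is not on an allowlist or that carry an unexpected VLAN ID. The MAC addresses, VLAN 10, and all function names are assumptions made for the illustration.

```python
import struct

VLAN_TAG = 0x8100      # 802.1Q tag, precedes the real Ethertype
PROFINET_RT = 0x8892   # cyclic I/O, DCP and alarms (no IP header)

def parse_frame(frame: bytes) -> dict:
    """Return source MAC, real Ethertype, VLAN ID and 802.1Q priority."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = priority = None
    if ethertype == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vlan = tci >> 13, tci & 0x0FFF
    return {"src": src, "ethertype": ethertype, "vlan": vlan, "priority": priority}

def audit(frames, allowed_macs, expected_vlan):
    """List (frame index, finding) for 0x8892 frames that break the L2 policy."""
    findings = []
    for i, raw in enumerate(frames):
        f = parse_frame(raw)
        if f["ethertype"] != PROFINET_RT:
            continue  # LLDP, MRP, IP etc. are out of scope for this check
        if f["src"] not in allowed_macs:
            findings.append((i, "unknown source MAC " + f["src"]))
        # VLAN ID 0 means "priority tag only": the frame stays in the port VLAN
        if f["vlan"] not in (None, 0, expected_vlan):
            findings.append((i, f"PROFINET frame on VLAN {f['vlan']}"))
    return findings

def build(src, ethertype, tci=None):  # constructed test frame, not a capture
    tag = struct.pack("!HH", VLAN_TAG, tci) if tci is not None else b""
    macs = bytes.fromhex("020000000002") + bytes.fromhex(src.replace(":", ""))
    return macs + tag + struct.pack("!H", ethertype) + bytes(46)

PLC, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:99"  # constructed MACs
SAMPLE = [
    build(PLC, PROFINET_RT, tci=(6 << 13) | 0),    # priority 6, VID 0
    build(ROGUE, PROFINET_RT),                     # untagged, unknown sender
    build(PLC, PROFINET_RT, tci=(6 << 13) | 20),   # wrong VLAN
    build(ROGUE, 0x88CC),                          # LLDP, ignored here
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE, {PLC}, expected_vlan=10):
        print(idx, finding)
```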
Key Rules
- Never expose PROFINET to the internet — there is no built-in encryption or authentication
- Place PROFINET on a dedicated industrial VLAN isolated from IT
- Use PROFINET Security Class 1, 2, or 3 for authenticated/encrypted variants (newer PROFINET versions)
- Monitor PROFINET traffic with OT-aware IDS (Claroty, Nozomi, Dragos)
14. Wireshark Capture and Display Filters
Capture Filters
To capture all PROFINET traffic:
```
ether proto 0x8892 or udp port 34962 or udp port 34963 or udp port 34964
```
For just cyclic I/O:
```
ether proto 0x8892
```
For just configuration/acyclic services:
```
udp port 34964
```
Display Filters
| Filter | What It Shows |
|---|---|
| `pn_io` | PROFINET I/O cyclic data |
| `pn_dcp` | PROFINET DCP (Discovery and basic Configuration Protocol) |
| `pn_rt` | PROFINET Real-Time (all RT traffic) |
| `pn_ptcp` | Precision Time Control Protocol (IRT) |
| `pn_mrp` | Media Redundancy Protocol |
| `pn_rsi` | PROFINET RSI (Remote Service Interface) |
| `udp.port == 34964` | PROFINET RPC traffic |
| `eth.type == 0x8892` | All Ethertype 0x8892 traffic |
| `eth.type == 0x88e3` | MRP traffic |
| `eth.type == 0x88cc` | LLDP traffic |
For a complete Wireshark analysis guide, see: Wireshark for PROFINET
15. Common Port-Related Problems and Fixes
| Problem | Symptom | Fix |
|---|---|---|
| PROFINET I/O does not work across routers | I/O Controller cannot reach IO Device on a different subnet | PROFINET cyclic data uses Ethertype 0x8892 (Layer 2). Put all devices in the same VLAN. |
| Devices visible in DCP but cannot connect | Discovery works, but no I/O exchange | Check UDP port 34964 firewall rules. RPC connection setup needs this port. |
| Cannot read I&M data | Acyclic service fails | Allow UDP 34964 and dynamic RPC ports (49152+) |
| MRP ring not working | Ring redundancy does not switch on cable break | Check that switches forward Ethertype 0x88E3. Verify all MRP clients/manager configuration. |
| LLDP topology empty | Engineering tool cannot show network topology | Allow Ethertype 0x88CC (LLDP) on switches |
| High latency on cyclic I/O | I/O cycle times exceed configured value | Check VLAN priority. PROFINET should use 802.1Q priority 6. |
| Wireshark shows no PROFINET | Filter doesn’t catch the traffic | Capture filter must include ether proto 0x8892 — port-based filters miss most PROFINET |
| PROFINET works on one switch but not another | Some switches block Ethertype 0x8892 | Use industrial-grade managed switches with PROFINET certification |
| VLAN tag dropped | I/O traffic corrupted | Verify all switches preserve 802.1Q tags. Some consumer switches strip them. |
| PLC startup fails | Cannot establish connections to IO Devices | Check UDP 34964 path. Verify firewall, switches, and Layer 2 reachability. |
Summary
PROFINET ports are different from every other industrial protocol because most PROFINET traffic doesn’t use IP at all.
The key things to remember:
- Ethertype 0x8892 is the most important — it carries cyclic I/O data using raw Ethernet (no IP, no port)
- UDP port 34964 is the most important IP port — it carries acyclic services and connection setup (RPC Context Manager)
- UDP ports 34962 and 34963 are reserved for RT unicast/multicast but rarely used in real deployments
- UDP port 49152+ is used for dynamic RPC endpoints during acyclic communication
- Ethertype 0x88E3 is used by MRP for ring redundancy
- Ethertype 0x88CC is used by LLDP for topology discovery
- PROFINET I/O cannot be routed across IP subnets because cyclic data uses Layer 2 Ethernet — keep all devices in the same VLAN
- IP firewalls do not filter Ethertype 0x8892 traffic — use VLANs and managed switches for Layer 2 segmentation
- For Wireshark capture, use `ether proto 0x8892` — port filters miss most PROFINET traffic
