Wireshark for EtherNet/IP: How to Capture and Decode CIP Traffic

EtherNet/IP (Ethernet Industrial Protocol) is the leading industrial Ethernet protocol in North America. It carries CIP (Common Industrial Protocol) messages over standard TCP/IP and UDP/IP.

Wireshark fully decodes EtherNet/IP using two dissectors:

• enip — EtherNet/IP encapsulation layer (session management, encapsulation commands)
• cip — Common Industrial Protocol (services, objects, connections, I/O data)

EtherNet/IP uses two ports:

• TCP port 44818 — explicit messaging (configuration, diagnostics, session management)
• UDP port 2222 — implicit messaging (cyclic I/O data between controllers and I/O devices)

This guide covers how to capture both traffic types, which display filters to use, how to decode CIP services and I/O connections, and how to troubleshoot the most common EtherNet/IP problems.

1. How EtherNet/IP Appears in Wireshark

Wireshark shows EtherNet/IP traffic as two protocol layers:

Layer	What It Shows
EtherNet/IP (enip)	Encapsulation command, session handle, status, sender context
CIP (cip)	Service code, class/instance/attribute path, data, status

The Info column shows:

Register Session (Req)
Register Session (Rsp), Session: 0x00000001
Send RR Data (Req), Service: Get Attribute All
Send RR Data (Rsp), Service: Get Attribute All
Send Unit Data, CIP I/O Connection

For implicit I/O on UDP 2222:

CIP I/O, Connection ID: 0x80000001, Seq: 12345

2. How to Capture EtherNet/IP Traffic

Capture Filter

To capture both explicit and implicit traffic:

tcp port 44818 or udp port 2222

To capture only explicit messaging:

tcp port 44818

To capture only implicit I/O:

udp port 2222

Where to Capture

Location	What You See
On the PLC / scanner	All EtherNet/IP traffic from the controller
On an I/O adapter	Traffic to/from that specific device
On a managed switch (port mirroring)	All traffic on the mirrored port(s)

3. Display Filters for EtherNet/IP and CIP

All filter field names verified against the official Wireshark Display Filter References for enip and cip.

Basic Filters

Filter	What It Shows
enip	All EtherNet/IP encapsulation traffic
cip	All CIP messages (explicit + implicit)
cipio	CIP I/O implicit messages only (UDP 2222)
tcp.port == 44818	All explicit messaging traffic
udp.port == 2222	All implicit I/O traffic

Encapsulation Command Filters

Filter	What It Shows
enip.command == 0x0004	List Services
enip.command == 0x0063	List Identity
enip.command == 0x0065	Register Session
enip.command == 0x0066	Unregister Session
enip.command == 0x006f	Send RR Data (explicit messaging)
enip.command == 0x0070	Send Unit Data (connected explicit messaging)

Session and Status Filters

Filter	What It Shows
enip.session	Session handle value
enip.status	Encapsulation status (0 = success)
enip.status != 0	Failed encapsulation commands

CIP Service Filters

Filter	What It Shows
cip.service	CIP service code
cip.sc	CIP service code (alternate field name)
cip.genstat	CIP General Status code
cip.genstat != 0	Failed CIP services
cip.class	CIP class in the path
cip.instance	CIP instance in the path
cip.attribute	CIP attribute in the path
cip.connection.triad.ConnSerialNumber	Connection serial number

Common CIP Service Codes

Service Code	Name	Description
0x01	Get Attribute All	Read all attributes of an object
0x02	Set Attribute All	Write all attributes
0x03	Get Attribute List	Read specific attributes
0x04	Set Attribute List	Write specific attributes
0x05	Reset	Reset the device
0x0E	Get Attribute Single	Read one attribute
0x10	Set Attribute Single	Write one attribute
0x4B	Read Tag Service	Read a tag value (Logix-specific)
0x4C	Read Tag Fragmented	Read a large tag (fragmented)
0x4D	Write Tag Service	Write a tag value (Logix-specific)
0x4E	Write Tag Fragmented	Write a large tag (fragmented)
0x52	Read Modify Write Tag	Atomic read-modify-write
0x54	Forward Open	Establish a CIP connection
0x4E	Forward Close	Close a CIP connection

Combination Examples

All Forward Open requests:

cip.sc == 0x54

All failed CIP responses:

cip.genstat != 0

All explicit traffic to a specific device:

enip && ip.addr == 192.168.1.100

Only List Identity responses (device discovery):

enip.command == 0x0063

Implicit I/O for a specific connection ID:

cipio && cip.connid == 0x80000001

4. Explicit vs Implicit Messaging in Wireshark

Feature	Explicit (TCP 44818)	Implicit (UDP 2222)
Transport	TCP	UDP
Port	44818	2222
Purpose	Configuration, diagnostics, tag reads/writes	Cyclic I/O data (inputs/outputs)
Wireshark filter	enip or tcp.port == 44818	cipio or udp.port == 2222
Message pattern	Request → Response	Producer → Consumer (continuous)
Encapsulation command	Send RR Data (0x006F) or Send Unit Data (0x0070)	None — raw CIP I/O frames
Timing	On-demand	Cyclic (RPI = Requested Packet Interval)

5. How to Read a Decoded EtherNet/IP Packet

Register Session Request

EtherNet/IP (Industrial Protocol)
    Command: Register Session (0x0065)
    Length: 4
    Session Handle: 0x00000000
    Status: Success (0x00000000)
    Protocol Version: 1
    Options Flags: 0

Send RR Data — Get Attribute Single

EtherNet/IP (Industrial Protocol)
    Command: Send RR Data (0x006F)
    Session Handle: 0x00000001
Common Industrial Protocol
    Service: Get Attribute Single (0x0E)
    Class: Identity (0x01)
    Instance: 1
    Attribute: Product Name (7)

CIP I/O Implicit Data (UDP 2222)

Common Industrial Protocol, I/O
    Connection ID: 0x80000001
    Sequence Count: 12345
    Data: 01 FF 03 00 ...

6. What a Healthy EtherNet/IP Session Looks Like

#	Direction	Protocol	Info
1	Client → Server	TCP	SYN (port 44818)
2	Server → Client	TCP	SYN-ACK
3	Client → Server	TCP	ACK
4	Client → Server	ENIP	Register Session (Request)
5	Server → Client	ENIP	Register Session (Response, Session Handle assigned)
6	Client → Server	ENIP	Send RR Data — Get Attribute All (Identity Object)
7	Server → Client	ENIP	Send RR Data — Response with device identity
8	Client → Server	ENIP	Send RR Data — Forward Open (establish I/O connection)
9	Server → Client	ENIP	Send RR Data — Forward Open Response (connection IDs assigned)
10	Both ↔ Both	CIP I/O	Implicit I/O data on UDP 2222 (continuous cyclic exchange)

The sequence is always: TCP handshake → Register Session → Explicit services → Forward Open → Implicit I/O begins

7. Decoding Forward Open — Connection Setup

The Forward Open service (0x54) establishes a CIP connection for implicit I/O data exchange.

Filter: cip.sc == 0x54

Forward Open Request

CIP Connection Manager
    Service: Forward Open (0x54)
    O→T Connection ID: 0x80000001
    T→O Connection ID: 0x80000002
    O→T RPI: 10000 µs (10 ms)
    T→O RPI: 10000 µs (10 ms)
    O→T Network Connection Parameters: Point-to-Point, Fixed Size
    T→O Network Connection Parameters: Multicast, Fixed Size
    Connection Path: [Backplane] Port 1, Slot 0

Forward Open Response

CIP Connection Manager
    Service: Forward Open (Response)
    General Status: Success (0x00)
    O→T Connection ID: 0x80000001
    T→O Connection ID: 0x80000002

If the Forward Open fails, the General Status field shows the error code.

8. Decoding Implicit I/O Data (UDP Port 2222)

After Forward Open succeeds, implicit I/O data flows on UDP port 2222.

Filter: cipio or udp.port == 2222

Each I/O packet contains:

• Connection ID — matches the O→T or T→O Connection ID from Forward Open
• Sequence Count — increments every cycle
• Data — raw I/O bytes (input or output data)

Wireshark maps the Connection ID back to the Forward Open if it was captured in the same session. This allows you to see which device the I/O data belongs to.

⚠️ Important: If you start Wireshark after the Forward Open has already completed, Wireshark cannot map Connection IDs to devices. Start Wireshark before the connection is established.

9. Diagnosing Connection Failures

Filter: cip.sc == 0x54 && cip.genstat != 0 (failed Forward Opens)

Common Forward Open Error Codes

General Status	Extended Status	Meaning	Common Cause
0x01	0x0100	Connection failure	Resource unavailable on target device
0x01	0x0103	Connection timeout	RPI too fast for the device
0x01	0x0106	Ownership conflict	Another scanner already owns this connection
0x01	0x0107	Target connection not found	Wrong connection path (backplane/slot)
0x01	0x0109	Invalid connection size	O→T or T→O size mismatch
0x01	0x0110	Connection target does not support the requested RPI	RPI too short
0x01	0x0113	RPI not acceptable	Increase the RPI value
0x0C	—	Object state conflict	Device is in an invalid state for connection
0x14	—	Attribute not settable	Wrong parameter in the path

10. Diagnosing No I/O Data Exchange

Filter: cipio or udp.port == 2222

What You See	Cause	Fix
No UDP 2222 packets at all	Forward Open failed or was never sent	Check Forward Open response for errors
I/O data flows then stops	Connection timed out (missed too many packets)	Check network for packet loss. Verify RPI.
I/O data from device but not from controller	Controller not producing data	Check controller program and I/O configuration
Sequence Count frozen (not incrementing)	Device stopped updating I/O	Check device status and diagnostics

11. Diagnosing CIP Error Codes

Filter: cip.genstat != 0

Common CIP General Status Codes

Code	Name	Common Cause
0x01	Connection Failure	Forward Open failed — see extended status
0x04	Path Segment Error	Wrong class/instance/attribute in the path
0x05	Path Destination Unknown	Target object does not exist
0x08	Service Not Supported	Device does not support this CIP service
0x0A	Attribute List Error	One or more attributes in the list failed
0x0C	Object State Conflict	Device in wrong state (e.g., Running vs Idle)
0x10	Device State Conflict	Device not in the right mode
0x13	Not Enough Data	Request packet too short
0x14	Attribute Not Supported	Attribute does not exist on this object
0x15	Too Much Data	Request packet too long
0x1E	Tag Not Found	Logix tag name does not exist (Read/Write Tag)
0x26	Bridge Request Too Large	Message too large for the routing path

12. Useful Wireshark Columns for EtherNet/IP Analysis

Column Title	Type	Field Name
ENIP Command	Custom	enip.command
Session Handle	Custom	enip.session
CIP Service	Custom	cip.sc
CIP Status	Custom	cip.genstat
Delta Time	Custom	frame.time_delta_displayed

13. Common EtherNet/IP Problems and What They Look Like in Wireshark

Problem	Wireshark Symptom	Filter
Device offline	TCP SYN, no SYN-ACK on port 44818	tcp.flags.syn == 1 && tcp.port == 44818
Session registration fails	Register Session with non-zero status	enip.command == 0x0065 && enip.status != 0
Forward Open fails	Forward Open response with CIP error	cip.sc == 0x54 && cip.genstat != 0
Ownership conflict	Forward Open error 0x0106	cip.sc == 0x54 — check extended status
Wrong connection path	Forward Open error 0x0107	Verify backplane/slot in connection path
No I/O data	No packets on UDP 2222	udp.port == 2222
I/O connection timeout	I/O data stops after a period	cipio — check for gaps in sequence count
Tag not found	CIP status 0x1E on Read/Write Tag	cip.genstat == 0x1e
Packet loss	TCP retransmissions on port 44818	tcp.analysis.retransmission && tcp.port == 44818
Slow response	Large time delta	enip && frame.time_delta > 1

Summary

Wireshark decodes the full EtherNet/IP and CIP protocol stack — session management, explicit messaging, Forward Open connection setup, and cyclic I/O data.

The key things to remember:

• EtherNet/IP uses TCP port 44818 for explicit messaging and UDP port 2222 for implicit I/O
• Use enip for encapsulation-level traffic, cip for CIP services, cipio for implicit I/O
• Use cip.sc == 0x54 to find Forward Open (connection setup)
• Use cip.genstat != 0 to find all failed CIP services
• Use enip.command == 0x0063 for List Identity (device discovery)
• Start Wireshark before the connection is established — otherwise implicit I/O data cannot be mapped to devices
• Forward Open errors are the #1 cause of EtherNet/IP I/O problems — always check the General Status and Extended Status codes

For a comparison with PROFINET, see: PROFINET vs EtherNet/IP: Complete Comparison