PROFINET traffic does not use TCP/IP for cyclic I/O data. It runs directly on Ethernet Layer 2 with EtherType 0x8892. This means you cannot capture it with a TCP port filter — you need to capture all Ethernet traffic on the interface and then filter in Wireshark.
Wireshark fully decodes PROFINET using several dissectors:
- pn_rt — PROFINET Real-Time protocol (cyclic I/O data frames)
- pn_io — PROFINET IO application layer (connection setup, parameters, diagnostics)
- pn_dcp — PROFINET DCP (Discovery and Configuration Protocol — device name, IP assignment)
- pn_ptcp — PROFINET PTCP (Precision Time Control Protocol — clock synchronization for IRT)
- lldp — Link Layer Discovery Protocol (topology detection, neighbor information)
This guide covers how to capture PROFINET traffic, which display filters to use for each protocol, how to decode cyclic data and DCP messages, and how to troubleshoot the most common PROFINET problems.
In This Guide
1. How PROFINET Appears in Wireshark
PROFINET uses multiple protocols on the same Ethernet interface:
| Protocol | EtherType / Port | Wireshark Dissector | Purpose |
|---|---|---|---|
| PROFINET RT | 0x8892 | pn_rt | Cyclic I/O data, alarms |
| PROFINET DCP | 0x8892 (special FrameID) | pn_dcp | Device discovery, name assignment, IP configuration |
| PROFINET IO | DCE/RPC over UDP 34964 | pn_io | Connection setup (Connect, Write, Release), parameter download |
| LLDP | 0x88CC | lldp | Topology detection, port-to-port neighbor information |
| PROFINET PTCP | 0x8892 (special FrameID) | pn_ptcp | Clock synchronization for IRT |
| MRP | 0x88E3 | mrp | Media Redundancy Protocol (ring recovery) |
The Info column shows summaries like:
PNIO-CM Connect request, IODConnectReq
DCP Identify Request
DCP Set Request, IP, NameOfStation
Cyclic PNIO, CycleCounter: 12345
LLDP, SysName: et200sp-line12. How to Capture PROFINET Traffic
Capture Filter
Since PROFINET RT is Layer 2, you cannot filter by TCP port. Use:
ether proto 0x8892This captures only PROFINET RT frames. But it misses DCP, LLDP, and DCE/RPC traffic.
To capture everything (recommended for troubleshooting):
(no filter — capture all traffic on the interface)Then use display filters to narrow down.
Where to Capture
| Location | What You See |
|---|---|
| On the PLC/IO-Controller | All PROFINET traffic from the controller’s perspective |
| On a managed switch (port mirroring) | All traffic on the mirrored port(s) |
| On the IO-Device (if supported) | Only traffic to/from that device |
| Between PLC and switch (TAP) | Full duplex capture of controller traffic |
⚠️ Important: Wireshark can decode cyclic PROFINET I/O data (module/submodule level) only if it captures the connection setup (DCE/RPC Connect request). If you start Wireshark after the connection is already established, cyclic data appears as raw bytes without module context.
Best practice: Start Wireshark first, then power on the IO-Device (or restart the PLC).
3. Display Filters for PROFINET
All filter names verified against the official Wireshark Display Filter Reference pages for pn_rt, pn_dcp, and pn_io.
Protocol-Level Filters
| Filter | What It Shows |
|---|---|
pn_rt | All PROFINET RT frames (same as eth.type == 0x8892) |
pn_io | PROFINET IO application layer (connection setup, alarms, diagnostics) |
pn_dcp | PROFINET DCP (discovery, name assignment, IP set) |
pn_ptcp | PROFINET PTCP (clock synchronization for IRT) |
lldp | LLDP frames (topology, neighbors) |
mrp | MRP frames (media redundancy ring) |
pn_rt or pn_dcp | All PROFINET frames (RT + DCP combined) |
EtherType Filter
| Filter | What It Shows |
|---|---|
eth.type == 0x8892 | All PROFINET frames (RT, DCP, PTCP) |
eth.type == 0x88cc | All LLDP frames |
eth.type == 0x88e3 | All MRP frames |
DCP Filters
| Filter | What It Shows |
|---|---|
pn_dcp.service_id == 5 | DCP Identify (discovery multicast) |
pn_dcp.service_id == 4 | DCP Set (name/IP assignment) |
pn_dcp.service_id == 3 | DCP Get (read device info) |
pn_dcp.service_type == 0 | DCP Request |
pn_dcp.service_type == 1 | DCP Response |
pn_dcp.block_error != 0 | DCP errors |
RT Frame Filters
| Filter | What It Shows |
|---|---|
pn_rt.frame_id | Frame ID field (identifies the cyclic data relationship) |
pn_rt.cycle_counter | Cycle counter value |
pn_rt.transfer_status | Transfer status (0 = OK) |
pn_rt.data_status.state | Data state (Primary or Backup for redundancy) |
pn_rt.data_status.datavalid | Data valid flag (1 = valid, 0 = invalid) |
IO Filters
| Filter | What It Shows |
|---|---|
pn_io.alarm_type | Alarm type in alarm notifications |
pn_io.slot_nr | Slot number |
pn_io.subslot_nr | Subslot number |
pn_io.ioxs | IOxS (I/O extended status — good/bad) |
pn_io.block_type | Block type in IO messages |
pn_io.status | Status code in IO responses |
Combination Examples
Only DCP Identify (discovery) requests and responses:
pn_dcp.service_id == 5Only cyclic data with invalid DataState:
pn_rt.data_status.datavalid == 0PROFINET traffic to/from a specific MAC address:
pn_rt && eth.addr == 00:0e:8c:12:34:56All alarms from any IO-Device:
pn_io.alarm_typeLLDP frames showing a specific device name:
lldp.tlv.system.name contains "et200sp"4. Decoding Cyclic I/O Data (RT Frames)
Cyclic I/O frames are the most common PROFINET packets. They carry process data (inputs/outputs) between the IO-Controller and IO-Devices every cycle.
What You See in Wireshark
PROFINET Real-Time Protocol
FrameID: 0xc001
CycleCounter: 12345
DataStatus: 0x35 (Primary, Valid, Run)
TransferStatus: 0x00 (OK)
PROFINET IO Cyclic Service Data Unit
IOxS: 0x80 (Good)
Data: 01 00 ff 03 ...Key Fields
| Field | Meaning |
|---|---|
| FrameID | Identifies which IO-Device and which AR (Application Relation) this data belongs to. Range 0xC000–0xFBFF for RT class 1. |
| CycleCounter | Increments every cycle. Used to detect missed frames. |
| DataStatus | Bits for Primary/Backup, DataValid, Run/Stop. |
| TransferStatus | 0 = OK. Non-zero = problem with the data transfer. |
| IOxS | I/O extended status. Bit 7 = DataState (1=good, 0=bad). |
Decoding Module Data
If Wireshark captured the connection setup (DCE/RPC Connect request), it can map the raw bytes to specific modules and submodules. You will see something like:
Module: DI 8x24V (Slot 1, Subslot 1)
Input Data: 0xFF (all 8 inputs ON)
IOxS: 0x80 (Good)
Module: AI 4xU/I (Slot 2, Subslot 1)
Input Data: 08 FC 09 01 ...
IOxS: 0x80 (Good)If the connection setup was not captured, you see only raw bytes without module context.
5. Decoding DCP — Device Discovery and Name Assignment
DCP is the first protocol used when commissioning a PROFINET device. The IO-Controller uses DCP to find devices by name and assign IP addresses.
DCP Identify (Discovery)
Filter: pn_dcp.service_id == 5
The IO-Controller sends a multicast DCP Identify Request asking “Who has device name X?” All devices with that name respond.
PROFINET DCP, Identify Request
ServiceID: Identify (5)
ServiceType: Request (0)
Option: Device/NameOfStation
NameOfStation: et200sp-line1DCP Set (Name/IP Assignment)
Filter: pn_dcp.service_id == 4
The IO-Controller sends a unicast DCP Set Request to assign the IP address to the device.
PROFINET DCP, Set Request
ServiceID: Set (4)
Option: IP/IPParameter
IPAddress: 192.168.0.10
SubnetMask: 255.255.255.0
StandardGateway: 0.0.0.0DCP Errors
Filter: pn_dcp.block_error != 0
If the DCP Set fails, the response contains a non-zero BlockError.
6. Decoding Connection Setup (DCE/RPC)
Before cyclic data exchange starts, the IO-Controller establishes an Application Relation (AR) with each IO-Device using DCE/RPC over UDP port 34964.
Filter: pn_io
Connection Sequence
| Step | Message | Direction | Purpose |
|---|---|---|---|
| 1 | Connect Request | Controller → Device | Establish the AR, define modules/submodules |
| 2 | Connect Response | Device → Controller | Confirm AR, return status |
| 3 | Write Request(s) | Controller → Device | Send parameters for each module |
| 4 | Write Response(s) | Device → Controller | Confirm parameter acceptance |
| 5 | Control (PrmEnd) | Controller → Device | Signal that parameterization is complete |
| 6 | Control (ApplReady) | Device → Controller | Device is ready for cyclic data |
After step 6, cyclic RT data exchange begins.
If any step fails, the device shows a red error in TIA Portal.
7. Decoding Alarms
PROFINET devices send alarms when something goes wrong — a channel error, a module pulled out, or a diagnostic event.
Filter: pn_io.alarm_type
| Alarm Type | Meaning |
|---|---|
| 0x0001 | Diagnosis disappears |
| 0x0002 | Process alarm |
| 0x0003 | Pull alarm (module removed) |
| 0x0004 | Plug alarm (module inserted) |
| 0x0006 | Status alarm |
| 0x0007 | Update alarm |
| 0x0010 | Diagnosis alarm |
Alarms are sent as acyclic RT frames (not cyclic). They interrupt the normal data flow with high priority.
8. Decoding LLDP — Topology and Neighbor Detection
PROFINET CC-B and higher require LLDP for automatic topology detection. Every device sends LLDP frames periodically announcing its identity and port information.
Filter: lldp
What LLDP Shows
Link Layer Discovery Protocol
Chassis Id: et200sp-line1
Port Id: port-001
Time To Live: 20 seconds
System Name: et200sp-line1
PROFINET: PortStatus, MRP, PortSubtypeLLDP helps Wireshark (and the IO-Controller) understand which device is connected to which switch port. This is essential for diagnosing topology mismatches.
9. What a Healthy PROFINET Startup Looks Like
| # | Protocol | Info |
|---|---|---|
| 1 | LLDP | Device announces itself on the network |
| 2 | DCP | IO-Controller sends Identify Request (multicast) |
| 3 | DCP | Device responds with Identify Response |
| 4 | DCP | IO-Controller sends Set Request (IP address) |
| 5 | DCP | Device confirms Set Response |
| 6 | DCE/RPC | Connect Request (AR establishment) |
| 7 | DCE/RPC | Connect Response |
| 8 | DCE/RPC | Write Requests (parameters for each module) |
| 9 | DCE/RPC | Write Responses |
| 10 | DCE/RPC | Control (PrmEnd) — parameterization complete |
| 11 | DCE/RPC | Control (ApplReady) — device ready |
| 12 | PN-RT | Cyclic I/O data exchange begins (repeats every cycle) |
10. Diagnosing Device Not Found
Filter: pn_dcp.service_id == 5
| What You See | Cause | Fix |
|---|---|---|
| DCP Identify Request sent, no Response | Device not on network or wrong name | Check cable. Verify device name with PRONETA. |
| DCP Identify Response from a different device | Name conflict — two devices with same name | Assign unique names. |
| No DCP Identify at all | IO-Controller is not looking for this device | Check TIA Portal project — is the device configured? |
11. Diagnosing No I/O Data Exchange
Filter: pn_rt
| What You See | Cause | Fix |
|---|---|---|
| DCP OK, but no DCE/RPC Connect | Controller failed to start connection setup | Check controller status. Look for errors in the diagnostic buffer. |
| Connect Request sent, Connect Response with error | Module mismatch between project and physical device | Verify GSDML version and module order matches physical hardware. |
| Connect OK, but no cyclic RT frames | ApplReady not received — device stuck in parameterization | Check device firmware. Check parameter values. |
| Cyclic frames present but IOxS = bad (0x00) | Data not valid — device has a channel error | Check the field wiring. Look for alarm frames (pn_io.alarm_type). |
12. Diagnosing Cyclic Data Errors
Filter: pn_rt.data_status.datavalid == 0 or pn_rt.transfer_status != 0
| Symptom | What It Means | Fix |
|---|---|---|
| DataValid = 0 | Device is sending data but marking it as invalid | Device has a problem — check diagnostics |
| TransferStatus != 0 | Transfer error on the network path | Check cable, switch, and intermediate devices |
| CycleCounter jumps | Missed frames — some cycles were lost | Network overload, bad cable, or switch issue |
| No cyclic frames from device | Device went offline or AR was released | Check device power. Look for DCP or alarm frames. |
13. Useful Wireshark Columns and Coloring Rules
Custom Columns
| Column Title | Type | Field Name |
|---|---|---|
| Frame ID | Custom | pn_rt.frame_id |
| Cycle Counter | Custom | pn_rt.cycle_counter |
| Source MAC | Normal | eth.src |
| Delta Time | Custom | frame.time_delta_displayed |
PROFINET Coloring Rules
PI International provides a Wireshark coloring rule file for PROFINET. Import it via View → Coloring Rules → Import. It colors:
- Cyclic RT data — green
- DCP — blue
- Alarms — red
- LLDP — yellow
This makes it easy to visually separate the different PROFINET traffic types.
14. Common PROFINET Problems and What They Look Like in Wireshark
| Problem | Wireshark Symptom | Filter |
|---|---|---|
| Device not found | DCP Identify with no response | pn_dcp.service_id == 5 |
| Name mismatch | DCP Identify response from wrong device | pn_dcp — check NameOfStation |
| IP conflict | DCP response with IP conflict flag | pn_dcp.ip_conflict |
| Module mismatch | Connect Response with error status | pn_io.status != 0 |
| No cyclic data | No pn_rt frames after Connect/ApplReady | pn_rt |
| Bad I/O data | IOxS = bad (DataState = 0) | pn_rt.data_status.datavalid == 0 |
| Missed cycles | CycleCounter jumps (non-sequential) | pn_rt.cycle_counter — check sequence |
| Module pulled | Pull alarm (alarm type 0x0003) | pn_io.alarm_type |
| Channel error | Diagnosis alarm from device | pn_io.alarm_type |
| No LLDP neighbors | LLDP frames missing from a device | lldp — check which devices are sending |
| MRP ring break | MRP test frames stop on one path | mrp |
Summary
PROFINET uses multiple protocols on the same Ethernet wire. Wireshark decodes all of them — RT cyclic data, DCP discovery, DCE/RPC connection setup, alarms, LLDP topology, and PTCP synchronization.
The key things to remember:
- PROFINET RT uses EtherType 0x8892 — not TCP/IP. Capture all Ethernet traffic, not just a port.
- Use
pn_rtfor cyclic I/O data,pn_dcpfor discovery,pn_iofor connection setup and alarms - Start Wireshark before the device connects — otherwise cyclic data cannot be decoded to module level
- Use
pn_dcp.service_id == 5to see device discovery (Identify) - Use
pn_rt.data_status.datavalid == 0to find invalid cyclic data - Use
pn_io.alarm_typeto find alarms - Use
lldpto check topology and neighbor detection - Import the PI PROFINET coloring rules for visual analysis
For more on PROFINET configuration, see: How to Configure PROFINET in TIA Portal