EtherNet/IP (Ethernet Industrial Protocol) is the leading industrial Ethernet protocol in North America. It carries CIP (Common Industrial Protocol) messages over standard TCP/IP and UDP/IP. Wireshark fully decodes EtherNet/IP using two dissectors: EtherNet/IP uses two ports: This guide covers how to capture both traffic types, which display filters to use, how to decode CIP services and I/O connections,… Read More »
Wireshark is known as an Ethernet protocol analyzer. But it can also capture Modbus RTU traffic over RS-485 serial links — using a free extension called WiresharkSerialAdapter. This is not a built-in feature. Wireshark does not natively capture from COM ports. You need a USB-to-RS-485 adapter connected to the bus as a passive listener, plus the WiresharkSerialAdapter extension… Read More »
Industrial protocols are moving to TLS encryption. Modbus/TCP Security uses port 802. IEC 60870-5-104 over TLS uses port 19998. IEC 61850 MMS over TLS uses port 3782. OPC UA encrypts at the application layer. When encryption is enabled, Wireshark shows “Application Data” instead of decoded protocol fields. You can see that packets are flowing, but you cannot read… Read More »
PROFINET traffic does not use TCP/IP for cyclic I/O data. It runs directly on Ethernet Layer 2 with EtherType 0x8892. This means you cannot capture it with a TCP port filter — you need to capture all Ethernet traffic on the interface and then filter in Wireshark. Wireshark fully decodes PROFINET using several dissectors: This guide covers how… Read More »
MQTT (MQ Telemetry Transport) is the most widely used protocol in industrial IoT. It connects sensors, PLCs, gateways, and edge devices to cloud platforms and SCADA historians using a lightweight publish/subscribe model over TCP. Wireshark fully decodes MQTT — every CONNECT, PUBLISH, SUBSCRIBE, and DISCONNECT message, including topic names, QoS levels, payloads, and client IDs — all in… Read More »
OPC UA (Unified Architecture) is the leading platform-independent protocol for industrial data exchange. It connects SCADA systems, MES platforms, HMI panels, historians, and cloud gateways to PLCs, DCS controllers, and edge devices. OPC UA uses the OPC Binary protocol over TCP on port 4840 (IANA registered as “opc.tcp”). Wireshark decodes every OPC UA service — OpenSecureChannel, CreateSession, Browse,… Read More »
DNP3 (Distributed Network Protocol 3.0) is the dominant SCADA protocol in North America for electric utilities, water systems, and oil and gas. It runs over TCP or UDP on port 20000. Wireshark fully decodes DNP3 — data link layer, transport layer, and application layer. You can see every function code, object group, data point index, quality flag, and… Read More »
Modbus TCP is one of the easiest protocols to analyze in Wireshark. It runs on TCP port 502, uses a simple request/response pattern, and Wireshark decodes every field — MBAP header, function code, register addresses, and data values — in plain text. But engineers still struggle with three things: finding the right display filters, understanding what a healthy… Read More »
MMS (Manufacturing Message Specification) is the client/server protocol used by IEC 61850 for SCADA communication, reporting, control commands, and engineering access. It runs over TCP port 102. When an IED stops reporting to SCADA, when a control command fails, or when an MMS association does not establish — Wireshark is the first tool you reach for. But decoding… Read More »
GOOSE messages are high-speed Ethernet signals used in modern substations to share protection and control information between devices. Although they may look technical, decoding them with Wireshark is actually very easy. With just a few filters and clicks, you can see events, state changes, and dataset values in real time. In this guide, you’ll learn step-by-step how to… Read More »