CIP Packet Walk-Through

This document walks through the following EtherNet/IP packet field by field, covering the
Ethernet header, the Internet Protocol (IP) header, the User Datagram Protocol (UDP) header, and
the Control and Information Protocol (CIP) header and data. (ODVA has since renamed CIP the
Common Industrial Protocol; the encoding walked through here is the same.)
Hexadecimal packet data:
01 00 5e 40 2e 60 00 00 bc 03 4b 97 08 00 45 00
00 44 1f 17 00 00 01 11 3f 3e 83 c8 b9 6b ef c0
2e 60 ff ee 08 ae 00 30 86 3c 02 00 02 80 08 00
0f ca 01 08 e7 21 02 00 b1 00 16 00 a3 c8 3c 00
00 c8 50 05 fe 05 7a 20 ff 7f ff 7f ff 7f ff 7f
a1 2e
We will begin by examining the data in the Ethernet header. The Ethernet header is added to the
packet at the Data Link Layer of the OSI communications model.
Ethernet Header Data i.e., Frame Header: Data Link layer
01 00 5e 40 2e 60 00 00 bc 03 4b 97 08 00
01 00 5e 40 2e 60 The first field, the destination MAC address, is the hardware address of the
destination node of this packet. In this example the least significant bit of the first byte
(the I/G bit) is set, indicating that this is actually a multicast address. The prefix
01:00:5e is the one used for IPv4 multicast; the remaining 23 bits are taken from the
destination IP address, which we will check against the IP header below.
00 00 bc 03 4b 97 The second field is the source MAC address, the hardware address of the
originating node of this packet. (The first three bytes, 00:00:bc, are the vendor OUI
registered to Rockwell Automation/Allen-Bradley.)
08 00
The final field of the Ethernet header is the EtherType (protocol type) field. It identifies the
protocol carried in the next higher layer (the network layer of the OSI communication model).
In our case 08 00 (0x0800) indicates that the next higher protocol is Internet Protocol
version 4 (IPv4).
Internet Protocol (IP) Header Data i.e., Packet Header: Network Layer
45 00 00 44 1f 17 00 00 01 11 3f 3e 83 c8 b9 6b ef c0 2e 60
4
The first four bits of the IP header (the high nibble of 0x45) give the IP version. In this
case it is version 4.
5
The second four bits (the low nibble) give the IP header length, counted in 32-bit (4-byte)
words. The minimum and usual value is 5, i.e. 20 bytes. A value greater than 5 means that
options are present; a value less than 5 is an illegal header length and the datagram should
be discarded.
00
The next byte is the Type of Service byte. Its first three bits are the precedence, which tells
the IP gateways and routers along the path the relative importance of the data the datagram is
carrying; it is not often used, but is available. The next three bits are the Delay, Throughput
and Reliability bits: Delay, if set to 1, requests the route with the least propagation delay;
Throughput, if set to 1, requests that routers send the datagram over the paths with the highest
throughput; Reliability, if set to 1, requests the route with the least chance of lost data. The
last two bits are reserved and always 0. (RFC 2474 and RFC 3168 have since redefined this byte
as a 6-bit DSCP field plus a 2-bit ECN field, and a decoder written today should read it that
way; the value here is 0 under either interpretation.)
00 44
The Total Length field gives the length of the datagram in bytes, including the IP header and
all the data behind it: 0x0044 = 68 bytes, which is the 82-byte frame minus the 14-byte Ethernet
header. A decoder should reject a value larger than the bytes actually present (a smaller value
can be legitimate, because short frames are padded to the Ethernet minimum).
1f 17
The Identification field is a host-specific field that carries a number chosen by the host for
each datagram it sends. If fragmentation occurs in transit, every fragment of the datagram
carries the same Identification value so that the receiver can reassemble them.
00 00
The “fragmentation bytes” of the IP header hold the information needed if fragmentation is
necessary. The first bit is reserved and must be 0. The “Don’t Fragment” bit demands that the
datagram not be fragmented. The “More Fragments” bit is set when further fragments of the
original datagram are still to come. The thirteen Fragment Offset bits give the position of this
fragment within the original datagram, in 8-byte units. All bits are 0 here: there is no
fragmentation in our example.
01
The Time to Live byte is the number of hops (routers) the datagram may pass through before it is
discarded; each router decrements it by one. A value of 1 means the datagram will not be
forwarded off the local subnet, which is typical for multicast I/O traffic.
11
The Protocol field identifies the higher-level protocol carried in the datagram. In this
example the value is 0x11, decimal 17, which is User Datagram Protocol (UDP).
3f 3e
This is the IP header checksum field, which provides error checking on the IP header only, not
on the data that follows. Like every Internet checksum it detects accidental corruption only; it
is not a security control and can be recomputed by anyone who modifies the header.
83 c8 b9 6b
(131.200.185.107) This is the source IP address (IP address of the originating station).
ef c0 2e 60
(239.192.46.96) This is the target IP address (IP address of the destination station). In our
example it is a multicast group address in the administratively scoped 239.0.0.0/8 range, and
it is consistent with the destination MAC address: 01:00:5e followed by the low 23 bits of
239.192.46.96 gives 01:00:5e:40:2e:60.
User Datagram Protocol (UDP) Data i.e., Datagram Header: Transport Layer
ff ee 08 ae 00 30 86 3c
ff ee
This is the source port (0xffee = 65518), the port from which the data originates.
08 ae
This is the target port (0x08ae = 2222), the port the data is sent to. UDP port 2222 is the
EtherNet/IP port for implicit (Class 1 I/O) messaging, which is what this packet carries.
00 30
This is the message length (0x0030 = 48 bytes). It covers the UDP header and the data behind it,
and must equal the IP Total Length minus the IP header length (68 - 20 = 48).
86 3c
This is the UDP checksum, which is optional in IPv4 (a value of zero means it was not computed)
but is used by most implementations today. It is computed over a pseudo-header (source and
destination IP addresses, protocol number and UDP length) followed by the UDP header and data.
Control and Information Protocol (CIP) and Data
02 00 02 80 08 00 0f ca 01 08 e7 21 02 00 b1 00 16 00 a3 c8 3c 00 00 c8 50 05 fe 05 7a 20 ff 7f
ff 7f ff 7f ff 7f a1 2e
02 00
This is the Item Count, the number of “Common Packet Format” items that follow. Note that from
this point on every multi-byte field is little-endian (least significant byte first), the
opposite of the Ethernet, IP and UDP headers above, so 02 00 is the value 2. There must be at
least 2 items. For UDP CIP packets this value will always be 2: an address item followed by a
data item.
02 80
This is the Type ID, 0x8002, indicating that the first item is a Sequenced Address Item.
08 00
This is the length of the address data (8 bytes), which consists of the connection identifier
and the sequence number.
0f ca 01 08
This is the connection identifier, 0x0801ca0f when read little-endian. Each connection has a
unique identifier to differentiate it from other connections; the receiver uses it to match the
packet to an established connection.
e7 21 02 00
This is the Sequence Number, 0x000221e7 (139751), which indicates the order of packets on this
particular connection; the receiver uses it to detect duplicated or out-of-order packets.
b1 00
This is the Data Type ID, 0x00b1, indicating a Connected Data Item. (This is the only value we
will see in this field, since UDP I/O packets always carry a connected data item.)
16 00
This is the length of the data in the packet, 0x0016 = 22 bytes. Together with the fields above
(2 + 2 + 2 + 8 + 2 + 2 + 22 = 40 bytes) this accounts exactly for the 48-byte UDP length minus
the 8-byte UDP header, which is the consistency check a decoder should make before trusting
any of these length fields.
a3 c8 3c 00 00 c8 50 05 fe 05 7a 20 ff 7f ff 7f ff 7f ff 7f a1 2e
The data: the application payload of the I/O connection, whose layout is defined by the
connection's configuration rather than by EtherNet/IP itself. Note that nothing in the frame
authenticates its origin; the connection identifier and sequence number are the only state a
receiver can check an incoming packet against.
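The whole walk-through, carried out in code. This is an added example, not code from the
original document or from ODVA: it decodes the 82-byte frame above using the same field layout
the text describes, but also does what a decoder for untrusted traffic must do, namely reconcile
every length field against the bytes actually present, verify the IP and UDP checksums, and
recompute the multicast MAC from the group address. It goes slightly beyond the page's single
case by also accepting a Connected Address Item (type 0x00A1, 4 bytes, no sequence number) in
the first CPF slot; the constant names and the returned dictionary layout are this example's
own choices.

```python
"""Decoder for the EtherNet/IP UDP I/O frame dissected on this page.

Added example, not code from the walk-through or from ODVA. Byte order switches at the
CPF boundary: Ethernet, IP and UDP are big-endian, the Common Packet Format is
little-endian. Every length is checked against the bytes present before it is trusted.
"""
import ipaddress
import struct

# The 82-byte frame exactly as it appears on the page.
FRAME = bytes.fromhex(
    "01 00 5e 40 2e 60 00 00 bc 03 4b 97 08 00 45 00"
    "00 44 1f 17 00 00 01 11 3f 3e 83 c8 b9 6b ef c0"
    "2e 60 ff ee 08 ae 00 30 86 3c 02 00 02 80 08 00"
    "0f ca 01 08 e7 21 02 00 b1 00 16 00 a3 c8 3c 00"
    "00 c8 50 05 fe 05 7a 20 ff 7f ff 7f ff 7f ff 7f"
    "a1 2e"
)

CPF_SEQUENCED_ADDRESS = 0x8002  # 8 bytes: connection ID + 32-bit sequence number
CPF_CONNECTED_ADDRESS = 0x00A1  # 4 bytes: connection ID only (assumed here for generality)
CPF_CONNECTED_DATA = 0x00B1


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over a header whose field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def multicast_mac(group) -> bytes:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the IPv4 group address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return b"\x01\x00\x5e" + low23.to_bytes(3, "big")


def parse_frame(raw: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> UDP -> CPF, raising ValueError on any inconsistency
    rather than trusting the length fields carried in the frame."""
    if len(raw) < 42:                                  # 14 + 20 + 8 bytes of headers
        raise ValueError("frame too short")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError("ethertype 0x%04x is not IPv4" % ethertype)

    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, ip_csum,
     ip_src, ip_dst) = struct.unpack("!BBHHHBBH4s4s", raw[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl + 8 > total_len:
        raise ValueError("bad IP version or header length")
    if total_len > len(raw) - 14:                      # trailing padding is fine, a deficit is not
        raise ValueError("IP total length exceeds bytes on the wire")
    if internet_checksum(raw[14:14 + ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    if flags_frag & 0x3FFF:                            # MF set or non-zero offset
        raise ValueError("fragmented datagram not handled here")
    if proto != 17:
        raise ValueError("IP protocol %d is not UDP" % proto)

    udp = raw[14 + ihl:14 + total_len]
    sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
    if udp_len != len(udp):
        raise ValueError("UDP length %d != %d bytes present" % (udp_len, len(udp)))
    if udp_csum:                                       # 0 means not computed, legal in IPv4
        pseudo = ip_src + ip_dst + struct.pack("!BBH", 0, proto, udp_len)
        if internet_checksum(pseudo + udp) != 0:
            raise ValueError("UDP checksum mismatch")

    body = udp[8:]                                     # CPF: little-endian from here on
    if len(body) < 6:
        raise ValueError("CPF header truncated")
    item_count, addr_type, addr_len = struct.unpack_from("<HHH", body, 0)
    if item_count != 2:
        raise ValueError("expected 2 CPF items, got %d" % item_count)
    if addr_type == CPF_SEQUENCED_ADDRESS and addr_len == 8 and len(body) >= 18:
        conn_id, seq = struct.unpack_from("<II", body, 6)
    elif addr_type == CPF_CONNECTED_ADDRESS and addr_len == 4 and len(body) >= 14:
        (conn_id,), seq = struct.unpack_from("<I", body, 6), None
    else:
        raise ValueError("unsupported or truncated address item 0x%04x" % addr_type)
    off = 6 + addr_len
    data_type, data_len = struct.unpack_from("<HH", body, off)
    data = body[off + 4:off + 4 + data_len]
    if data_type != CPF_CONNECTED_DATA or len(data) != data_len:
        raise ValueError("bad or truncated connected data item")

    group = ipaddress.IPv4Address(ip_dst)
    return {
        "eth": {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype,
                "dst_matches_group": group.is_multicast and dst == multicast_mac(group)},
        "ip": {"ihl": ihl, "tos": tos, "total_length": total_len, "id": ident,
               "df": bool(flags_frag & 0x4000), "ttl": ttl, "protocol": proto, "checksum": ip_csum,
               "src": str(ipaddress.IPv4Address(ip_src)), "dst": str(group)},
        "udp": {"sport": sport, "dport": dport, "length": udp_len, "checksum": udp_csum},
        "cpf": {"address_type": addr_type, "connection_id": conn_id, "sequence": seq,
                "data_type": data_type, "data_length": data_len, "data": data},
    }
```

Calling `parse_frame(FRAME)` returns the values the walk-through derives by hand (source
131.200.185.107, group 239.192.46.96 with a matching 01:00:5e:40:2e:60 MAC, UDP 65518 to 2222,
connection 0x0801ca0f, sequence 0x000221e7, 22 data bytes). Flipping a single header bit, or
raising the data-item length above the bytes present while zeroing the optional UDP checksum,
makes it raise instead of returning a partly wrong decode.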