CIP Packet Walk-Through

This document will walk through the following EtherNet/IP packet, including the Ethernet header, Internet Protocol (IP) header, User Datagram Protocol (UDP) header, and the Control and Information Protocol (CIP) header and data.

Hexadecimal packet data:

01 00 5e 40 2e 60 00 00 bc 03 4b 97 08 00 45 00 00 44 1f 17 00 00 01 11 3f 3e
83 c8 b9 6b ef c0 2e 60 ff ee 08 ae 00 30 86 3c 02 00 02 80 08 00 0f ca 01 08
e7 21 02 00 b1 00 16 00 a3 c8 3c 00 00 c8 50 05 fe 05 7a 20 ff 7f ff 7f ff 7f
ff 7f a1 2e

We will begin by examining the data in the Ethernet header. The Ethernet header is added to the packet at the Data Link Layer of the OSI communications model.

Ethernet Header Data, i.e., Frame Header: Data Link Layer

01 00 5e 40 2e 60 00 00 bc 03 4b 97 08 00

01 00 5e 40 2e 60
This first field, the target MAC address, is the hardware address of the destination node of this packet. In this example, the least significant bit of the first byte is set, which indicates that this is actually a multicast address.

00 00 bc 03 4b 97
The second field is the source MAC address. This is the hardware address of the originating node of this packet.

08 00
The final field of the Ethernet header is the protocol type field. It refers to the type of protocol that appears in the next higher layer (the Network Layer of the OSI communications model). In our case, 08 00 indicates that the next higher protocol is Internet Protocol (IP).
Internet Protocol (IP) Header Data, i.e., Packet Header: Network Layer

45 00 00 44 1f 17 00 00 01 11 3f 3e 83 c8 b9 6b ef c0 2e 60

4 (the first half of the byte 45)
The first four bits of the IP header indicate the IP version that is being used. In this case it is version 4.

5 (the second half of the byte 45)
The second four bits represent the IP header length. The length is the number of 32-bit (4-byte) data words. The default value is 5, or 20 bytes. If this field is greater than 5, it indicates that options are present. If the field is less than 5, it is an illegal header length.

00
The next byte of the header represents the precedence and type of service of the data. The precedence tells the receiving IP gateways and routers along the network path the importance of the data it is carrying. It is not often used, but is available. The last five bits of this byte are the type of service bits. The Delay bit, if set to 1, requests a route with the least amount of propagation delay. The Throughput bit, if set to 1, requests that IP routers have the datagram travel over the paths with the highest throughput. The Reliability bit, if set to 1, requests that the datagram travel over the route with the least chance of lost data. The last two bits are reserved and always 0.

00 44
The total IP length field indicates the total length of the datagram, including the IP header and all the data behind it.

1f 17
The datagram ID number is a host-specific field that carries a unique ID number for each datagram sent by the host. If fragmentation occurs during transit, each fragment of the datagram will have the same datagram ID number.

00 00
The "fragmentation bytes" of the IP header contain data for use if fragmentation is necessary. The "Don't Fragment" bit demands that the message not be fragmented. The "More Fragments" bit is set when there are additional fragments of the original datagram to be sent. The thirteen Fragment Offset bits contain the offset of this particular fragment in the original message. There is no fragmentation in our example.

01
The Time to Live byte indicates the number of hops (or routers) the datagram can travel through before being discarded.

11
The Protocol field indicates the ID number of the higher-level protocol. In this example, the ID number is 0x11 (17 in decimal), which represents User Datagram Protocol (UDP).

3f 3e
This is the IP header checksum field, which provides error checking on the IP header only, not on the data.

83 c8 b9 6b (131.200.185.107)
This is the source IP address (the IP address of the originating station).

ef c0 2e 60 (239.192.46.96)
This is the target IP address (the IP address of the destination station). In our example, this actually represents a multicast address.

User Datagram Protocol (UDP) Data

ff ee 08 ae 00 30 86 3c

ff ee
This is the source port, where the data originates from.

08 ae
This is the target port, where the data is sent to.

00 30
This is the message length. It refers to the length of the total message, including the data and the UDP header.

86 3c
This is the UDP checksum, which is optional but is used in most applications today.

Control and Information Protocol (CIP) and Data

02 00 02 80 08 00 0f ca 01 08 e7 21 02 00 b1 00 16 00 a3 c8 3c 00 00 c8 50 05
fe 05 7a 20 ff 7f ff 7f ff 7f ff 7f a1 2e

02 00
This is the Item Count. It is the number of "Common Packet Format" items to follow. There must be at least 2.
For UDP CIP packets, this value will always be set to 2.

02 80
This is the Type ID, indicating that this is a Sequenced Address Type.

08 00
This is the length of the address data, which includes the connection identifier and the sequence number.

0f ca 01 08
This is the connection identifier. Each connection has a unique identifier to differentiate it from other connections.

e7 21 02 00
This is the Sequence Number, which indicates the sequence of packets for this particular connection.

b1 00
This is the Data Type ID, indicating a connected data type. (This is the only value that we will see in this field, since we will always have a connected data type.)

16 00
This is the length of the data in the packet. There are twenty-two bytes of data.

a3 c8 3c 00 00 c8 50 05 fe 05 7a 20 ff 7f ff 7f ff 7f ff 7f a1 2e
The data.
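The walk-through above decodes each field by eye. The parser below is an added example, not part of the original document, that decodes the same 82 bytes in code, layer by layer, and does what a defender's decoder should do before trusting any field: it checks the IP total length, the UDP length and every Common Packet Format item length against the bytes actually present, and it recomputes both the IP header checksum and the UDP checksum (with its pseudo-header). Note the byte-order change at the CIP layer: Ethernet, IP and UDP fields are big-endian, while the CPF item count, type IDs, lengths, connection identifier and sequence number are little-endian, which is why the bytes 02 80 on the wire are the Sequenced Address type 0x8002. The PACKET constant is built from the page's hex dump; the dictionary keys and function names are my own choices.

```python
import struct

# The 82-byte EtherNet/IP frame from the walk-through, constructed here from
# the page's hexadecimal packet data.
PACKET = bytes.fromhex(
    "01 00 5e 40 2e 60 00 00 bc 03 4b 97 08 00 45 00 00 44 1f 17 00 00 01 11 "
    "3f 3e 83 c8 b9 6b ef c0 2e 60 ff ee 08 ae 00 30 86 3c 02 00 02 80 08 00 "
    "0f ca 01 08 e7 21 02 00 b1 00 16 00 a3 c8 3c 00 00 c8 50 05 fe 05 7a 20 "
    "ff 7f ff 7f ff 7f ff 7f a1 2e"
)

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17                 # the 0x11 protocol byte in the walk-through
CPF_SEQUENCED_ADDRESS = 0x8002   # "02 80" on the wire, little-endian
CPF_CONNECTED_DATA = 0x00B1      # "b1 00" on the wire, little-endian


def inet_checksum(data: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, complemented.
    Feeding in a header that already contains its checksum returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> UDP -> CIP Common Packet Format, checking
    every length and checksum field against the bytes that follow it."""
    out = {}
    # --- Ethernet header (14 bytes, big-endian) ---
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["eth_dst_multicast"] = bool(dst[0] & 0x01)   # I/G bit of first byte
    out["eth_src"] = ":".join("%02x" % b for b in src)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4: ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    # --- IPv4 header (big-endian) ---
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, hcksum = \
        struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("bad version/IHL byte 0x%02x" % ver_ihl)
    out["ip_ttl"] = ttl
    out["ip_dont_fragment"] = bool(flags_frag & 0x4000)
    out["ip_more_fragments"] = bool(flags_frag & 0x2000)
    out["ip_src"] = ".".join(str(b) for b in ip[12:16])
    out["ip_dst"] = ".".join(str(b) for b in ip[16:20])
    out["ip_len_ok"] = total_len == len(ip)  # declared length vs bytes present
    out["ip_cksum_ok"] = inet_checksum(ip[:ihl]) == 0
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP: protocol %d" % proto)
    udp = ip[ihl:total_len]
    # --- UDP header (big-endian) ---
    sport, dport, ulen, ucksum = struct.unpack("!HHHH", udp[:8])
    out["udp_sport"], out["udp_dport"] = sport, dport
    out["udp_len_ok"] = ulen == len(udp)
    # The UDP checksum also covers a pseudo-header: both IP addresses, a zero
    # byte, the protocol number and the UDP length. A zero checksum means
    # "not computed" and is accepted as such.
    pseudo = ip[12:20] + struct.pack("!BBH", 0, proto, ulen)
    out["udp_cksum_ok"] = ucksum == 0 or inet_checksum(pseudo + udp) == 0
    # --- CIP Common Packet Format (little-endian): count, then typed items ---
    payload = udp[8:]
    (item_count,) = struct.unpack("<H", payload[:2])
    pos, items = 2, []
    for _ in range(item_count):
        type_id, length = struct.unpack("<HH", payload[pos:pos + 4])
        body = payload[pos + 4:pos + 4 + length]
        if len(body) != length:              # declared item length vs present
            raise ValueError("CPF item 0x%04x truncated" % type_id)
        items.append((type_id, body))
        pos += 4 + length
    out["cpf_item_count"] = item_count
    out["cpf_trailing_bytes"] = len(payload) - pos
    for type_id, body in items:
        if type_id == CPF_SEQUENCED_ADDRESS:
            out["cip_connection_id"], out["cip_sequence"] = struct.unpack("<II", body)
        elif type_id == CPF_CONNECTED_DATA:
            out["cip_data"] = body
    return out


if __name__ == "__main__":
    for key, value in parse_frame(PACKET).items():
        print("%-20s %s" % (key, value.hex(" ") if isinstance(value, bytes) else value))
```

Run as a script, it prints the same decode the walk-through reached by hand: a multicast destination MAC, source 131.200.185.107 to 239.192.46.96, TTL 1, both checksums valid, source port 65518 to destination port 2222 (the UDP port EtherNet/IP uses for this implicit I/O traffic), two CPF items, connection identifier 0x0801ca0f, sequence number 0x000221e7, and a 22-byte connected data item with no bytes left over. Cutting the frame short raises ValueError at the item whose declared length exceeds what is present, and changing any data byte turns udp_cksum_ok False, which is exactly the kind of consistency checking an industrial protocol monitor needs before it acts on length fields supplied by the network.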