How to Use Wireshark to Capture and Analyze EtherCAT Packets?

Applicable Scenarios

EtherCAT boasts excellent openness, fast speed, and low implementation costs, allowing customers to choose from an almost limitless range of slave devices – I/O, drives, sensors, and more. Consequently, it is common to see a control system incorporating EtherCAT slave devices from various brands in the field. When EtherCAT communication errors arise, such as Sync Lost or Data Invalid, troubleshooting is necessary, as the issue may stem from any one of the slaves, sometimes making the process quite cumbersome.

The TwinCAT development environment provides comprehensive diagnostic functions, and Beckhoff, along with the ETG, has also introduced EtherCAT diagnostic guidelines. The more thoroughly users understand the transmission mechanism of EtherCAT, the easier it becomes to pinpoint the source of faults during diagnosis. At a minimum, users should comprehend concepts such as Working Counter, Sync Unit, Task, Frame, Mailbox, and, for those using servo drives or XFC functionality, the concept of the DC clock.

While there is an abundance of PPT and PDF materials on this subject, seeing is believing. The Wireshark software tool, paired with the appropriate hardware, can capture Frames from any location within the EtherCAT network and analyze their composition. Each Frame is timestamped, and observing all Frames within a certain time frame not only aids in identifying abnormalities but also deepens understanding of the EtherCAT transmission mechanism. Almost every technical detail related to EtherCAT and the impact of each setting option can be analyzed and verified through captured Frames. It's like observing bacteria under a microscope – not only knowing they exist but also seeing their quantity, types, shapes, and activities, verifying each relevant description in medical textbooks. 

Introduction to Wireshark's Packet Capture Functionality

If the controller is running a standard Windows system, you can directly install the Wireshark tool software to capture EtherCAT data frames from the local network interface. As shown in the figure:



  This method has certain limitations: it does not support WindowsCE or TC/BSD, nor does it support third-party controllers; it is not suitable for analyzing data with precise timing requirements for cyclic refreshes or clock synchronization issues; and it lacks precise timestamps to indicate CRC errors.

Beckhoff provides specialized hardware, the ET2000, which can be connected to any junction in the network:


 The ET2000 can capture data packets from up to 4 links simultaneously. Simply connect its upstream network port to a PC with Wireshark installed, and you can capture and analyze the data. The ET2000 provides timestamping at the nanosecond level, can detect CRC errors, and supports any operating system.

Wireshark supports the EtherCAT protocol, allowing it to parse all contents of EtherCAT data packets. It enables precise analysis from bits to individual datagrams, allowing you to see various specific function frames sent during the master station initialization phase, observe the process data of each slave station during the OP phase, and track changes in the Working Counter of round-trip data packets, among other things. As shown in the figure:


These data packets can be marked for anomalies or filtered for display.

They can be saved as-is and sent to remote engineers for analysis in Wireshark, or only the filtered content can be exported and analyzed in Excel.

Wireshark Usage and Application Examples

I've been using Wireshark for some time, but after seeing the PPT created by ETG experts, I realized there were so many hidden features I hadn't utilized before. It's a powerful analysis tool.

Special Note: The ET2000 cannot pinpoint all the root causes of EtherCAT faults, but it provides more in-depth and detailed first-hand information from the field. Identifying the causes of faults still relies on experienced engineers to analyze this information. Additionally, TwinCAT's diagnostic interface already includes most diagnostic functions, meeting basic diagnostic needs.  

Possibility of Using Regular Switches for Packet Capture

Due to the high cost of the ET2000, not every engineer has access to it. Through testing, it has been found that certain regular switches can largely replace the functionality of the ET2000 for EtherCAT packet capture, but with a few notes:

  • Timestamp Resolution: The biggest difference between regular switches and the ET2000 is the timestamp resolution. Regular switches typically provide timestamps at the microsecond (us) or 1000ns level, while the ET2000 offers timestamps at 0.01us or 10ns. This means that if two frames are within 1us of each other, Wireshark will recognize them as "simultaneous." In other words, the regular switch cannot distinguish time differences below 1us.

  • Potential Adverse Effects: The impact of regular switches on normal EtherCAT communication has not been fully evaluated. Short-term testing under laboratory conditions did not reveal any significant impact. However, the product specifications indicate a packet buffer size of 448k.

  • Other Options: On Amazon, we found an "EtherCAT/Profinet/Powerlink Ethernet Analyzer, EtherCAT Packet Capture Tool" that claims to offer 1ns timestamp resolution. The price is not cheap, and there is no branded manufacturer, suggesting it may be a DIY project by enthusiasts in the industry.

  • Not Recommended: RJ45 Splitters. Some products available on Amazon, which do not even require power and simply split electrical signals, do not have frame buffering capabilities. This physical layer modification to EtherCAT transmission can significantly affect it, with changes in contact resistance and EMC performance potentially impacting normal EtherCAT communication. Therefore, their use is not recommended.