Network record with TCPdump


With the command "tcpdump" it is possible to capture all the Ethernet communication packets the controller receives and sends.
This is a useful feature for analysing network applications and possible misbehaviour of network devices.

See also the tutorial video "WinSCP and a few useful Linux commands".

You can find the complete documentation of "tcpdump" on

Example recording

Often it is necessary to record the network communication over a long period of time to capture sporadic errors.
For this kind of recording, a ring buffer is a good compromise between recording time and memory used on the device.

This example shows how to set up a ring buffer that stores the captured packets (TCP on port 502, i.e. Modbus TCP) in 10 files, with each file up to 10 MB in size.
When the last file has reached 10 MB, the first one is overwritten.

Example command: "sudo tcpdump -s 0 -W 10 -C 10 -w testfile -i eth0 tcp port 502"

Please note: You must be logged in as super user.

Parameter       Description
sudo tcpdump    Calls the program
-s 0            Sets the maximum recorded packet size to 262144 bytes
-W 10           Number of files = 10
-C 10           Size of each file in million bytes (not MB)
-w testfile     Filename where the recording is stored (testfile0 ... testfile9)
-i eth0         Selects the Ethernet interface to be recorded = eth0
tcp port 502    Filter setup = only Modbus TCP packets are recorded

Table 1: tcpdump ring buffer configuration

The recorded files can be displayed directly in the shell ("tcpdump -r filename") or downloaded, e.g. with WinSCP (see "How to use WinSCP"), and opened with Wireshark. For the second option, the default download path on your controller is /opt/plcnext.
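
The following shell helpers are an added example, not part of the original article. They check that a directory has room for the whole ring and list the ring files oldest first, because once the ring has wrapped the file numbers no longer follow the recording order. The function names are hypothetical, and using /opt/plcnext as the capture directory is an assumption.

```shell
#!/bin/sh
# Added example: helpers for the ring buffer written by
#   sudo tcpdump -s 0 -W 10 -C 10 -w testfile -i eth0 tcp port 502
# Function names are hypothetical and not part of tcpdump.

# Nominal disk usage of the ring in bytes:
# (-W number of files) x (-C size in units of 1,000,000 bytes).
ring_bytes() {
    echo $(( $1 * $2 * 1000000 ))
}

# Succeeds if directory $1 has enough free space for a ring of
# $2 files (-W) with $3 million bytes each (-C).
ring_fits() {
    need_kb=$(( $(ring_bytes "$2" "$3") / 1024 + 1 ))
    # df -P prints one line per filesystem; column 4 is the free space in KB.
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ]
}

# Prints the ring files for prefix $1 (e.g. "testfile") oldest first.
# After the ring has wrapped, testfile0 can be newer than testfile9,
# so the files are ordered by modification time, not by number.
ring_chrono() {
    ls -1tr "$1"[0-9]* 2>/dev/null
}

# Usage on the controller (assumes the capture runs in /opt/plcnext):
#   cd /opt/plcnext
#   ring_fits . 10 10 && sudo tcpdump -s 0 -W 10 -C 10 -w testfile -i eth0 tcp port 502
#   for f in $(ring_chrono testfile); do tcpdump -n -r "$f"; done
```
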

If you would like to stream the tcpdump recording directly to your remote PC, see the following FAQ:
Can I send TCP-dump traffic to a remote location for more/longer analysis