How to see the OPCUA connection with Wireshark

Hi everyone,

I am trying to monitor the OPC UA connection between Ignition and client with Wireshark. I set Wireshark to check ports 4096 and 8088 but I am only seeing TCP/UDP communications. I am trying to achieve something like the snapshot in the attached file. Pleaseeee!!! Could anyone help? I have been on this for days.
Thanks

Ayodele Fasika


Make sure the connection has no security set up on it.

Yeah, but I already disabled the firewalls on the client and on the server systems. I am thinking perhaps there’s something I’m missing or something I did not do.

I mean in the UA connection settings, you have to turn encryption off.

Hi, thanks, we tried it already. I changed the setting in the OPC Connections from SignAndEncrypt to just Sign, but I’m still not getting communications. Also, in Wireshark I am listening on ports 8088 and 4096; could this be the problem? I am still seeing only TCP/UDP communication.
Do you perhaps have any more suggestions?

Thanks

Do you have Wireshark running on a 3rd machine?

Ok let me explain the configuration:
Ignition server is installed on a system with a PLC connected to it. I connected to the PLC from a client PC through the server; the connection was established and we can see that it is connected. I tried to monitor the communication using Wireshark on the server and on the client system, but I have not been successful so far.
I need to present this product to my superiors but I want to show them the OPC UA communication with Wireshark.
Thanks

Wireshark must be running on the same computer as the Ignition server. The only way that I know of to get around this is to use port mirroring on your router.

If your server has multiple NICs make sure the Wireshark capture is started for the one that Ignition is going through to communicate to the PLC.

Keep in mind that Wireshark will show all communications going in and out of the server, including non-Ignition communications. It can get very confusing trying to narrow down on the packets of interest. You can use the filter, but I find it best to set the capture filter to the PLC’s IP address and not by port, as shown in the attached image.

Notice in the image behind the dialogs that only packets that involve IP address 10.20.4.55 are shown.


You should set both the “Security Policy” and “Message Security Mode” settings to None.

Thanks for the tip, I already tried it. If you see the attached image, 192.168.0.30 is the server and 192.168.0.1 is the PLC; I did everything you asked. It is giving me TCP packets. Maybe it is because I am new to this field, but I was expecting to see OPC UA secure message packets just like the first screenshot at the beginning of this conversation thread. Or is there a way I can analyze this to prove that it is OPC UA? I already tried to do some research but I wasn’t successful. I would appreciate any more suggestions you may have.
I just started working in this field 2 weeks ago.

Thanks


Hi,
Thanks, I think I figured it out. When I followed a TCP packet I saw the encrypted information shown in the snapshot; I guess this is the connection.
Thanks


No problem, we all had to start at the beginning.

What type of PLC are you connecting with?

When viewing the communications between an OPC-UA server and a PLC, you will not see the OPC-UA protocol show up in Wireshark. That is, unless the PLC has a built-in OPC-UA server (I can only hope this will be the case in the future). Instead, you will see protocols like Modbus, EIP, CIP, in some cases just TCP packets, etc., depending on the brand and model of the PLC you are communicating with.

You will see OPC-UA protocol packets in Wireshark if you configure Ignition to connect to an external OPC-UA server (such as Kepware).

Thank you very much!!!
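
One way to check whether the bytes of a followed TCP stream are OPC UA, which the thread asks about: this is an added example, not part of the original posts. It parses the 8-byte OPC UA binary message header, then reads the endpoint URL from a Hello message and the security policy from an OpenSecureChannel message. The function names are hypothetical and the sample payloads are constructed, not captured traffic.

```python
import struct

# Message types defined for the 8-byte OPC UA TCP (binary) header.
MESSAGE_TYPES = {b"HEL", b"ACK", b"ERR", b"RHE", b"OPN", b"MSG", b"CLO"}
POLICY_PREFIX = "http://opcfoundation.org/UA/SecurityPolicy#"


def read_ua_string(buf, off):
    """Decode a UA String: Int32 length (-1 means null) followed by the bytes."""
    (length,) = struct.unpack_from("<i", buf, off)
    if length < 0:
        return ""
    if off + 4 + length > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:off + 4 + length].decode("utf-8")


def classify_payload(payload):
    """Describe the first OPC UA message in a TCP payload, or return None."""
    if len(payload) < 8 or payload[:3] not in MESSAGE_TYPES:
        return None
    if payload[3] not in b"FCA":  # chunk flag: Final, Continue, Abort
        return None
    (size,) = struct.unpack_from("<I", payload, 4)
    if size < 8 or size > len(payload):
        return None  # length field does not fit: not a complete UA message
    info = {"type": payload[:3].decode("ascii"), "size": size}
    try:
        if info["type"] == "HEL":
            # Body: ProtocolVersion and four limits (5 x UInt32), then EndpointUrl.
            info["endpoint"] = read_ua_string(payload, 8 + 20)
        elif info["type"] == "OPN":
            # Body: SecureChannelId (UInt32), then SecurityPolicyUri.
            uri = read_ua_string(payload, 8 + 4)
            info["policy"] = uri.replace(POLICY_PREFIX, "")
    except (struct.error, ValueError, UnicodeDecodeError):
        return None
    return info


# Constructed sample payloads (not captured traffic); helpers are hypothetical.
def _frame(mtype, body):
    return mtype + b"F" + struct.pack("<I", 8 + len(body)) + body

def _s(text):
    return struct.pack("<i", len(text)) + text.encode()

SAMPLE_HEL = _frame(b"HEL", struct.pack("<5I", 0, 65536, 65536, 0, 0) + _s("opc.tcp://192.168.0.30:4096"))
# Trailing zero bytes stand in for the certificate fields and message body.
SAMPLE_OPN = _frame(b"OPN", struct.pack("<I", 0) + _s(POLICY_PREFIX + "Basic256Sha256") + b"\x00" * 32)
SAMPLE_MODBUS = bytes.fromhex("000100000006010300000002")  # Modbus/TCP read request
```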