Analyzing GCode with Wireshark, lots of Gcode Duplicates in Packet Capture, Why?


I have been working on project where I am interested in using Wireshark to analyze Gcode instructions as they travel through my instance of Repetier Server (running on Raspberry pi) and into my printers.

I have successfully been able to view and monitor Gcode instructions in my packet captures and confirm them in the print.log files. All is good.

The issue I am having is that I am finding the some Gcode instructions are present in the wireshark packet capture multiple times. In fact I have observed the same Gcode instruction up to 60+ times in one packet capture. Why is this? It seems as though there entire chunks of duplicated Gcode being observed in Wireshark. I even searched for specific lines of Gcode that would only run one time in a print and they too appeared multiple times in my packet capture?

Furthermore, I have observed Gcode instructions in my Wireshark captures that were NOT present in the Print.log files and I am unsure as to why they are listed in my packet capture and the only data that should be in my Wireshark capture is the data from the Gcode file I selected.

For example, "N11162 G1 X83.925 Y81.942 E11.77469" this line of Gcode appears 20+ times in my Wireshark Capture TCP Stream. But is not a command that can be found in my Print.log file. Why is it showing up in my Wireshark capture? Any help appreciated.


  • I wonder you see it at all. We send gcode to printer via usb. On network you see it when you are watching console. But without knowing what exactly you are monitoring and how many connections it is hard to say. When you check the websocket in browser you can see the frames send forth and back which is easier to read I guess. That is the data send via network and should be the same you see. Of course every open connected browser window has one of these sockets for communication.
  • edited May 4
    So I am running Repetier server connected to 2 printers. And I am monitoring over the network (ethernet). I have a laptop connected to a Raspberry pi running Repetier server which is then connected to the printers. When I send a print to the printers I can see the gcode that was sent to each printer, but seems like every command sent to both printers is duplicated multiples times. Even if I were only using one printer, the commands are repeated even though they are a single command. like I said, some chunks of commands seen in Wireshark will be repeated 60+ times. I am wondering if Repetier has any underlying processes that may be echoing every command coming across the wire and maybe that is why I am seeing lots of duplicates of the same commands?

  • Can you show a screenshot of what you mean. I have only once used wireshark so not familiar with what you see. Does it only show new package or does it resemble the connection and repeat the data for all blocks with every new package added to it. Also which url are you monitoring?

    I'm pretty sure I'm not sending same command 60 times, but there are queries that get repeated every x seconds e.g. printer status. But without seeing the complete message I have no idea which communication part you are seeing so hard to give qualified responses. You can use for example to upload images and post links here.
  • edited May 4
    I would be able to send you a screenshot but I think it would be more confusing to try and decipher the lines only via a screenshot.
    I have actually decided to monitor the Websocket traffic in Browser and it is slightly easier to read. Now my question is this: When monitoring the websocket traffic I am seeing Gcode in the response frames even though my printer is sitting Idle? I am not sending any prints to my printers and yet I am still able to see lines of gcode being transmitted

    Does repetier save gcode from previously run prints? I am unsure as to why I am seeing gcode responses from the server while the printers are sitting idle. Is repetier just echoing previously run commands?
  • There is at least a request to log to say to return the last 1000 lines instead of only the new ones. This should be called when you change log options in console, otherwise only the additional communication should be shown. The request "action":"response" queries past communication starting with start and when start is 0 it copie sthe last 1000 lines or so. Response the looks like this:
    { "lastid": 2997, "lines": [ { "id": 1998, "text": "N532 M105", "time": "19:55:50", "type": 1 }, { "id": 1999, "text": "ok 532", "time": "19:55:50", "type": 2 }, { "id": 2000, "text": "T:25.47 /0 @:0 T0:25.47 /0 @0:0 T1:25.47 /0 @1:0", "time": "19:55:50", "type": 2 }, { "id": 2001, "text": "wait", "time": "19:55:51", "type": 2 }, { "id": 2002, "text": "N533 M105", "time": "19:55:51", "type": 1 }, { "id": 2003, "text": "ok 533", "time": "19:55:51", "type": 2 }, { "id": 2004, "text": "T:25.35 /0 @:0 T0:25.35 /0 @0:0 T1:25.47 /0 @1:0", "time": "19:55:51", "type": 2 } ], "state": { "activeExtruder": 0, "debugLevel": 6, "extruder": [ { "output": 0, "tempRead": 25.4, "tempSet": 0 }, { "output": 0, "tempRead": 25.39999961853027, "tempSet": 0 } ], "fanOn": false, "fanVoltage": 0, "firmware": "Repetier_0.92", "firmwareURL": "", "flowMultiply": 100, "hasXHome": false, "hasYHome": false, "hasZHome": false, "heatedBed": { "output": 0, "tempRead": 0, "tempSet": 0 }, "layer": 0, "numExtruder": 2, "powerOn": false, "sdcardMounted": true, "speedMultiply": 100, "x": -21, "y": 0, "z": 0 } }

    When I add a "lines" filter in chrome websocket stream I only see incremental updates. But again if you post one of the responses and request to it, it is easier to answer. I'm very interested just because if it repeats all it is not meant to happen, just I do not see it where I'm looking for it. So either you look at something different or there is a case where it happens.

  • Yes When I was observing the Websocket traffic in Fire fox the request "action":"response" is what I was referring to. That is helpful to know that it queries past communication of the last 1000 lines. That likely explains why I see lots of duplicates of Gcode that has already been run showing up in my wireshark captures.

    Im curious though, why does Repetier server save/query the last 1000 lines of code? And also, why does it broadcast it as network traffic. I am a cybersecurity student and being able to see that type of information in plaintext transmitted over the network may be a serious security concern if there was a bad actor on my network.

    I am just interested in seeing the live, incremental updates of my gcode passing over the wire. If I am just interested in the traffic passing over USB to the Printers I should theoretically only see the gcode I manually send to the printer correct? I shouldn't see all the websocket requests and replies if I am just focusing on USB traffic.

    I appreciate your timely responses also, I have learned alot from this project and being able to use Repetier, Im glad I was actually able to receive helpful replies from you.

  • Note that only when start is 0 you get all lines. That normally does only happen when you change console settings so gui can refetch communication with new filter settings. Every response has a position pointer like "lastid": 2997, and next request should set start to that value, which is does in my check for the normal gui.
  • Understood, Yes I can see that when the Start value is zero, the server returns the last 1000 lines, which also seems to just be whatever lines are present in the console log of the printer.

    So since I am only interested in the the gcode instructions that are sent to the printer over the network is there anyway I can tell the server to stop echoing the last 1000 lines or can I manually set the start value to something other than '0' so that the "action":"response" requests are not clogging my Packet captures with thousands of lines of repeated Gcode?        

    Again the main goal for me here is to
    1. Send a gcode file to 2 printers via Repetier server
    2. use wireshark to capture the network traffic so that I can view the instructions being sent to the printers

    The issue I am running into is, as you said, the server is returning the last 1000 lines of code every time a "action":"response" request is made. This is causing my packet captures to be incredibly clogged with lines of gcode that have already been ran.

  • Ok, no idea how I could miss that, but it is a bug in the gui code. It requests every 3 seconds complete backlog, while there is a log event adding updates as well. I will update log handling for next update so we reduce traffic for 1.0.5 onwards.

    What exactly are you trying to do that you need to monitor network traffic to get some data? That sounds like the worst solution possible since it means you need to have at least one gui running so you get the traffic at all. In server you can add scanners for communication in/out and execute actions when some you are interest in are send. When log options are not set to watch commands they even will not be in the data communication, and of course I have not to say that it very error prone.

    You can also make your own websocket channel and just send you are interested in log lever xy and get all data in "log" events free house. No need for the wireshark hack.
  • Ok great, and to answer your question, it does seems like a bad solution using wireshark to monitor traffic but in my situation I am trying to understand the raw traffic as it passes over the network, specifically the gcode files for a print, so I want to be able to see everything. Wireshark is just the tool I used to look at this data. The same data can be seen in the Websocket analzyer in firefox.

    I may try making my own websocket. Or attempt to view the raw USB traffic. Thank you for your replys and help.

  • Repetier said:

    In server you can add scanners for communication in/out and execute actions when some you are interest in are send. When log options are not set to watch commands they even will not be in the data communication, and of course I have not to say that it very error prone.
    Would you be able to provide some clarification for where I can add these "scanners". This sounds like it would be very helpful for my situation

  • In printer configuration->g-code there are rules to analyse responses and also to modify g-code that is about being send. Both can trigger extra commands or events you can watch for.

    BTW: The function that always read the 1000 lines was not interested in the log but in the state part, so it will not check any line in future. Only when you are in console logs will be queried at start, but still the log event is set to provide matching data. But that is initially off for ack and commands.
Sign In or Register to comment.