S7 Communication (S7comm)

S7comm (S7 Communication) is a Siemens proprietary protocol that runs between programmable logic controllers (PLCs) of the Siemens S7-300/400 family.

It is used for PLC programming, exchanging data between PLCs, accessing PLC data from SCADA (supervisory control and data acquisition) systems and diagnostic purposes.

The S7comm data comes as payload of COTP data packets. The first byte is always 0x32 as protocol identifier. Special communication processors for the S7-400 series (CP 443) may use this protocol without the TCP/IP layers.

OSI layer



Application Layer

S7 communication


Presentation Layer

S7 communication


Session Layer

S7 communication


Transport Layer

ISO-on-TCP (RFC 1006)


Network Layer



Data Link Layer



Physical Layer


To establish a connection to a S7 PLC there are 3 steps:

  1. Connect to PLC on TCP port 102
  2. Connect on ISO layer (COTP Connect Request)
  3. Connect on S7comm layer (s7comm.param.func = 0xf0, Setup communication)

Step 1) uses the IP address of the PLC/CP.

Step 2) uses as a destination TSAP of two bytes length. The first byte of the destination TSAP codes the communication type (1=PG, 2=OP). The second byte of the destination TSAP codes the rack and slot number: This is the position of the PLC CPU. The slot number is coded in Bits 0-4, the rack number is coded in Bits 5-7.

Step 3) is for negotiation of S7comm specific details (like the PDU size).


The protocol is used by Siemens since the Simatic S7 product series was launched in 1994. The protocol is also used on top of other physical/network layers, like RS-485 with MPI (Multi-Point-Interface) or Profibus.

Protocol dependencies

S7 communication consists of (at least) the following protocols:

Example traffic



The S7comm dissector is partially functional.

Preference Settings

(XXX add links to preference settings affecting how PROTO is dissected).

Example capture file

Display Filter

A complete list of PROTO display filter fields can be found in the display filter reference

Show only the S7comm based traffic:


Capture Filter

You cannot directly filter S7comm protocols while capturing.

S7comm uses port 102, so it is possible to capture S7comm data by using the capture filter

tcp port 102 


S7comm (last edited 2016-05-13 21:10:09 by ThomasWiens)