This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I need a tool to log Ethernet based Modbus TCP transactions to/from a specific IP address different than the PC running Wireshark. Can I do this with Wireshark and can you point me to someone that can push me off in the right direction after I've downloaded Wireshark?

asked 23 Nov '10, 14:43

chuckh
1111
accept rate: 0%


First step - capture some traffic - ya gotta be in the path somewhere to capture it. Then... look at it - does Wireshark dissect it (there is a Modbus dissector - mbtcp I think).

Here's a nifty doc showing a group who used Wireshark to analyze malicious Modbus/TCP traffic.

http://critis08.dia.uniroma3.it/pdf/CRITIS_08_26.pdf

answered 23 Nov '10, 18:53

lchappell ♦
1.2k2730
accept rate: 8%

I'm no expert, but I'll give it a shot. I think you need a network adapter that supports promiscuous mode. If you have that capability, I think you should be able to accomplish what you want. You can download WinPCap for free if your driver doesn't have promiscuous mode.

answered 23 Nov '10, 16:56

ActualRandy
46224
accept rate: 0%
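
As an added illustration of the logging the question asks for (not code from either answer or from the Wireshark project): a Python sketch that takes TCP payloads already captured from the path, keeps only Modbus/TCP traffic to or from one device IP, and pairs each request with its response by transaction id. The function names, the 192.0.2.x addresses and the sample payloads are constructed for this example, and it assumes one complete Modbus ADU per TCP payload.

```python
import struct

MODBUS_PORT = 502  # registered Modbus/TCP server port
FUNCTIONS = {1: "Read Coils", 3: "Read Holding Registers",
             6: "Write Single Register", 16: "Write Multiple Registers"}

def parse_adu(payload):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); None if not Modbus."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    func, data = payload[7], payload[8:6 + length]
    exc = data[0] if func & 0x80 and data else None  # high bit = exception reply
    return {"tid": tid, "unit": unit, "func": func & 0x7F, "exception": exc}

def log_transactions(packets, device_ip):
    """Pair requests to device_ip with its responses by client and transaction id."""
    pending, log = {}, []
    for src, sport, dst, dport, payload in packets:
        adu = parse_adu(payload)
        if adu is None:
            continue
        if dst == device_ip and dport == MODBUS_PORT:
            pending[(src, sport, adu["tid"])] = adu
        elif src == device_ip and sport == MODBUS_PORT:
            req = pending.pop((dst, dport, adu["tid"]), None)
            exc = adu["exception"]
            log.append({
                "client": dst, "tid": adu["tid"], "unit": adu["unit"],
                "function": FUNCTIONS.get(adu["func"], f"function {adu['func']}"),
                "status": "ok" if exc is None else f"exception {exc}",
                "matched": req is not None})
    return log

# Constructed sample: (src, sport, dst, dport, TCP payload); addresses are placeholders.
DEVICE = "192.0.2.10"
SAMPLE_PACKETS = [
    ("192.0.2.20", 49152, DEVICE, 502, bytes.fromhex("000100000006010300000002")),
    (DEVICE, 502, "192.0.2.20", 49152, bytes.fromhex("000100000007010304000a000b")),
    ("192.0.2.50", 40000, "192.0.2.99", 502, bytes.fromhex("000300000006010100000008")),
    ("192.0.2.20", 49152, DEVICE, 502, bytes.fromhex("0002000000060106001000ff")),
    (DEVICE, 502, "192.0.2.20", 49152, bytes.fromhex("000200000003018602")),
    ("192.0.2.20", 49153, DEVICE, 80, b"GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for entry in log_transactions(SAMPLE_PACKETS, DEVICE):
        print(entry)
```

An unmatched response (`"matched": False`) or an exception status in this log is the kind of entry worth a closer look in the capture itself.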

question asked: 23 Nov '10, 14:43

question was seen: 8,214 times

last updated: 23 Nov '10, 18:53
