This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Possible to setup Wireshark to use alternate port for Modbus TCP?

0

Hello -- We have a server setup to act as three separate Modbus "slave servers". One uses the standard Modbus TCP port 502. The others use ports 503 and 504, respectively. When we use Wireshark to look at network traffic, it has no problem recognizing all port 502 traffic as Modbus TCP protocol. However, it does not recognize the other port traffic as Modbus TCP. Is there some "easy" way to configure Wireshark to see 502, 503, and 504 for Modbus TCP? Thanks for any ideas. Regards, Steve

asked 11 Sep '12, 13:11

sreiner's gravatar image

sreiner
1111
accept rate: 0%

One Answer:

0

You could select a packet of one of the flows on those ports and use the popup menu to choose "Decode As" -> "Transport" -> "Modbus/TCP".

answered 11 Sep '12, 13:49

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Hi,

any idea why "Modbus/TCP" is not listed when chosing "Decode As" -> "Transport"?? However, Modbus/TCP packets on port 502 are disected as "Modbus/TCP"

(Wireshark 1.10.7)

(22 May '14, 04:31) Alfonso

I'll just say "Decode As" ... does show Modbus/TCP for me in Wireshark-1.10.7. I'd suggest trying again. :)

(22 May '14, 05:55) Bill Meier ♦♦

Well, it does... I was doing "Decode As" on UDP packets. It shows up on TCP, though. What I was trying to decode is our Modbus/TCP broadcasted over UDP.

Thanks a lot.

(22 May '14, 06:44) Alfonso
1

see: modbusudp-support

(22 May '14, 06:51) Bill Meier ♦♦