This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark doesn’t display the longer data fields (mbtcp)

0

Hello,

I'm using tshark to get some packets from a pcap file, and some of the data fields (the longer ones) are not displayed. For example:

10.0.100.211    10.0.2.234  68  126 05:03:01:00:00:30
10.0.2.234  10.0.100.211    70  126 07:03:01:00:00:30:08:83
10.0.100.211    10.0.2.234  68  126 05:03:10:00:00:30
10.0.2.234  10.0.100.211    100 126 
10.0.100.211    10.0.2.234  68  126 05:03:01:0f:ff:51
10.0.2.234  10.0.100.211    70  126 07:03:01:0f:ff:51:00:01
10.0.100.211    10.0.2.234  68  126 05:03:08:00:01:51

As you can see - the 4th packets' data isn't displayed.

This is the command line I use:

tshark.exe -nr 1.pcapng -Y "mbtcp" -T fields -E header=y -e ip.src -e ip.dst -e frame.len -e modbus.func_code -e modbus.data > 1.txt

And here is some input and output data: https://www.dropbox.com/sh/9jlq93td5kahhir/a3cZTTWEhd

I've went over the tshark specs, but it doesn't say anything about fields lengths...

Is this a bug? Am I missing a flag?

Nitay

asked 12 Dec '13, 05:58

nitay's gravatar image

nitay
11224
accept rate: 0%

converted 15 Dec '13, 01:31

One Answer:

2

I think it's a bug.

As you're using a non-standard Modbus function code (126), the data isn't dissected by the the normal Modbus routines. Instead the data is handed off to any dissectors that are registered in the "Modbus Data" table. This table allows other dissectors to register so that they can dissect data that is outwith the bounds of standard Modbus.

With my built version of Wireshark (SVN Rev 53869 from /trunk with default preferences), the openSAFETY dissector registers with the Modbus Data table. If the data is greater than the minimum openSAFETY package size (11 bytes) then the openSAFETY dissector tries to dissect it and fails but erroneously tells the Modbus dissector that it did dissect the data, so the Modbus dissector doesn't take the fallback option of passing the data to the generic data dissector that produces the hex strings you see in other packets where the data is smaller than the minimum openSAFETY package size.

To prevent the openSAFETY dissector from attempting to parse the data you can turn the preference off using the command line flag -o "opensafety.enable_mbtcp:0".

You should raise an entry on the Wireshark Bugzilla, attaching your capture to ensure this is fixed.

answered 15 Dec '13, 06:23

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

filed a bug. Thanks!

EDIT [@Kurt]: Bug 9572

(17 Dec '13, 05:56) nitay