This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

ModBus TCP continuously disconnecting

0

Hi, I have a Modbus device connected to an ABB CI867 interface using a Modbus/TCP converter. Connection keeps on dropping every 2 seconds. I have some issue understanding the WireShark analysis. Could anyone help me?

Here is the Scan: https://www.cloudshark.org/captures/e383e599f1b4

Thank you for your help

asked 19 Mar '14, 17:43

Beber_NC's gravatar image

Beber_NC
1111
accept rate: 0%


2 Answers:

0

Did you notice that the last message before the FIN packet in each session contains "RTU check CRC failed, Receive query again" ?

answered 19 Mar '14, 22:43

mrEEde's gravatar image

mrEEde
3.9k152270
accept rate: 20%

0

As per the answer by @mrEEde the RTU (172.19.197.32) is returning some ASCII text after its response to the query request, and it's likely that the Modbus master is choking on this and subsequently closing the connection.

The text "RTU check CRC failed, Receive query again" looks like some form of diagnostic output from the RTU which shouldn't be sent over the data connection. Note that when using Modbus/TCP the standard Modbus CRC isn't used, is the RTU actually a serial device connected via some form of terminal server I see you are using a Modbus/TCP converter, maybe it is incorrectly configured?

Another observation in your capture is duplicated packets, probably due to your capture setup involving mirroring or spanning switch ports. These dups can be removed by using editcap.

A final observation is that your capture also contains traffic not relevant to your question, that leaks details about your network environment, e.g. netbios-ns packets. You might want to filter your captures a little better before posting them publicly, although I don't think you've let anything too bad out this time.

answered 20 Mar '14, 03:13

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%