This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

When working on a bug in a modbus server implementation I noticed that when the modbus display filter cannot decode the packet (due to a protocol error in the message) the remaining data is printed like:
'Data: 0113feb0800000010000047b'

However it is not made clear to me that this packet is actually erroneous.

After solving the bug (the server was responding with more bytes than the client asked for) the modbus message was further decoded like:
Register (0): 276
Register (0): 65198
Register (0): 32768

Wouldn't it be a good idea to use the display filter to mark packets with (clear) protocol errors?

asked 21 Oct '14, 05:29

kneh


Because there are proprietary (unpublished) extensions to the Modbus protocol, if the dissector comes across a function code it can't handle, then the dissector just calls the generic "data" dissector that generates the display you saw.

So with this dissector it's a bit hard to definitively spot a protocol error.

answered 21 Oct '14, 08:00

grahamb ♦
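
A check of the kind the question asks for, as an added example that is not part of the original posts and not Wireshark's dissector code: it compares a read-registers response with the request it answers and reports a server that returns more bytes than the client asked for. It assumes bare Modbus PDUs (no MBAP header or CRC) and function codes 0x03/0x04; the function name and all sample bytes are constructed for illustration.

```python
import struct

READ_FUNCS = {0x03, 0x04}  # Read Holding Registers / Read Input Registers


def check_read_response(request_pdu, response_pdu):
    """Return a list of protocol errors in response_pdu (empty list = consistent)."""
    if len(request_pdu) != 5:
        return ["request is not a 5-byte read-registers PDU"]
    func, _start, quantity = struct.unpack(">BHH", request_pdu)
    if func not in READ_FUNCS:
        return ["function 0x%02x is not covered by this check" % func]
    if not 1 <= quantity <= 125:  # limit for these two function codes
        return ["requested quantity %d is outside 1..125" % quantity]
    if len(response_pdu) < 2:
        return ["response PDU is shorter than 2 bytes"]

    rfunc = response_pdu[0]
    if rfunc == func | 0x80:
        # Exception response: function code with the high bit set + 1 code byte.
        if len(response_pdu) != 2:
            return ["exception response is not exactly 2 bytes"]
        return []
    if rfunc != func:
        return ["response function 0x%02x does not match request 0x%02x"
                % (rfunc, func)]

    errors = []
    byte_count = response_pdu[1]
    payload = response_pdu[2:]
    if byte_count != 2 * quantity:
        errors.append("byte count %d != 2 * %d registers requested"
                      % (byte_count, quantity))
    if len(payload) != byte_count:
        errors.append("payload is %d bytes but byte count field says %d"
                      % (len(payload), byte_count))
    return errors


# Constructed samples: the client asks for 3 registers starting at address 0.
REQUEST = bytes.fromhex("0300000003")
GOOD = bytes.fromhex("03060114feae8000")                  # 3 registers
OVERLONG = bytes.fromhex("030c0114feae800000010000047b")  # 6 registers returned
BAD_COUNT = bytes.fromhex("03060114feae800000010000047b") # count 6, 12 bytes sent

if __name__ == "__main__":
    for name, pdu in (("good", GOOD), ("overlong", OVERLONG),
                      ("bad count", BAD_COUNT)):
        print(name, check_read_response(REQUEST, pdu) or "ok")
```
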


question asked: 21 Oct '14, 05:29

question was seen: 2,710 times

last updated: 21 Oct '14, 08:00
