When working on a bug in a modbus server implementation I nodiced that when the modbus display filter cannot decode the packet (due to a protocol error in the message) the remaining data is printed like: However it is not made clear to me that this packet is actually erroneous. After solving the bug (the server was responding with more bytes than the client asked for) the modbus message was further decoded like: Wouldn't it be a good idea to use the display filter to mark packets with (clear) protocol errors? asked 21 Oct '14, 05:29  kneh |
One Answer:
Because there are proprietary (unpublished) extensions to the Modbus protocol, if the dissector comes across a function code it can't handle, then the dissector just calls the generic "data" dissector that generates the display you saw. So with this dissector its a bit hard to definitively spot a protocol error. answered 21 Oct '14, 08:00  grahamb ♦ |
