Hi, I have an old black box speaking Modbus RTU and DNP3 over serial, and want to migrate that to a new computer to do the exact same thing, but I can't find info about this custom made black box and the configuration it uses for this protocols, so I want to sniff its terminals. My idea is to use a serial to TCP/IP converter such as Lantronix to encapsulate this serial data and sniff it with Wireshark, but I'm not sure if it recognizes the protocols when they are actually the serial versions only encapsulated over a TCP frame. Any hint will be appreciated. Thanks! asked 12 Mar '15, 20:26  japz87 |
2 Answers:
Yes. However it sounds as though you are trying to capture an existing serial connection, so a simple terminal server might not be enough if both ends are fixed as serial. answered 13 Mar '15, 02:43  grahamb ♦ |
Wireshark's unlikely to recognize those protocols in that case. The Lantronix boxes probably translate byte streams from the serial port into Telnet or SSH or... sequences. The same is probably true of most serial-to-{Ethernet,Wi-Fi,etc.} boxes. If no encryption is done (raw Telnet) Wireshark can dissect the packets at the Telnet level, but it doesn't include any support for dissecting the byte streams transferred by Telnet as if they were Modbus or DNP3 or... packet sequences - the Modbus, DNP3, etc. dissectors in Wireshark are oriented towards dissecting the official encapsulation of those protocols inside Ethernet or some Internet transport protocol, not towards dissecting the serial port versions when transmitted over Telnet, and the Telnet dissection code doesn't know about them. If they're transmitted over SSH, then Wireshark won't even be able to decrypt the traffic, much less dissect it. answered 13 Mar '15, 13:48  Guy Harris ♦♦ |
Sorry Guy, this is incorrect. Lantronix and their cheaper equivalent terminal servers, can easily be configured to operate in a plain transport mode, so capturing the IP traffic with Wireshark is trivial and the protocols discussed in the question all dissect successfully. I do this nearly every day in my day job with the protocols mentioned and was the reason why I got started with Wireshark dev.
Generally the "master" end of the link, usually a SCADA\HMI application, runs on a PC and is configured for direct TCP/IP use, or a virtual COM port provided by the terminal server vendor, and it connects over Ethernet to the terminal server which then communicates with the field device using the serial interface.
Some telemetry protocols do not change when run over TCP/IP, e.g DNP3 which keeps it's serial protection mechanism of a 16 bit CRC every 16 bytes, some have variants, e.g Modbus has Open Modbus TCP along with the standard serial versions (Wireshark dissects both) and some have a specific variant that is to be used over TCP/IP, e.g. IEC 60870-5-104.
Where @japz87 might come unstuck though, is if they can't configure either the "black box" or the device to use TCP/IP or a virtual COM port. They might be able to configure 2 terminal servers back to back and then capture on the Ethernet link between them. but I've never need to do that.