This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have a Modbus capture file that contains a total of 133,000 packets. Among those packets are 1,500 error register queries.
How is a filter created to display the non-zero responses to that register query?

asked 10 Aug '15, 09:19

capesp's gravatar image

capesp
6113
accept rate: 0%


That's a bit tricky as there's no real "direction" indicator in Modbus so you'll maybe have to use the source IP address, are all the responses from the same RTU? If they are, use the RTU address as the source IP address, if not use the master's address as the destination IP address.

In addition, determining an error from a reply is done with the function code, an error has 0x80 added to the function code. I think you'll need something like:

(ip.src == "RTU IP") && (modbus.func_code < 0x80).

permanent link

answered 10 Aug '15, 09:42

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 10 Aug '15, 09:42

Thank you, Graham, for your quick response.

The register data in the valid Modbus response contains the slave device error status that can be OR'd to include more than a single error. This requires a register data search for any non-zero data value.

The captured Modbus traffic is between only two devices 192.168.2.31 and 192.168.1.102. Filtering on FC '3' reduces the packet count to 98K, while filtering on (modbus.reference_num == 2110) reduces packet count to 1534.

The core of the problem is to identify the non-zero register values in the responses to a FC '3' query of register '2110'.

(10 Aug '15, 10:01) capesp

OK, so not a modbus error, but a specific data value. Are the requests only for the single register 2110, or is that register found in other requests, maybe in the middle of a block?

If the register result is always at a specific offset in the response then a filter can be constructed for the offset.

(10 Aug '15, 10:19) grahamb ♦

The request is always for the single register 2110 with FC 3.

(10 Aug '15, 11:34) capesp
1

That's more difficult as the response has no indication of which register(s) was requested, so this would require pattern matching across both the request and response which Wireshark filters can't do.

If all the read holding register (FC 3), single register responses are for the required register address then a filter can be constructed for the specific bytes you're interested in, however if there are reads for other single register addresses mixed in then this can't be done.

The Modbus dissector could be enhanced to add conversation info to the response indicating the requested register addresses to allow such a filter to be created. The Wireshark Bugzilla is the place for an enhancement request.

(11 Aug '15, 03:38) grahamb ♦

I appreciate your help and insight, Graham.

The answer was not as promising as I had hoped. Your suggestion for an enhancement to the Modbus dissector is the most probable solution in the long-term. A macro along with some manual searching might be the only way to identify the error packet in the short-term.

An expansion of the 'conversation' feature to a 'query conversation' would be a natural and useful extension of the Modbus dissector.

(11 Aug '15, 15:41) capesp
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×32
×1
×1

question asked: 10 Aug '15, 09:19

question was seen: 2,066 times

last updated: 11 Aug '15, 15:41

p​o​w​e​r​e​d by O​S​Q​A