This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

modbus/tcp register address display look like a relative.

0

my customer captured that modbus/tcp data from PLC to PC.
i want to find a unique int32 value by register address.
but the data displayed register address look like a relative.
e.g.
Register 0(INT32):123
Register 2(INT32):123
Register 4(INT32):123

I want to display look like a absolute.
e.g.
Register 40001(INT32):123
Register 40003(INT32):123
Register 40005(INT32):123

How's it change configure or solution.
please tell me.
Regards.

asked 13 Feb '17, 04:09

Rockman29's gravatar image

Rockman29
6114
accept rate: 0%


One Answer:

2

You can't (without modifying the Modbus dissector), however it's mostly a matter of convention.

Modbus "programmers" (humans or software tools) use 1-based register addresses such as 40001 to indicate a 16 bit holding (output) register, but in the "over-the wire" protocol that actually becomes a "Read Holding Registers" command (0x03) with a starting address 0f 0x0000, as the protocol uses 0-based addresses and this is the source of lots of confusion. Similarly an input register "programmers" address such as 30001 appears as starting address 0x0000 for a "Read Input Registers" command (0x04).

The dissector displays the 0-based addresses of the protocol, not the 1-based addresses that "programmers" may be more familiar with. There are also Modbus programming tools out there that use the 3xxxx and 4xxxx based addresses but are 0-based, and there are other manufacturers, e.g. Koyo that instead of a leading 3 or 4 digit use text strings such as IR or HR (for Input Register and Holding Register respectively) and either 0-base or 1-based starting addresses.

There are further conventions such as combining multiple registers to create larger values, such as 2 off 16 bit registers into a 32 bit value, which the dissector does support in the preferences that allows you to set the Holding/Input Register format (as we can see from your example), but note that this setting applies to ALL Input/Holding registers so can be awkward if you have registers using mixed formats in the same PLC.

The dissector does not generate synthesised data such as the "programmers" address by converting a "Read Holding Registers" with starting address 0x0000 into 40001 as with all the possible 1-based and 0-based confusion, along with the other formats such as Koyo, doing so might mislead "programmers", so it's felt best to stick with the actual protocol values.

Edit

It's actually a little worse than I remembered, the Modbus protocol does not include the starting address in the response from the PLC, so a strict dissection of the response can't show the register address but the dissector "remembers" the address in the request (which shares the transaction identifier with the response) and uses that to display the register values in the response.

answered 13 Feb '17, 05:00

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

edited 13 Feb '17, 09:05

Thanks for your Answer.
I got it.
I didn't know Modbus protocol does not include the starting address.
usually I show like absolutely address, because include query(have starting address) and response that linking automatically by wireshark.
Regards.

(13 Feb '17, 16:49) Rockman29