This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract particular Register from series of Modbus packets

0

I am using Wireshark to analyze Modbus data exchanged between a device and my PC. When I use the Modbus "MODICOM FLT" preference I can see the floating point parameter I need (i.e. Register 5523). It has the value 1234.900635 in the image below. How can I export this parameter many times to make a time plot?

asked 24 Feb '17, 12:23


bmain57
accept rate: 0%


One Answer:

1

This is probably better handled with tshark. If you want to export all register values, then you can use something like:

tshark -r modbusTrace.pcap -Y "modbus.reg32" -T fields -e modbus.reg32

However, if you only want the value for register 5523, then I think this is only possible if there are always a fixed number of modbus.reg32 values returned and Register 5523 is always the Nth one - in that case you can specify which occurrence of the field to display using a more targeted command, such as:

Windows: tshark.exe -r modbusTrace.pcap -Y "modbus.reg32" -o "gui.column.format:\"Register 5523\",\"%Cus:modbus.reg32:N\""

*nix: tshark -r modbusTrace.pcap -Y "modbus.reg32" -o 'gui.column.format:"Register 5523","%Cus:modbus.reg32:N"'

... where N is the occurrence of the field you're interested in.

(You can add other fields as well, such as Frame number, time, etc., if you like. Run "tshark -G column-formats" for additional help with that.)

If you redirect the output to a file, you should be able to import it into another program (such as your favorite spreadsheet program), so that you can plot the values.

answered 24 Feb '17, 13:52


cmaynard ♦♦
accept rate: 20%
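As an added example (not from the thread, and not Wireshark or tshark code), here is a Python parser that extracts the same float the answer is after without relying on register 5523 always being the Nth modbus.reg32 value: it pairs each Read Holding Registers response with its request by transaction id (the response carries no start address) and decodes the register wherever it falls in the reply. Assumptions: the register number is the 0-based protocol address, "MODICON FLT" is an IEEE-754 single with its two 16-bit words swapped, and the Modbus/TCP frames are constructed inline.

```python
import struct

# Added example, not from the thread. Assumptions: the register number is the
# 0-based protocol address (what Wireshark's register column shows), and
# "MODICON FLT" is an IEEE-754 single with its 16-bit words swapped (low first).
TARGET_REGISTER = 5523
MODICON_WORD_SWAP = True

def mbap(tid, pdu):
    """Prepend a Modbus/TCP MBAP header (protocol id 0, unit id 1)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu
def build_request(tid, start, count):
    """Constructed Read Holding Registers (FC 3) request."""
    return mbap(tid, struct.pack(">BHH", 3, start, count))
def build_response(tid, words):
    """Constructed FC 3 response carrying 16-bit register words."""
    return mbap(tid, struct.pack(">BB%dH" % len(words), 3, 2 * len(words), *words))
def float_to_words(value, swap=MODICON_WORD_SWAP):
    hi, lo = struct.unpack(">HH", struct.pack(">f", value))  # big-endian words
    return (lo, hi) if swap else (hi, lo)

def extract_register(frames, register=TARGET_REGISTER, swap=MODICON_WORD_SWAP):
    """Pair each FC 3 response with its request by transaction id (the response
    carries no start address) and return the float held at `register`."""
    pending, values = {}, []
    for frame in frames:
        tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
        if proto != 0 or len(frame) != 6 + length or len(frame) < 8 or frame[7] != 3:
            continue                                 # not FC 3, or truncated
        pdu = frame[7:]
        if len(pdu) == 5:                            # request: fc, start, count
            pending[tid] = struct.unpack(">HH", pdu[1:])
        elif tid in pending:                         # response: fc, bytecount, data
            start, count = pending.pop(tid)
            if not (start <= register and register + 1 < start + count):
                continue                             # both words must be in range
            off = 2 + 2 * (register - start)         # word i sits at pdu[2 + 2i]
            w0, w1 = struct.unpack(">HH", pdu[off:off + 4])
            hi, lo = (w1, w0) if swap else (w0, w1)
            values.append(struct.unpack(">f", struct.pack(">HH", hi, lo))[0])
    return values

def sample_frames():
    """Constructed traffic: two polls covering register 5523 at different offsets, one not."""
    a, b = [0] * 40, [0] * 10
    a[23], a[24] = float_to_words(1234.900635)       # addr 5500 + 23 = 5523
    b[3], b[4] = float_to_words(1235.25)             # addr 5520 + 3 = 5523
    return [build_request(1, 5500, 40), build_response(1, a), build_request(2, 100, 4),
            build_response(2, [7, 8, 9, 10]), build_request(3, 5520, 10), build_response(3, b)]
```

Feeding `extract_register` the frames from a real capture (for example the payloads tshark writes out) yields one value per poll in capture order, which is the series the question wants to plot.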

I really appreciate the time you spend giving me such a detailed response. And it works great for listing the register numbers. What I want, however, is the value of the register (in the example above, register 5523 has the value 1234.900635). I am writing a more detailed response to your answer in my "answer" below since it allows images.

(25 Feb '17, 11:21) bmain57

I really appreciate your answer above! And it works great for listing the register numbers. When I use your first solution:

tshark -r modbusTrace.pcapng -Y "modbus.reg32" -T fields -e modbus.reg32 > test1.csv

I get all the register numbers. The image below shows a small piece of the test1.csv output file:

It is really interesting when I run your second solution: I get the vertical column of this table that matches the number "N". So if I use N=20

tshark.exe -r modbusTrace.pcapng -Y "modbus.reg32" -o "gui.column.format:\"Register 5523\",\"%Cus:modbus.reg32:20\"" > test2.csv

I get just the 20th vertical column of the above table:


Now what I am really looking for is the value of a particular register, not the register number. For example, register 5523 has the value of 1234.900635


Is there a tshark command that will allow me to get that?

And I want to thank you so much for your previous response. Even though it didn't give me the exact parameter I wanted, I am learning more from your short comments than scouring manuals for hours.

(25 Feb '17, 11:24) bmain57
1

What version of Wireshark are you using? Also, maybe you could post a small capture file (even one with a single packet should suffice) so folks can see exactly which field it is that you're interested in and how best to retrieve it.

(27 Feb '17, 07:42) cmaynard ♦♦

I am using Wireshark 2.2.0 on Win7 64 bit. I would like to upload my trace file; how do I upload a file on this site? (Also, in my original question above I do have an image of the Wireshark GUI which shows the register I am trying to get.)

(27 Feb '17, 17:26) bmain57

You can share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.

Edit your question with a link to the file.

(28 Feb '17, 02:57) grahamb ♦
(28 Feb '17, 07:43) bmain57

OK, well with older versions of Wireshark (such as 1.12.13), you could do this:

tshark.exe -r modbusTrace.pcap -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format:"MODICON FLT" -o gui.column.format:"Register 5523","%Cus:modbus.register.modicon_float:N"

I don't know how to achieve this same thing using newer versions of Wireshark, such as the version you're using. It seems that you can now only display the modbus.reg32 value. This looks like a bug to me.

(28 Feb '17, 08:32) cmaynard ♦♦

I installed Wireshark 1.12.13 and ran the command you suggested, however I get the error message: tshark: Invalid -o flag "mbtcp.mbus_register_format:"

(01 Mar '17, 11:18) bmain57

I just tried the command again and it worked. Can you post your entire command?

(01 Mar '17, 11:43) cmaynard ♦♦

tshark.exe -r modbusTrace.pcapng -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format: "MODICON FLT" -o gui.column.format: "Register 5523","%Cus:modbus.register.modicon_float:143" > test5.csv

(01 Mar '17, 12:13) bmain57

mbtcp.mbus_register_format: "MODICON FLT"

You have a space between the colon and the quote character. Try again with no space.

(01 Mar '17, 12:16) cmaynard ♦♦

Here is the Command Line capture of the error:

C:\Users\bmain\Documents\Ansel\SSMM\PWM_SporaticError>tshark.exe -r modbusTrace. pcapng -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format: "MODICO N FLT" -o gui.column.format: "Register 5523","%Cus:modbus.register.modicon_float :143" > test5.csv

(tshark.exe:17620): WARNING : No such preference "modbus.mbus_register_form at" at line 3131 of C:\Users\bmain\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning) tshark: Invalid -o flag "mbtcp.mbus_register_format:"

(01 Mar '17, 12:18) bmain57
1

mbtcp.mbus_register_format: "MODICO N FLT"

Once again, you have a space between the colon and quote. Try removing it. And you seem to have added a space where it doesn't belong. It's not "MODICO N FLT" but "MODICON FLT".

(01 Mar '17, 12:22) cmaynard ♦♦
1

Since you seem to be having trouble with that command-line option, you can omit it if you've already set the preference in Wireshark. I merely added it to the command-line so it would always override whatever setting you might have had in Wireshark.

(01 Mar '17, 12:43) cmaynard ♦♦

I fixed my spacing but now get a new error:

C:\Users\bmain\Documents\Ansel\SSMM\PWM_SporaticError>tshark.exe -r modbusTrace. pcapng -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format:"MODICON FLT" -o gui.column.format:"Register 5523","%Cus:modbus.register.modicon_float:1 43" > test5.csv

(tshark.exe:13608): WARNING : No such preference "modbus.mbus_register_form at" at line 3131 of C:\Users\bmain\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning)

C:\Users\bmain\Documents\Ansel\SSMM\PWM_SporaticError>

Line 3131 is the last line of the sequence below.

Register Format

One of: UINT16 , INT16 , UINT32 , INT32 , IEEE FLT , MODICON FLT

(case-insensitive).

modbus.mbus_register_format: MODICON FLT

I also noticed that my preference file header says version 2.2.0 even though I uninstalled that version and installed 1.12.13 as you suggested earlier.

(01 Mar '17, 14:55) bmain57

Try again line 3131 of preferences:

Register Format One of: UINT16 , INT16 , UINT32 , INT32 , IEEE FLT , MODICON FLT (case-insensitive). modbus.mbus_register_format: MODICON FLT

In my previous post I forgot to strip off the pound signs from the pref file text.

(01 Mar '17, 14:58) bmain57

Register Format

One of: UINT16 , INT16 , UINT32 , INT32 , IEEE FLT , MODICON FLT

(case-insensitive).

modbus.mbus_register_format: MODICON FLT

(01 Mar '17, 15:00) bmain57

Can you upload your AppData\Roaming\Wireshark\preferences file for me if this is the issue?

(01 Mar '17, 15:05) bmain57
1

So tshark is just warning you of an unknown preference, namely modbus.mbus_register_form. It's just a warning though. Did you look at the contents of your test5.csv file? It should contain the information you're after.

If you want to eliminate the warning, you can do as instructed and save your preferences file from Wireshark. When you do that, Wireshark should remove all unknown preferences. Another option is to simply rename your preferences file (e.g., preferences-2.2.0) and the next time you run the tshark command, tshark will use default preferences except for any you specify on the command-line.

Ideally this could be solved using Wireshark 2.2.x though. Perhaps it can be and I'm just missing something myself, but if it can't be, then a bug report should be opened because this seems like a regression to me. You shouldn't have to downgrade Wireshark to solve this problem. Wireshark bugs can be filed at https://bugs.wireshark.org/bugzilla/.

(01 Mar '17, 15:31) cmaynard ♦♦

Yes, test5.csv does have the data!! Thanks for your patience in solving this issue. I am so relieved. I have requested a bugzilla login so I can submit the bug. By the way, while I am waiting for the fix, can I run two different versions of Wireshark on the same win7 computer? It seems like multiple versions will share the same preferences file and thus lead to some confusion (like the warning I was getting earlier).

(01 Mar '17, 16:36) bmain57
1

can I run two different versions of Wireshark on the same win7 computer?

It should be possible, although only one of them can be associated with .pcap files, and only one of them will take precedence if the installation directory is added to the %PATH%. But try installing the 2 versions in different locations to find out.

Alternatively ...

  • you could install the PortableApps version of one of them on a USB flash drive and run it from there instead of installing it on your PC.
  • you could compile each version yourself and run it from your build directory instead of installing it, per se.
  • In the old days, I believe a zip file was available and you could just unzip it and run it from the unzip folder, again without installing it, per se. I don't know if that's still possible, but it doesn't look like zips are available anymore, which is too bad. Perhaps another bug report asking for zips to be created and made available on the download site could be opened too.
(02 Mar '17, 07:07) cmaynard ♦♦