| Bug ID |
12768
|
| Summary |
Modbus/UDP support
|
| Product |
Wireshark
|
| Version |
2.1.x (Experimental)
|
| Hardware |
All
|
| OS |
All
|
| Status |
UNCONFIRMED
|
| Severity |
Major
|
| Priority |
Low
|
| Component |
Dissection engine (libwireshark)
|
| Assignee |
[email protected]
|
| Reporter |
[email protected]
|
Created attachment 14832 [details]
Crude patch for supporting UDP in the Modbus/TCP dissector
Build Information:
Version 2.1.1 (Git Rev Unknown from unknown)
Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 3.18.9, with Cairo 1.14.6, with Pango 1.38.1, with
libpcap, with POSIX capabilities (Linux), without libnl, with GLib 2.48.1, with
zlib 1.2.8, without SMI, with c-ares 1.10.0, with Lua 5.1, with GnuTLS 3.4.10,
with Gcrypt 1.6.5, without Kerberos, without GeoIP, without PortAudio, without
AirPcap.
Running on Linux 4.4.16-040416-generic, with locale LC_CTYPE=en_US.UTF-8,
LC_NUMERIC=C, LC_TIME=nl_NL.UTF-8, LC_COLLATE=en_US.UTF-8,
LC_MONETARY=nl_NL.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=nl_NL.UTF-8,
LC_NAME=nl_NL.UTF-8, LC_ADDRESS=nl_NL.UTF-8, LC_TELEPHONE=nl_NL.UTF-8,
LC_MEASUREMENT=nl_NL.UTF-8, LC_IDENTIFICATION=nl_NL.UTF-8, with libpcap version
1.7.4, with GnuTLS 3.4.10, with Gcrypt 1.6.5, with zlib 1.2.8.
Intel(R) Core(TM) i7-4578U CPU @ 3.00GHz (with SSE4.2)
Built using gcc 5.4.0 20160609.
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Now that ModbusRTU over UDP support has landed, I tried it with Modbus UDP and
found that it decodes it incorrectly. That's because Modbus UDP uses the same
protocol as Modbus TCP, not as Modbus RTU.
http://jamod.sourceforge.net/kbase/modbus_udp.html
http://www.simplymodbus.ca/TCP.htm
This can be reproduced easily using https://github.com/bashwork/pymodbus
1. In `examples/server/asynchronous-server.py` comment the line with TcpServer
line and uncomment the line with UdpServer.
2. Run the previous example (as root, since the port is 502).
3. Open a python shell and run:
from pymodbus.client.sync import *
l = ModbusUdpClient('localhost')
l.write_register(0, 1234)
Wireshark will not recognise this data by default, but if one sets the "Modbus
RTU Port" setting to 502, it will show a wrong dissection.
Full packet data:
000000000000000000000000080045000028236f4000401119547f0000017f000001acc001f60014fe270004000000060006000004d2
Modbus RTU:
Unit ID: 0
CRC-16: 0x04d2
data: 0004000000060006000004d2
Modbus:
Function Code: Read Input Registers (4)
Reference Number: 0
Word Count: 6
data: 040000000600060000
Now when I revert the "Modbus RTU Port" setting to 0 and modify the Wireshark
sourcecode to also allow UDP for the Modbus/TCP dissector (as per attached
patch), I see the following instead:
Full packet data:
000000000000000000000000080045000028b98c4000401183367f0000017f000001acc001f60014fe270005000000060006000004d2
Modbus/TCP:
Transaction Identifier: 5
Protocol Identifier: 0
Length: 6
Unit Identifier: 0
Modbus:
Function Code: Write Single Register (6)
Reference Number: 0
Data: 04d2
That's the actual request that was made, this dissection is correct.
I'm not much of a Wireshark developer to know whether this patch would be ready
for inclusion or not. It may even be nice to show "Modbus/UDP" as protocol
instead (so that it can be recognised as such easily in the packet listing).
In any case I hope that Wireshark will receive support for this protocol. Even
though it is not part of the official Modbus specification, it is being used
and has benefits to Modbus/TCP in certain cases.
You are receiving this mail because:
- You are watching all bug changes.
