Revision history

The capture filter seems to be equivalent to the Wireshark display filter s7comm.param.item.db == 815 and s7comm.param.func == 0x05, which can't be used for capture filters as BPF syntax doesn't know about S7 over COTP over TPKT over TCP.

As you're using offsets from the start of TCP, the accuracy of the filters depends on the consistency of the size of the TCP headers and the other layers, i.e. TPKT and COTP. I suspect there's something slightly different in the headers on the outgoing traffic that messes up the offsets.

By examination of the outgoing packets from an unfiltered capture you might be able to determine the different offsets required.
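As an added illustration (not part of the original answer), the following Python walks TPKT, COTP and the S7comm header of a TCP payload and reports where the function code and DB number actually sit relative to the start of the TCP data, using two constructed packets: a Job Write Var request for DB 815 and its Ack_Data reply, whose 12-byte header and item-less parameter show how the offsets differ between directions. It then builds a tcpdump/BPF expression that indexes from the TCP data offset rather than a fixed TCP header size; the 3-byte COTP data header and 10-byte Job header are assumptions that a real capture should be checked against.

```python
import struct

# Constructed sample: TCP payload of an S7comm Job "Write Var" (func 0x05) on DB 815.
WRITE_VAR_JOB = bytes.fromhex(
    "03000024"                      # TPKT: version 3, reserved, length 36
    "02f080"                        # COTP DT: LI=2, PDU type 0xF0, TPDU nr 0x80
    "320100000100000e0005"          # S7 header: ROSCTR 1 (Job), param len 14, data len 5
    "0501120a10020001032f84000000"  # param: func 0x05, 1 item, S7ANY, DB 0x032f=815, area DB
    "00040008ab")                   # data: return code, transport size, 8 bits, value 0xab
# Constructed sample: the Ack_Data reply; 12-byte header, parameter carries no item.
WRITE_VAR_ACK = bytes.fromhex(
    "03000016" "02f080"
    "320300000100000200010000"      # S7 header: ROSCTR 3 (Ack_Data) + error class/code
    "0501" "ff")                    # param: func 0x05, 1 item; data: return code 0xff


def s7_offsets(payload: bytes) -> dict:
    """Return offsets (from the start of the TCP payload) of the S7 function code and,
    for a Job Read/Write Var item in S7ANY form, of the DB number."""
    if len(payload) < 7 or payload[0] != 0x03:
        raise ValueError("not TPKT")
    tpkt_len = struct.unpack_from(">H", payload, 2)[0]
    if len(payload) < tpkt_len:
        raise ValueError("truncated TPKT")
    s7 = 4 + payload[4] + 1              # COTP LI excludes the LI byte itself
    if payload[s7] != 0x32:
        raise ValueError("not S7comm")
    rosctr = payload[s7 + 1]
    hdr_len = 12 if rosctr in (2, 3) else 10  # Ack/Ack_Data add error class + error code
    param = s7 + hdr_len
    func = payload[param]
    out = {"rosctr": rosctr, "func_offset": param, "func": func, "db_offset": None, "db": None}
    if rosctr == 1 and func in (0x04, 0x05) and payload[param + 1] >= 1:
        item = param + 2                  # first item: var spec, len, syntax id, ...
        if payload[item] == 0x12 and payload[item + 2] == 0x10:  # S7ANY addressing
            out["db_offset"] = item + 6   # after transport size (1) and length (2)
            out["db"] = struct.unpack_from(">H", payload, item + 6)[0]
    return out


def bpf_for_write_var_db(db: int) -> str:
    """tcpdump/BPF filter for Job Write Var requests on `db`; indexes relative to the TCP
    data offset so TCP options don't shift it (assumes the 3-byte COTP DT header)."""
    ref = s7_offsets(WRITE_VAR_JOB)      # derive payload offsets from the sample layout
    base = "((tcp[12:1] & 0xf0) >> 2)"
    return (f"tcp[{base} + {ref['func_offset']}:1] = 0x05 and "
            f"tcp[{base} + {ref['db_offset']}:2] = {db}")
```

Running s7_offsets over packets from both directions of an unfiltered capture is the quickest way to see which byte positions a TCP-relative filter really needs.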