 | 1 | initial version |
The issue with Wireshark dissection of register values is that they are output as multiple occurrences of the same field so unless the response only has one register in it you will get multiple values, one per register.
Using a tshark command line to output the frame time along with the register number and the int16 value (the value type depends on the modbus dissector preferences) gives:
tshark -r E:\caps\modbus-input-register-read.pcapng -T fields -e frame.time -e modbus.regnum16 -e modbus.regval_int16
Oct 6, 2015 11:27:49.223301000 GMT Summer Time
Oct 6, 2015 11:27:49.428343000 GMT Summer Time 341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432 0,0,16282,-7864,0,0,1,0,16282,-7864,16282,-7864,16282,-7864,0,0,0,0,0,0,0,0,0,0,0,16282,-7864,0,0,1,0,16282,-7864,16282,-7864,16282,-7864,0,0,0,0,0,0,0,0,0,0,0,16253,28835,0,0,1,0,16253,28835,16253,28835,16253,28835,0,0,0,0,0,0,0,0,0,0,0,14367,-29712,0,73,30090,192,73,30090,192,15525,13455,192,15525,13455,192,17575,10510,192,17575,10510,192
On this case the first packet is the request so no registers (a display filter could be used to eliminate that) and then the second packet is the response and you can see that the register numbers are displayed first and then the register values.
This could be post-processed using a scripting language of your choice to get at what you want.
If you truly only want the last register value in the response then you could use the -E occurrence=l flag to only show the last occurrence of a field in the packet, using the same capture (with some additional-E formatting specifiers to give headings and use a comma to separate fields this results in:
tshark -r E:\caps\modbus-input-register-read.pcapng -T fields -e frame.time -e modbus.regnum16 -e modbus.regval_int16 -E occurrence=l -E header=y -E separator=","
frame.time,modbus.regnum16,modbus.regval_int16
Oct 6, 2015 11:27:49.223301000 GMT Summer Time,,
Oct 6, 2015 11:27:49.428343000 GMT Summer Time,432,192
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.