Ask Your Question

Revision history [back]

The Wireshark dissector for Modbus will attempt to match up requests and responses using the Transaction ID (mbtcp.trans_id) in the header and then calculate the response time for you (modbus.response_time).

You can add both these values as columns (and any other dissected value) by right-clicking the value in the packet details pane and choosing "Apply as column".

If you want to export this elsewhere for analysis, then using tshark might help as it can output csv directly using the T fields -e <field name> -e <another field name> options, e.g.

tshark -r mycapturefile.pcapng -Y -T fields "-Eheader=y" "-Eseparator=," -e frame.number -e mbtcp.trans_id -e modbus.response_time

This gives an output like (for a capture with a single request and response):


You can add more -e <field name> options as required, the name of the field is displayed in the status bar at the bottom of Wireshark when the field is selected in the packet details pane.