Ask Your Question
0

Trying to figure out what modbus register addresses are being requested in a capture

asked 2017-12-26 16:17:42 +0000

eusjma gravatar image

updated 2017-12-27 14:26:00 +0000

grahamb gravatar image

I have a wireshark capture in which a modbus master is requesting register values from a slave. I don't know how to determine which holding register addresses are being asked for.

This is what I copied from the capture (one transaction):

Frame 6: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface 0
Ethernet II, Src: Vmware_bb:13:9d (00:50:56:bb:13:9d), Dst: Cisco_9f:f0:01 (00:00:0c:9f:f0:01)
Internet Protocol Version 4, Src: 10.11.112.203, Dst: 10.105.8.11
Transmission Control Protocol, Src Port: 55824, Dst Port: 502, Seq: 1, Ack: 1, Len: 12
Modbus/TCP
    Transaction Identifier: 32210
    Protocol Identifier: 0
    Length: 6
    Unit Identifier: 1
Modbus
    .000 0011 = Function Code: Read Holding Registers (3)
    Reference Number: 8416
    Word Count: 3

Thanks in advance for the help.

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted
0

answered 2017-12-27 14:25:15 +0000

grahamb gravatar image

updated 2017-12-27 14:27:54 +0000

The Modbus dissector shows Modbus addresses as sent over the wire, these are always 0 based and the function code used indicates the I/O type.

Modbus requests indicate the starting bit number or register and the number of bits or registers to read. For write requests the Write Single Coil (5) and Write Single Register (6) commands obviously write a single bit\register, for the multiple equivalents a count of bits or registers is also sent. There is no direct representation of all the registers being accessed.

When dissecting Modbus requests, the dissector adds the filter modbus.reference_num for the starting reference, either a bit number for digitals, or a register for analogs and for multiple values adds the filter modbus.bit_cnt or modbus.word_cnt for the number of digitals or analogs respectively.

Using these values the range of registers read\written can be calculated. In your example 3 analog output registers starting at 8416 are being read, i.e 8416, 8417, 8418.

edit flag offensive delete link more

Comments

Thanks for the responses. This helps me out.

eusjma gravatar imageeusjma ( 2017-12-28 16:30:43 +0000 )edit

If an answer has solved your issue please accept it for the benefit of others with the same problem by clicking the checkmark icon next to the answer.

grahamb gravatar imagegrahamb ( 2017-12-29 17:35:38 +0000 )edit
0

answered 2017-12-26 17:31:00 +0000

Bob Jones gravatar image

It's usually best to post a trace file in a publicly available location with a sample of the packets you have questions about. Text copies do not always yield the same information that a real trace may provide.

In this case, the reference number is the register start range from the request:

Function Code: Read Holding Registers (3) Reference Number: 8416 Word Count: 3

Start at holding register 8416 and read three registers (Word Count).

Modbus is classically all over the map when it comes to register numbering - some start counting at 0, others at 1. Also some use related, but different, numbering:

Holding register: 8416 Register: 48416 or 408416 <-- where the leading 4 implies holding register

Here is a paper on addressing: https://cdn.selinc.com/assets/Literat...ModbusRegisterCB_20160523.pdf?v=20170217-161433

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-12-26 16:17:42 +0000

Seen: 414 times

Last updated: Dec 28 '17