remove modbus packets/filter modbus

asked 2020-05-01 17:22:17 +0000

salwa1215

I want to remove the modbus packets from my pcap file and save the results in a file. I used this command

not (modbus or mbtcp)

and saved the displayed packets, but the results file still contains some modbus packets


Comments

Save the display packets, how?

Jaap ( 2020-05-01 20:39:27 +0000 )

File -> Export Specified Packets and export either displayed packets or marked packets (after doing Ctrl+Shift+M to mark the packets)

salwa1215 ( 2020-05-01 21:49:16 +0000 )

Do the packets not being excluded match some of these other protocol names?

$ ./tshark -G protocols | grep -i modb
CIP Modbus Object       CIPMB   cipmb
Modbus  Modbus  modbus
Modbus RTU      Modbus RTU      mbrtu
Modbus/TCP      Modbus/TCP      mbtcp
Modbus/UDP      Modbus/UDP      mbudp
Chuckc ( 2020-05-01 22:30:41 +0000 )

The packets that I want to exclude are the modbus/tcp packets

salwa1215 ( 2020-05-01 22:45:09 +0000 )

What version of Wireshark?
Are they large modbus packets that might span TCP segments?

Chuckc ( 2020-05-01 23:06:52 +0000 )