remove modbus packets/filter modbus

asked 2020-05-01 17:22:17 +0000

salwa1215

I want to remove the Modbus packets from my pcap file and save the result in a file. I used this command

not (modbus or mbtcp)

and saved the displayed packets, but the result file still contains some Modbus packets.


Comments

Save the displayed packets, how?

Jaap (2020-05-01 20:39:27 +0000)

File -> Export Specified Packets, and export either displayed packets or marked packets (after doing Ctrl+Shift+M to mark the packets).

salwa1215 (2020-05-01 21:49:16 +0000)

Do the packets not being excluded match some of these other protocol names?

$ ./tshark -G protocols | grep -i modb
CIP Modbus Object       CIPMB   cipmb
Modbus  Modbus  modbus
Modbus RTU      Modbus RTU      mbrtu
Modbus/TCP      Modbus/TCP      mbtcp
Modbus/UDP      Modbus/UDP      mbudp
Chuckc (2020-05-01 22:30:41 +0000)

The packets that I want to exclude are the Modbus/TCP packets.

salwa1215 (2020-05-01 22:45:09 +0000)

What version of Wireshark?
Are they large modbus packets that might span TCP segments?

Chuckc (2020-05-01 23:06:52 +0000)

The file is big, but the packets I don't know. My Wireshark version is 3.2.1.

salwa1215 (2020-05-01 23:22:05 +0000)

Perhaps a different tack: exclude on the TCP port?

 not tcp.port==502
Bob Jones (2020-05-02 00:06:26 +0000)

Oh, I didn't think of that. Maybe it will work. I will test it tomorrow and give you feedback. Thanks.

salwa1215 (2020-05-02 00:51:59 +0000)

not tcp.port==502 does not work. It also removes all TCP packets.

salwa1215 (2020-05-02 18:48:35 +0000)
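The port-based exclusion Bob Jones proposes, carried out outside Wireshark as an added example (this is editor-written code, not code from the thread or from the Wireshark project). It reads a classic pcap, drops every TCP segment that has port 502 on either side, and writes the rest back with the same global header. Filtering on the port rather than on the `mbtcp` dissector also catches the handshake and bare-ACK segments of a Modbus conversation, which carry no Modbus PDU, while the HTTP segment in the sample stays in. Assumptions: classic pcap (not pcapng), Ethernet link type, no IPv6 extension headers; the capture is constructed inline, not a real trace.

```python
"""Added example, not from the ask.wireshark.org thread: a dependency-free pcap
filter that drops TCP segments touching port 502 (Modbus/TCP) and keeps the rest.
The capture it runs on is constructed inline."""
import struct

MODBUS_TCP_PORT = 502
# Magic values as read with "<I": classic and nanosecond pcap, either byte order.
PCAP_MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}


def iter_records(data):
    """Yield (record_header, frame) for every packet in a classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    endian = PCAP_MAGICS[magic]
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        rec = data[off:off + 16]
        incl_len, = struct.unpack_from(endian + "I", rec, 8)
        off += 16
        yield rec, data[off:off + incl_len]
        off += incl_len


def tcp_ports(frame):
    """(sport, dport) for TCP over IPv4/IPv6 on Ethernet (VLAN tags allowed), else None."""
    if len(frame) < 14:
        return None
    off = 12
    ethertype, = struct.unpack_from("!H", frame, off)
    off += 2
    while ethertype in (0x8100, 0x88A8):        # step over 802.1Q / 802.1ad tags
        if len(frame) < off + 4:
            return None
        ethertype, = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype == 0x0800:                     # IPv4
        if len(frame) < off + 20:
            return None
        frag, = struct.unpack_from("!H", frame, off + 6)
        if frag & 0x1FFF:                       # non-first IP fragment: no TCP header here
            return None
        proto, l4 = frame[off + 9], off + (frame[off] & 0x0F) * 4
    elif ethertype == 0x86DD:                   # IPv6 (assumption: no extension headers)
        if len(frame) < off + 40:
            return None
        proto, l4 = frame[off + 6], off + 40
    else:
        return None
    if proto != 6 or len(frame) < l4 + 4:
        return None
    return struct.unpack_from("!HH", frame, l4)


def is_modbus_tcp(frame):
    """True for any TCP segment with port 502 on either side, with or without a payload."""
    ports = tcp_ports(frame)
    return ports is not None and MODBUS_TCP_PORT in ports


def filter_pcap(data, drop=is_modbus_tcp):
    """Return a new pcap: same global header, minus the records for which drop(frame) is True."""
    out = [data[:24]]
    for rec, frame in iter_records(data):
        if not drop(frame):
            out.append(rec)
            out.append(frame)
    return b"".join(out)


def count_records(data):
    return sum(1 for _ in iter_records(data))


# ---- constructed sample capture (not a real trace) -------------------------
def _frame(proto, l4, vlan=None):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return eth + tag + b"\x08\x00" + ip + l4


def _tcp(sport, dport, payload=b""):
    # 20-byte TCP header, PSH+ACK, followed by the payload
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload


MBAP_READ_HOLDING = bytes.fromhex("000100000006010300000002")   # MBAP + FC 3 request
MBAP_READ_RESPONSE = bytes.fromhex("00010000000701030400000000")  # MBAP + FC 3 response

SAMPLE_FRAMES = [
    _frame(6, _tcp(49152, MODBUS_TCP_PORT, MBAP_READ_HOLDING)),          # Modbus request
    _frame(6, _tcp(MODBUS_TCP_PORT, 49152, MBAP_READ_RESPONSE)),         # Modbus response
    _frame(6, _tcp(49152, MODBUS_TCP_PORT)),                             # bare ACK, no Modbus PDU
    _frame(6, _tcp(49152, MODBUS_TCP_PORT, MBAP_READ_HOLDING), vlan=10),  # VLAN-tagged request
    _frame(6, _tcp(49153, 80, b"GET / HTTP/1.1\r\n\r\n")),               # other TCP: must survive
    _frame(17, struct.pack("!HHHH", 5353, 5353, 8, 0)),                  # UDP: must survive
    bytes.fromhex("ffffffffffff0011223344550806") + bytes(28),           # ARP: must survive
]


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    recs = [struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


if __name__ == "__main__":
    original = build_pcap(SAMPLE_FRAMES)
    cleaned = filter_pcap(original)
    print(count_records(original), "->", count_records(cleaned))
```

To run it on a real file, read the bytes with `open(path, "rb").read()`, pass them to `filter_pcap`, and write the returned bytes to a new file; captures saved as pcapng (Wireshark's default) must first be converted to classic pcap, since the reader above checks the pcap magic and refuses anything else.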