
Is there a simple way to plot the values within a packet vs. Time

asked 2020-11-11 15:16:35 +0000

blue_steel

Hello, I'm just looking for a simple way to plot the data within the captured packets vs. time.

Is there a way to export modus packets with the associated timestamp?




Modus? Do you mean Modbus? If so what fields do you want?

grahamb (2020-11-11 15:21:29 +0000)

Yes, sorry, Modbus.

I just want the last value in the query response which is a register value on the slave device.

blue_steel (2020-11-11 15:50:18 +0000)

1 Answer


answered 2020-11-11 16:50:29 +0000

grahamb

The issue with Wireshark dissection of register values is that they are output as multiple occurrences of the same field, so unless the response only has one register in it you will get multiple values, one per register.

Using a tshark command line to output the frame time along with the register number and the int16 value (the value type depends on the modbus dissector preferences) gives:

tshark -r E:\caps\modbus-input-register-read.pcapng -T fields -e frame.time -e modbus.regnum16 -e modbus.regval_int16
Oct  6, 2015 11:27:49.223301000 GMT Summer Time
Oct  6, 2015 11:27:49.428343000 GMT Summer Time 341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432      0,0,16282,-7864,0,0,1,0,16282,-7864,16282,-7864,16282,-7864,0,0,0,0,0,0,0,0,0,0,0,16282,-7864,0,0,1,0,16282,-7864,16282,-7864,16282,-7864,0,0,0,0,0,0,0,0,0,0,0,16253,28835,0,0,1,0,16253,28835,16253,28835,16253,28835,0,0,0,0,0,0,0,0,0,0,0,14367,-29712,0,73,30090,192,73,30090,192,15525,13455,192,15525,13455,192,17575,10510,192,17575,10510,192

In this case the first packet is the request, so no registers (a display filter could be used to eliminate that), and then the second packet is the response and you can see that the register numbers are displayed first and then the register values.

This could be post-processed using a scripting language of your choice to get at what you want.

If you truly only want the last register value in the response then you could use the -E occurrence=l flag to only show the last occurrence of a field in the packet. Using the same capture (with some additional -E formatting specifiers to give headings and use a comma to separate fields) this results in:

tshark -r E:\caps\modbus-input-register-read.pcapng -T fields -e frame.time -e modbus.regnum16 -e modbus.regval_int16 -E occurrence=l -E header=y -E separator=","
Oct  6, 2015 11:27:49.223301000 GMT Summer Time,,
Oct  6, 2015 11:27:49.428343000 GMT Summer Time,432,192


Yes, I see what you mean.

Luckily I'm just reading/writing to single registers so it shouldn't need much post-processing.

But this is what I was looking for.


blue_steel (2020-11-11 17:49:00 +0000)
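
The post-processing step mentioned in the answer, as an added example that is not part of the original thread: a Python sketch that pairs each register number with its value from the first tshark command's output and returns a per-register time series ready for plotting. It assumes tshark's default tab separator and comma aggregator; the sample lines and the names parse_time, parse_rows and series are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the tshark output above (tab-separated
# fields, comma-aggregated occurrences); the values are illustrative only.
SAMPLE = (
    "Oct  6, 2015 11:27:49.223301000 GMT Summer Time\t\t\n"
    "Oct  6, 2015 11:27:49.428343000 GMT Summer Time\t341,342,343\t0,16282,-7864\n"
    "Oct  6, 2015 11:27:50.431002000 GMT Summer Time\t341,342,343\t5,16282,-7801\n"
)

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
TIME_RE = re.compile(r"(\w{3})\s+(\d+), (\d{4}) (\d\d):(\d\d):(\d\d)\.(\d+)")


def parse_time(text):
    """Parse a frame.time string; keeps microseconds, ignores the zone name."""
    m = TIME_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised frame.time: {text!r}")
    mon, day, year, hh, mm, ss, frac = m.groups()
    micro = int(frac[:6].ljust(6, "0"))  # datetime has no nanosecond field
    return datetime(int(year), MONTHS.index(mon) + 1, int(day),
                    int(hh), int(mm), int(ss), micro)


def parse_rows(text):
    """Yield (time, register, value) for every register in every response."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or not fields[1] or not fields[2]:
            continue  # request or other frame that carries no register data
        regs, vals = fields[1].split(","), fields[2].split(",")
        if len(regs) != len(vals):
            raise ValueError(f"register/value count mismatch: {line!r}")
        when = parse_time(fields[0])
        for reg, val in zip(regs, vals):
            yield when, int(reg), int(val)


def series(text, register):
    """Return [(time, value), ...] for one register, in capture order."""
    return [(t, v) for t, r, v in parse_rows(text) if r == register]


if __name__ == "__main__":
    for when, value in series(SAMPLE, 343):
        print(when.isoformat(), value)
```

The list returned by series() can be handed to any plotting library as x and y values.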



Asked: 2020-11-11 15:16:35 +0000

Seen: 33 times

Last updated: Nov 11