Modbus TCP response timing

asked 2022-01-21 16:01:00 +0000

Hello,

I'm new to Wireshark and have read some documentation, but have a hard time putting things together.

We recorded thousands of ModbusTCP frames between devices and would like to perform a timing analysis based on the transaction ID. I see that I can filter based on transaction ID using "mbtcp.trans_id"; I could also filter based on source and destination IP. What I have a hard time figuring out is how to put everything together in order to have stats for all the queries/responses, to figure out their timing and whether there are any outstanding transactions or other issues.

We have a connection reset problem every few days between the devices and have a hard time figuring out the issue.

This question partially answers a possible error, but it looks like they search for in-flight queries by hand. Could anyone help me with some clues about how to do that using the filters?

https://osqa-ask.wireshark.org/questi...

Best regards


1 Answer


answered 2022-01-21 18:08:27 +0000

grahamb

The Wireshark dissector for Modbus will attempt to match up requests and responses using the Transaction ID (mbtcp.trans_id) in the header and then calculate the response time for you (modbus.response_time).

You can add both these values as columns (and any other dissected value) by right-clicking the value in the packet details pane and choosing "Apply as column".

If you want to export this elsewhere for analysis, then using tshark might help, as it can output CSV directly using the -T fields -e <field name> -e <another field name> options, e.g.

tshark -r mycapturefile.pcapng -Y mbtcp -T fields -Eheader=y -Eseparator=, -e frame.number -e mbtcp.trans_id -e modbus.response_time

This gives an output like (for a capture with a single request and response):

frame.number,mbtcp.trans_id,modbus.response_time
1,136,
2,136,0.205042000

You can add more -e <field name> options as required. The name of a field is displayed in the status bar at the bottom of Wireshark when the field is selected in the packet details pane.


Comments

Thanks a lot for your answer. I was able to add that column and export the whole list of packets to a CSV file. I was then able to check the number of in-flight (unanswered) queries over time, check the longest, check if any were unanswered, payload data lengths...

We haven't found any issue in the ModbusTCP exchanges; all exchanges conform between the client and the server, so the issue may lie somewhere else.

I'd upvote your answer, but I'm new to this forum and cannot upvote until I reach 15 points. Thanks again though.

boumboauto (2022-01-23 10:16:53 +0000)

Np, simply accept the answer as solving (or helping to solve) your issue by clicking the checkmark icon to the left of the answer. This helps other users know what helped with your issue.

grahamb (2022-01-24 08:40:51 +0000)
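The answer above shows how to get a per-frame CSV out of tshark, and the follow-up comment describes the analysis the asker then did by hand: counting in-flight queries over time, finding the slowest exchange and spotting transactions that were never answered. The script below is an added example (not from the original thread or from the Wireshark project) that automates that analysis over such a CSV. It assumes the export was widened with the real tshark fields frame.time_relative, ip.src and ip.dst in addition to the three fields shown in the answer, and that the Modbus client is identified by its IP address; the CSV rows embedded in it are constructed for the demonstration, not from a real capture.

```python
import csv
import io
from statistics import mean

# Constructed sample in the layout tshark produces for:
#   tshark -r cap.pcapng -Y mbtcp -T fields -Eheader=y -Eseparator=, \
#     -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
#     -e mbtcp.trans_id -e modbus.response_time
# Not a real capture: transaction 137 is deliberately never answered and
# 137/138 overlap so that two queries are outstanding at the same time.
SAMPLE_CSV = """frame.number,frame.time_relative,ip.src,ip.dst,mbtcp.trans_id,modbus.response_time
1,0.000000,10.0.0.10,10.0.0.20,136,
2,0.205042,10.0.0.20,10.0.0.10,136,0.205042000
3,0.500000,10.0.0.10,10.0.0.20,137,
4,0.510000,10.0.0.10,10.0.0.20,138,
5,0.730000,10.0.0.20,10.0.0.10,138,0.220000000
6,1.000000,10.0.0.10,10.0.0.20,139,
7,1.900000,10.0.0.20,10.0.0.10,139,0.900000000
"""


def analyze_modbus_csv(csv_text, client_ip):
    """Match Modbus/TCP requests to responses by transaction ID.

    Frames whose ip.src is client_ip are treated as requests, all other
    frames as responses. Returns timing and health statistics as a dict.
    """
    pending = {}            # trans_id -> (frame, time) of requests awaiting a response
    responses = []          # (trans_id, measured_rt, dissector_rt or None)
    unmatched = []          # responses whose trans_id had no pending request
    reused_ids = []         # trans_ids reissued while still outstanding
    inflight_timeline = []  # (time, outstanding request count) after each frame
    max_inflight = 0

    # Process in frame order so that "outstanding" means outstanding at that moment.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: int(r["frame.number"]))
    for row in rows:
        frame = int(row["frame.number"])
        t = float(row["frame.time_relative"])
        tid = int(row["mbtcp.trans_id"])
        if row["ip.src"] == client_ip:
            if tid in pending:
                reused_ids.append(tid)      # an ID reuse would confuse any matcher
            pending[tid] = (frame, t)
            max_inflight = max(max_inflight, len(pending))
        elif tid in pending:
            _, req_t = pending.pop(tid)
            dissector_rt = row["modbus.response_time"]
            # Keep both our own delta and the dissector's value so they can be cross-checked.
            responses.append((tid, t - req_t,
                              float(dissector_rt) if dissector_rt else None))
        else:
            unmatched.append(tid)
        inflight_timeline.append((t, len(pending)))

    rts = [rt for _, rt, _ in responses]
    slowest = max(responses, key=lambda r: r[1]) if responses else None
    return {
        "answered": len(responses),
        "unanswered": sorted(pending),          # requests with no response in the capture
        "unmatched_responses": unmatched,
        "reused_ids": reused_ids,
        "max_inflight": max_inflight,
        "max_response_time": max(rts) if rts else None,
        "mean_response_time": mean(rts) if rts else None,
        "slowest_trans_id": slowest[0] if slowest else None,
        "responses": responses,
        "inflight_timeline": inflight_timeline,
    }


if __name__ == "__main__":
    stats = analyze_modbus_csv(SAMPLE_CSV, client_ip="10.0.0.10")
    for key, value in stats.items():
        if key not in ("inflight_timeline", "responses"):
            print(f"{key}: {value}")
```

The inflight_timeline list is what you would plot to see outstanding queries over time, and the measured-versus-dissector pair in responses is a quick sanity check that the export and the matching agree. One caveat when producing the CSV: if a single TCP segment carries more than one Modbus ADU, tshark joins the multiple mbtcp.trans_id values with its field aggregator character, which by default is also a comma; pass -E aggregator=/ (or another character) so such rows stay parseable, and extend the int() conversion accordingly.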
