
How to capture modbus tcp traffic on a switch

asked 2018-05-01 22:14:52 +0000


I currently have a new PLC installation that has some Modbus communications going on over TCP/IP. All the equipment is connected to an Allen Bradley Stratix 2000 switch. According to the documentation this switch is an unmanaged switch. I connect my laptop to an open port and set an IP that is local with all the other devices. I have run a couple of captures but there is no Modbus traffic showing up. Am I doing something wrong?


1 Answer


answered 2018-05-02 01:26:35 +0000

Guy Harris

If you're capturing on a switched network, you won't, by default, see traffic on the network except for broadcast and possibly multicast traffic, and unicast traffic to and from the machine doing the capturing; you won't see unicast traffic going between other machines plugged into the switch. See the "switched Ethernet" section of the Wireshark Wiki page on capture setup on Ethernet for details.

As that page indicates, there are ways to see all the traffic, but not all of them may work with your switch.

The manual for the Stratix Managed Switches uses the term "port mirroring" for the "send a copy of switch traffic to a particular port" feature.

The manual for the Stratix 2000 Unmanaged Switches doesn't mention that term, so it presumably does not implement that feature.

Unfortunately, this means that the "Capture using a monitor mode of the switch" instructions won't work, so you might not be able to capture traffic between the other equipment plugged into the switch.




And if the unmanaged switch doesn't support mirroring, you'll need to insert a tap or a switch that does span or mirror into one of the segments carrying the Modbus traffic.

grahamb ( 2018-05-02 08:48:23 +0000 )
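A way to check what a given capture point actually sees, as an added example that is not part of the original answer or comment: it classifies raw Ethernet II frames by destination MAC and flags TCP port 502 (the registered Modbus/TCP port), so a capture containing only broadcast, multicast and the capturing machine's own unicast can be told apart from one taken on a mirror port or tap. The MAC addresses, IP addresses, the `LAPTOP`/`PLC`/`DRIVE` names and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter

MODBUS_TCP_PORT = 502  # registered Modbus/TCP port

def classify(frame, my_mac):
    """Return (visibility class, is_modbus_tcp) for one raw Ethernet II frame."""
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if dst == b"\xff" * 6:
        kind = "broadcast"
    elif dst[0] & 0x01:                      # group bit set: multicast
        kind = "multicast"
    elif my_mac in (dst, src):
        kind = "own-unicast"
    else:
        kind = "other-unicast"               # only seen via mirror port, tap or flooding
    is_modbus = False
    if ethertype == 0x0800 and len(frame) >= 34 and frame[23] == 6:  # IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]                     # skip IP header (IHL)
        if len(tcp) >= 4:
            is_modbus = MODBUS_TCP_PORT in struct.unpack("!HH", tcp[:4])
    return kind, is_modbus

def assess(frames, my_mac):
    """Summarise what the capture point can see and why Modbus may be absent."""
    counts, modbus_other = Counter(), 0
    for f in frames:
        kind, is_modbus = classify(f, my_mac)
        counts[kind] += 1
        modbus_other += kind == "other-unicast" and is_modbus
    if modbus_other:
        verdict = "Modbus/TCP between other hosts is visible"
    elif not counts["other-unicast"]:
        verdict = "only broadcast/multicast/own traffic: no unicast from other hosts reaches this port"
    else:
        verdict = "other hosts' unicast visible, but none on port 502"
    return counts, modbus_other, verdict

# --- constructed sample frames (MACs, IPs and ports are made up; checksums are zero) ---
def tcp_frame(dst, src, sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
    return dst + src + b"\x08\x00" + ip + tcp

LAPTOP, PLC, DRIVE = (bytes([2, 0, 0, 0, 0, n]) for n in (1, 0x10, 0x20))
ARP = b"\xff" * 6 + PLC + b"\x08\x06" + bytes(28)          # broadcast ARP from the PLC
LAPTOP_PORT = [ARP, tcp_frame(PLC, LAPTOP, 50000, 80)]      # ordinary switch port
MIRROR_PORT = LAPTOP_PORT + [tcp_frame(DRIVE, PLC, 50001, 502), tcp_frame(PLC, DRIVE, 502, 50001)]
```

`assess(LAPTOP_PORT, LAPTOP)` reports no unicast from other hosts, which matches the situation in the question; `assess(MIRROR_PORT, LAPTOP)` counts the two PLC/DRIVE frames on port 502.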


Question Tools


Asked: 2018-05-01 22:14:52 +0000

Seen: 3,149 times

Last updated: May 02 '18