Hi! This may be a dumb question, but I am wondering if there is a way for me to filter (capture filter, not display filter) out protocols, specifically just to "Modbus/TCP".
Entering Modbus, modbus, Modbus/tcp, and modbus/tcp does not work.
Is it using the default port of 502? (Decoding Modbus TCP on different port number)
If so then capture filter of port 502 should work.
Thank you for the quick reply chuckc!
I originally filtered (for the capture filter) port 502. He said it may not always be port 502, so I have to find a way to just filter by protocols (if it is, at all possible).
Thank you again!
That's exactly what I assumed, but I wanted to be 100% sure before I provide the information to my boss.
Thank you for your help! I will let him know, that I can run port ranges and work from there if anything.
As Modbus traffic isn't very distinctive, there is no heuristic setting to allow automatic dissection on unusual ports, hence you have to manually set dissection ports using "Decode As ...".
Unless traffic is dissected as Modbus, the display filters you've listed won't work. Bit of a chicken and egg situation.
Well noted! I looked at the last link chuckc provided (Decoding Modbus TCP on different port number). I figured that I will have to set it to "Decode As ..." for it to be displayed as that.
Thank you for the heads up on Display filters!
Asked: 2023-07-12 14:41:26 +0000
Seen: 762 times
Last updated: Jul 12 '23
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
