Ask Your Question
0

How can I verify if a Modbus TCP connection is being properly closed?

asked 2023-08-02 23:18:50 +0000

frank66 gravatar image

We are troubleshooting a possible problem where a Modbus TCP client is supposedly not closing Modbus TCP connections with the Modbus Master, and after a while the Modbus master rejects any further attemps for TCP connections. The thing is, that we do not know which TCP client might be the culprit.

What would be the proper way to capture and filter TCP flows between two hostos to verify if the Modbus TCP connections are being properly closed (and thus not left "hanging" using up resources)? Not sure if this can be done with the "conversation" feature or some other way?

Tank you in advance for any advice you can provide.

edit retag flag offensive close merge delete

Comments

Chuck, thank you for the input, very useful indeed.

The TCP completness analysis has allowed us to identify a device in our network that is generating a lot of incomplete TCP connections that I think are causing this problem. I might add that the troublesome device is a Teltonika 4G router that is reading Modbus TCP holding registers and is generating a lot of incomplete TCP connections that can be filtered with the ´tcp.completeness==30´ view filter that basically shows you anytime a TCP connection is not properly closed or completed. Additional info about this can be found here: https://www.qacafe.com/resources/abou...

When we use a Node-Red simulator with the exact same Modbus poll sent by the router, we see no failures, so I think we have found the problem. Thank you Wireshark.

frank66 gravatar imagefrank66 ( 2023-08-03 02:30:39 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2023-08-03 00:34:20 +0000

Chuckc gravatar image

Can you do it with TCP Conversation Completeness?
See 7.5. TCP Analysis in the WSUG (Wireshark User’s Guide).

edit flag offensive delete link more

Comments

Chuck, thank you for the input, very useful indeed.

The TCP completness analysis has allowed us to identify a device in our network that is generating a lot of incomplete TCP connections that I think are causing this problem. I might add that the troublesome device is a Teltonika 4G router that is reading Modbus TCP holding registers and is generating a lot of incomplete TCP connections that can be filtered with the ´tcp.completeness==30´ view filter that basically shows you anytime a TCP connection is not properly closed or completed.

Additional info about this type of analysis can be found here (very straight-forward and easy to understand): [https://www.qacafe.com/resources/abou...]

When we use a Node-Red simulator with the exact same Modbus poll sent by the router, we see no failures, so I think we have found the problem. Thank you Wireshark.

frank66 gravatar imagefrank66 ( 2023-08-03 02:33:55 +0000 )edit

30 is an even number and if there is a SYN then completeness should be odd.
You might want to try a development build which would include 10686: TCP: Conversation Completeness wrong value for some protocols

Chuckc gravatar imageChuckc ( 2023-08-03 03:16:45 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-08-02 23:18:50 +0000

Seen: 494 times

Last updated: Aug 03 '23