Modbus UDP versus TCP

asked 2026-01-30 11:31:24 +0000

FrankF

When using Wireshark to capture Modbus TCP packets, it will detect and display if one TCP packet contains more than one query. This is correct according to the Modbus TCP specification, where the transaction ID in the header is used to identify each query.

But when using UDP instead of TCP, Wireshark does not show if there is more than one query in the packet. In the packet data, I can see that there are several queries, but Wireshark does not display this, as it does for Modbus TCP.

Is this something that can be fixed in Wireshark?


Comments

Can you provide a sample capture with multiple queries in a UDP frame?
Any links to a standard or RFC that support this?

epan/dissectors/packet-mbtcp.c:

static int
dissect_mbudp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
{
    if (!is_mbtcp(tvb, pinfo))
        return 0;

    /* Make entries in Protocol column on summary display */
    col_set_str(pinfo->cinfo, COL_PROTOCOL, "Modbus/UDP");
    col_clear(pinfo->cinfo, COL_INFO);

    return dissect_mbtcp_pdu_common(tvb, pinfo, tree, proto_mbudp, global_mbus_udp_ports);
}

Looks like the code just does the first PDU for UDP.

Chuckc ( 2026-01-30 16:17:27 +0000 )

I tried to copy capture file in here, but looks like I need more points to do that. I can copy the bytes from the message here, if that helps.

The format follows the Modbus Messaging on TCP/IP Implementation Guide V1.0b from October 2006, chapter 4.2.1.1, and rule number 4. It uses the transaction identifier to relate queries and responses.

Here is the hex dump of the bytes from the UDP request containing the 4 queries in one UDP telegram. The transaction identifiers are 0, 1, 2 and 3, to identify each query. I have marked each transaction identifier in bold.

0000   00 a0 1d 2c b7 98 00 a0 1d 13 b0 1f 08 00 45 00
0010   00 4c b8 50 40 00 40 11 f6 f4 c0 a8 85 09 c0 a8
0020   85 01 da ce 01 f6 00 38 91 ...

FrankF ( 2026-02-02 13:56:34 +0000 )

(The comment above had reached max comment size so reposting as two comments)

I tried to copy capture file in here, but looks like I need more points to do that. I can copy the bytes from the message here, if that helps.

The format follows the Modbus Messaging on TCP/IP Implementation Guide V1.0b from October 2006, chapter 4.2.1.1, and rule number 4. It uses the transaction identifier to relate queries and responses.

Here is the hex dump of the bytes from the UDP request containing the 4 queries in one UDP telegram. The transaction identifiers are 0, 1, 2 and 3, to identify each query. I have marked each transaction identifier in bold.

0000   00 a0 1d 2c b7 98 00 a0 1d 13 b0 1f 08 00 45 00
0010   00 4c b8 50 40 00 40 11 f6 f4 c0 a8 85 ...

Chuckc ( 2026-02-02 14:57:02 +0000 )

(Repost second section. This hex dump may be truncated due to max comment size above?)

The response hex dump is also packed into one UDP telegram as follows, and I have marked the related transaction identifiers in bold also here.

0000   00 a0 1d 13 b0 1f 00 a0 1d 2c b7 98 08 00 45 00
0010   01 ea 00 00 40 00 40 11 ad a7 c0 a8 85 01 c0 a8
0020   85 09 01 f6 da ce 01 d6 d1 6c **00 00** 00 00 00 cb
0030   01 03 c8 00 00 00 00 00 00 00 00 00 00 00 00 00
0040   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0050   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0060   00 00 00 00 00 00 00 ...

Chuckc ( 2026-02-02 14:58:35 +0000 )

> I tried to copy capture file in here, but looks like I need more points to do that.

The capture file can be placed on a public file share then the question updated with a link to it.

Chuckc ( 2026-02-02 14:59:53 +0000 )
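
The thread concerns one UDP payload that carries several Modbus ADUs back to back, each with its own MBAP header. As an added example (not Wireshark's code and not posted by anyone in the thread), this C routine walks such a payload by following the MBAP length field and collects every transaction identifier, which is a quick way to check whether a tool that reports only the first PDU is missing later queries. The function name `mbap_walk` and the sample bytes are assumptions constructed for illustration: four 12-byte read requests with transaction identifiers 0 to 3, as the question describes, with made-up register addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBAP_HDR_LEN 7   /* transaction id, protocol id, length, unit id */

/* Walk every Modbus ADU in one datagram payload. Stores up to max_tids
 * transaction identifiers and returns the number of ADUs found, or -1 if
 * a header is malformed or a length field overruns the payload. */
int mbap_walk(const uint8_t *buf, size_t len, uint16_t *tids, size_t max_tids)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < MBAP_HDR_LEN + 1)       /* header + function code */
            return -1;
        uint16_t tid   = (uint16_t)(buf[off] << 8 | buf[off + 1]);
        uint16_t proto = (uint16_t)(buf[off + 2] << 8 | buf[off + 3]);
        uint16_t alen  = (uint16_t)(buf[off + 4] << 8 | buf[off + 5]);
        /* length counts the unit id plus the PDU; protocol id 0 = Modbus */
        if (proto != 0 || alen < 2 || alen > len - off - 6)
            return -1;
        if ((size_t)count < max_tids)
            tids[count] = tid;
        count++;
        off += 6 + (size_t)alen;                /* next ADU starts here */
    }
    return count;
}

/* Constructed sample: four read-holding-registers requests, transaction
 * ids 0..3, 12 bytes each (register addresses are made up). */
static const uint8_t sample_req[48] = {
    0x00,0x00, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x64,
    0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x64, 0x00,0x64,
    0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0xc8, 0x00,0x64,
    0x00,0x03, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x01,0x2c, 0x00,0x64,
};

int main(void)
{
    uint16_t tids[8];
    int n = mbap_walk(sample_req, sizeof sample_req, tids, 8);
    printf("ADUs in datagram: %d\n", n);
    for (int i = 0; i < n; i++)
        printf("  transaction id %u\n", tids[i]);
    return 0;
}
```

A return of -1 means the payload does not divide cleanly into ADUs, which in a monitoring context is worth logging rather than silently treating the datagram as a single query.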