Response times = delta times after reordering (sorting) the row values.

Does anyone know how to display delta times between packets (line after line) BUT even after ordering rows by some column (so the delta times will be updated after the reorder)?

I'm doing some testing with multiple Modbus TCP/IP connections and I'm interested in response times I'm getting from some devices. I see and can identify those responses in Wireshark but I cannot clearly see the response times. What I'm doing is ordering packets by tcp.stream and timestamps to have a clear view of every request -> response entries. So stream by stream (device by device), one line is a request, another one is a response (and so on). The problem is when you use ordering, neither Delta Time displayed nor Delta Time will show the actual delta time between response/request as ordering by stream won't update those delta time values. Without ordering though, my current delta times are incorrect as I have multiple Modbus devices so request/response packets are mixed because all those devices are communicating at the same time. That's why I have to order rows by tcp.stream.

I've found TCPextend lua file which adds another delta column but this one shows "time since the previous packet was transmitted from the same source" so now I see "request+response" times while I only care about response times. I know I can use, for example, Excel for this but I would really want to have it working in Wireshark.

Thanks for any help!


So is what you really want the time between a Modbus request and the reply to that request, and the Modbus dissector isn't displaying that, so you're using the delta time column for that, instead?

( 2019-02-16 21:27:43 +0000 )

Yes, correct.

( 2019-02-17 20:12:07 +0000 )


OK, I've just checked in a change to give, for Modbus reply packets, the time difference between the matching request and the reply. It shows up right after the frame number of the packet containing the matching request; the field name is "modbus.response_time", and you can make it a custom column so it shows up as a column.

It will be available in Wireshark 3.0; if you want to experiment with it, you can go to the "Go Spelunking" section of the Wireshark download page, select one of the download sites (3 in Europe, 2 in Asia, 3 in the US), go to "automated", and select:

• win32 for 32-bit Windows;
• win64 for 64-bit Windows;
• osx for macOS;
• src for the source code, which you'll need to compile for other platforms (Linux, *BSD, Solaris, etc.).

Pick one of the "wireshark-3.0.0rc1" files - choose the newest one. These are "release candidate" builds, and may have issues (the first announced release candidate had some macOS issues that needed to be fixed, for example). Report any problems on the Wireshark Bugzilla.

If the request/response time information there solves the underlying problem you're trying to solve, let us know.


That's amazing. Thank you Guy, that will be really helpful. I did a check of your change with some random Modbus pcap and it seems it's doing the job. I'll do some real testing tomorrow with our data.

( 2019-02-17 20:26:16 +0000 )

Your description is a little confusing. Have you tried filtering by tcp stream, tcp.stream eq xxx where xxx is the stream number of interest, and then ordering by frame No. (the default) and adding a column for the time delta from previous displayed frame? The filter will restrict the display to a particular device (assuming one stream per device), and then the delta between displayed frames should be correct.


Thanks. It is a solution, you're correct. However it's not that handy with a larger number of devices (=streams) you want to check.

( 2019-02-17 20:27:22 +0000 )

In that case I would use tshark, the command line version of Wireshark and automate via some scripting.

( 2019-02-18 09:54:55 +0000 )
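One way to script the tshark approach suggested above, as an added example that is not part of the original thread: it pairs each Modbus/TCP response with its request by TCP stream and transaction ID, so interleaved devices do not distort the timings. The function name, the capture file name and the sample rows are constructed for illustration, and it assumes the devices listen on the default port 502.

```python
import csv
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows (not from a real capture) in the shape produced by:
#   tshark -r capture.pcap -Y mbtcp -T fields -E separator=, -E occurrence=f \
#          -e frame.time_epoch -e tcp.stream -e tcp.dstport -e mbtcp.trans_id
# Two devices (streams 0 and 1) are polled at the same time, so rows interleave.
SAMPLE = """\
1550350000.000000,0,502,1
1550350000.002000,1,502,1
1550350000.015000,0,49152,1
1550350000.040000,1,49153,1
1550350001.000000,0,502,2
1550350001.001000,1,502,2
1550350001.012000,0,49152,2
"""

MODBUS_PORT = 502  # assumption: devices use the default Modbus/TCP port


def response_times(lines):
    """Pair responses with requests by (tcp.stream, transaction id).

    Returns (results, unanswered): results maps stream -> list of
    (trans_id, microseconds); unanswered lists (stream, trans_id) still pending.
    """
    pending = {}                 # (stream, trans_id) -> request time in microseconds
    results = defaultdict(list)
    for row in csv.reader(lines):
        if len(row) != 4 or not row[3]:
            continue             # blank line or frame without a transaction id
        ts, stream, dstport, tid = row
        key = (int(stream), int(tid))
        usec = int(Decimal(ts) * 1_000_000)   # Decimal avoids float rounding error
        if int(dstport) == MODBUS_PORT:
            pending[key] = usec  # a repeated request restarts the timer
        elif key in pending:
            results[key[0]].append((key[1], usec - pending.pop(key)))
        # a response whose request was not captured is skipped
    return dict(results), sorted(pending)


if __name__ == "__main__":
    times, unanswered = response_times(SAMPLE.splitlines())
    for stream, rows in sorted(times.items()):
        for tid, usec in rows:
            print(f"stream {stream} trans_id {tid}: {usec / 1000:.1f} ms")
    print("unanswered (stream, trans_id):", unanswered)
```

Requests that never receive a reply are returned separately, which is useful when checking for devices that stop responding.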

It's not in Wireshark, but I think you are trying to do the same thing as here?

I don't think Wireshark has any built in tool to analyse Modbus in this way.


Thanks. Yes, I know that it would be very easy with another tool. I don't work too much with networking so sticking to freeware Wireshark would be the best option for me.

( 2019-02-17 20:28:54 +0000 )