0

Response times = delta times after reordering (sorting) the row values.

asked 2019-02-16 12:38:43 +0000

pcm

updated 2019-02-17 20:54:45 +0000

Does anyone know how to display delta times between packets (line after line) BUT even after ordering rows by some column (so the delta times will be updated after the reorder)?

I'm doing some testing with multiple Modbus TCP/IP connections and I'm interested in response times I'm getting from some devices. I see and can identify those responses in Wireshark but I cannot clearly see the response times. What I'm doing is ordering packets by tcp.stream and timestamps to have a clear view of every request -> response entry. So stream by stream (device by device), one line is a request, another one is a response (and so on). The problem is when you use ordering, neither Delta Time displayed nor Delta Time will show the actual delta time between response/request, as ordering by stream won't update those delta time values. Without ordering though, my current delta times are incorrect as I have multiple Modbus devices so request/response packets are mixed because all those devices are communicating at the same time. That's why I have to order rows by tcp.stream.

I've found TCPextend lua file which adds another delta column but this one shows "time since the previous packet was transmitted from the same source" so now I see "request+response" times while I only care about response times. I know I can use, for example, Excel for this but I would really want to have it working in Wireshark.

Thanks for any help!


Comments

So is what you really want the time between a Modbus request and the reply to that request, and the Modbus dissector isn't displaying that, so you're using the delta time column for that, instead?

Guy Harris ( 2019-02-16 21:27:43 +0000 )

Yes, correct.

pcm ( 2019-02-17 20:12:07 +0000 )

3 Answers

1

answered 2019-02-17 04:18:01 +0000

Guy Harris

OK, I've just checked in a change to, for Modbus reply packets, give the time difference between the matching request and the reply. It shows up right after the frame number of the packet containing the matching request; the field name is "modbus.response_time", and you can make it a custom column so it shows up as a column.

It will be available in Wireshark 3.0; if you want to experiment with it, you can go to the "Go Spelunking" section of the Wireshark download page, select one of the download sites (3 in Europe, 2 in Asia, 3 in the US), go to "automated", and select:

  • win32 for 32-bit Windows;
  • win64 for 64-bit Windows;
  • osx for macOS;
  • src for the source code, which you'll need to compile for other platforms (Linux, *BSD, Solaris, etc.).

Pick one of the "wireshark-3.0.0rc1" files - choose the newest one. These are "release candidate" builds, and may have issues (the first announced release candidate had some macOS issues that needed to be fixed, for example). Report any problems on the Wireshark Bugzilla.

If the request/response time information there solves the underlying problem you're trying to solve, let us know.


Comments

That's amazing. Thank you Guy, that will be really helpful. I did a check of your change with some random modbus pcap and it seems it's doing the job. I'll do some real testing tomorrow with our data.

pcm ( 2019-02-17 20:26:16 +0000 )
0

answered 2019-02-16 21:49:30 +0000

grahamb

Your description is a little confusing. Have you tried filtering by tcp stream, tcp.stream eq xxx where xxx is the stream number of interest, and then ordering by frame No. (the default) and adding a column for the time delta from previous displayed frame? The filter will restrict the display to a particular device (assuming one stream per device), and then the delta between displayed frames should be correct.


Comments

Thanks. It is a solution, you're correct. However, it's not that handy with a larger number of devices (=streams) you want to check.

pcm ( 2019-02-17 20:27:22 +0000 )

In that case I would use tshark, the command line version of Wireshark and automate via some scripting.

grahamb ( 2019-02-18 09:54:55 +0000 )
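
The tshark scripting suggested in the comment above could look like the following. This is an added example, not code from the thread or from the Wireshark project. It pairs each Modbus/TCP request with its response per tcp.stream using the transaction ID, and also lists requests that never got a reply. The assumptions are port 502 for the devices, tab-separated `tshark -T fields` output, and the constructed sample rows.

```python
from decimal import Decimal

MODBUS_PORT = 502  # assumption: devices listen on the default Modbus/TCP port

# Input format assumed: tab-separated output of a command such as
#   tshark -r capture.pcap -Y mbtcp -T fields -e frame.number \
#     -e frame.time_epoch -e tcp.stream -e tcp.dstport -e mbtcp.trans_id
# (capture.pcap is a placeholder). Rows below are constructed sample data:
# two devices (streams 0 and 1) polled at the same time.
SAMPLE_ROWS = [
    ("1", "1550320000.000000", "0", "502", "1"),
    ("2", "1550320000.001000", "1", "502", "1"),
    ("3", "1550320000.012500", "0", "49152", "1"),
    ("4", "1550320000.030000", "1", "49153", "1"),
    ("5", "1550320001.000000", "0", "502", "2"),
    ("6", "1550320001.008000", "0", "49152", "2"),
    ("7", "1550320001.500000", "1", "502", "2"),  # request with no reply
]
SAMPLE = "\n".join("\t".join(row) for row in SAMPLE_ROWS)

def response_times(text, port=MODBUS_PORT):
    """Return (matched, unanswered); matched rows are
    (stream, trans_id, request_frame, response_frame, seconds)."""
    pending = {}  # (stream, trans_id) -> (request frame, request time)
    matched = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # not a row in the expected five-column format
        frame, ts, stream = int(fields[0]), Decimal(fields[1]), int(fields[2])
        to_server = int(fields[3]) == port
        # One TCP segment can carry several Modbus PDUs; tshark then
        # joins the transaction IDs with commas in a single field.
        for tid in filter(None, fields[4].split(",")):
            key = (stream, int(tid))
            if to_server:
                pending[key] = (frame, ts)  # a retransmission replaces it
            elif key in pending:
                req_frame, req_ts = pending.pop(key)
                matched.append((stream, key[1], req_frame, frame, ts - req_ts))
    unanswered = sorted((s, t, f) for (s, t), (f, _) in pending.items())
    return matched, unanswered

def worst_per_stream(matched):
    """Slowest response seen on each stream (one stream per device)."""
    worst = {}
    for stream, _tid, _req, _resp, delta in matched:
        worst[stream] = max(worst.get(stream, Decimal(0)), delta)
    return worst
```
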
0

answered 2019-02-16 17:49:32 +0000

Bob Jones

It's not in Wireshark, but I think you are trying to do the same thing as here?

I don't think Wireshark has any built in tool to analyse Modbus in this way.


Comments

Thanks. Yes, I know that it would be very easy with another tool. I don't work too much with networking so sticking to freeware Wireshark would be the best option for me.

pcm ( 2019-02-17 20:28:54 +0000 )

Stats

Asked: 2019-02-16 12:38:43 +0000

Seen: 1,086 times

Last updated: Feb 17 '19