This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Segment

0

Hello, I am using Modbus TCP to communicate between 2 computers. On one computer I am using a program called Ignition, and on the other is a program that was created in VB6. Communications mostly work, but Ignition sometimes shows Unknown under Quality and sometimes shows Good under Quality. I found in Wireshark that the first packet the VB6 program sends to Ignition is good, but at the end of the packet there is a 00 which Wireshark says is "A data segment used in reassembly of a low level protocol."

Ignition then queries, and when the VB6 program responds it is not shown as Modbus/TCP protocol but just TCP. For some reason it reassembled the last byte of the first response onto the front end of the Modbus data of this response, as shown below:

0000 00 07 65 00 00 00 09 00 03 06 00 81 00 00 03 58
0010 00

Can anyone tell me why it thinks the second response needs to be reassembled? Why does the first response's last byte show as TCP segment data?

asked 16 Sep '13, 06:52

hban

> For some reason it reassembled the last byte of the first response onto the front end of the Modbus data of this response.
> Can anyone tell me why it thinks the second response need to be reassembled? Why the first responds last byte show as a TCP Segment data?

I'm not sure if this is a problem related to Wireshark. It sounds like your program logic has a fault. Anyway, can you please post a capture file? We can then test what Wireshark shows and possibly be able to identify the problem.

You can post the capture file on Google Docs, Dropbox or Cloudshark.

Regards
Kurt

(16 Sep '13, 07:37) Kurt Knochner ♦

Which version of Wireshark?

Can you post the capture somewhere, e.g. Cloudshark or Google Drive and share a link to it here?

(16 Sep '13, 07:45) grahamb ♦

Wireshark 1.10.2

Here is the captured file: Cloudshark

(16 Sep '13, 08:08) hban

One Answer:

3

The Modbus slave implementation is adding an extra byte of 0x00 to the responses. As TCP is a stream protocol, the dissector reads the expected bytes from the packet for the response and then treats the extra byte as the first byte of a subsequent message and tries to reassemble it.

You'll need to fix the slave implementation.

answered 16 Sep '13, 08:40

grahamb ♦

Thanks, I was able to find the problem from what you suggested. VB6, instead of creating a 15 byte array, was creating a 16 byte array.

(16 Sep '13, 10:38) hban

@hban if an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(17 Sep '13, 03:48) grahamb ♦
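
Added example (not part of the original thread and not Wireshark's dissector code): a minimal Modbus/TCP framer that splits a TCP byte stream using only the MBAP length field, showing how one extra 0x00 per response shifts the next header. RESP2 is the response from the question's hex dump without the stray bytes; RESP1 and the function name frame_adus are constructed for illustration.

```python
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def frame_adus(stream: bytes):
    """Split a TCP byte stream into Modbus/TCP ADUs.

    Returns (frames, leftover, error). TCP has no message boundaries, so
    framing depends entirely on the MBAP length field: a single stray
    byte becomes the first byte of the "next" header.
    """
    frames, pos = [], 0
    while len(stream) - pos >= MBAP_LEN:
        tid, proto, length, unit = struct.unpack_from(">HHHB", stream, pos)
        # Protocol id is 0 for Modbus; length covers unit id + PDU (2..254).
        if proto != 0 or not 2 <= length <= 254:
            err = (f"bad MBAP header at offset {pos}: "
                   f"protocol id 0x{proto:04x}, length {length}")
            return frames, stream[pos:], err
        end = pos + 6 + length
        if end > len(stream):
            break  # ADU incomplete, wait for more TCP segments
        frames.append({"tid": tid, "unit": unit, "pdu": stream[pos + 7:end]})
        pos = end
    return frames, stream[pos:], None


# Response from the question's hex dump, stray bytes removed (15 bytes).
RESP2 = bytes.fromhex("07 65 00 00 00 09 00 03 06 00 81 00 00 03 58")
# Constructed first response: same payload, previous transaction id.
RESP1 = bytes.fromhex("07 64 00 00 00 09 00 03 06 00 81 00 00 03 58")

if __name__ == "__main__":
    # Correct slave: two 15-byte ADUs, nothing left over.
    print(frame_adus(RESP1 + RESP2))
    # Slave sending a 16-byte array: the extra 0x00 is held back as the
    # start of a following message.
    print(frame_adus(RESP1 + b"\x00"))
    # When the second response arrives, the header is read one byte early
    # and the protocol id is no longer 0.
    print(frame_adus(RESP1 + b"\x00" + RESP2 + b"\x00"))
```

In the last case the leftover bytes are exactly the 17 bytes shown in the question's hex dump.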