This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MODBUS/UDP Support

1

One of our vendors implemented MODBUS/UDP in a system they delivered to us. We commonly use Wireshark to troubleshoot issues. However, I am now stuck using an old version of Wireshark because new versions no longer support MODBUS/UDP since it's not an actual standard. I've found 1.6.4 Portable can still dissect the MODBUS packets (and filter by MODBUS values), but it hangs sometimes when saving files. I know 1.10.0 on up will not dissect the MODBUS from UDP. The bug pages suggest using "Decode As..." but it's not even an option when I go to "Decode As..." anymore.

So, I have a couple questions: 1. What is the last version of Wireshark that could still dissect MODBUS/UDP? 2. Is there a work-around or some way to get a newer version to dissect MODBUS from within UDP?

Thank You.

asked 07 May '14, 13:07

Trashman's gravatar image

Trashman
16448
accept rate: 0%

edited 07 May '14, 13:09

Update: Checked the last "old stable" version 1.8.14 (portable version). It dissects the MODBUS inside UDP, and it can also filter (though the filter syntax changed).

(07 May '14, 13:55) Trashman

In case anyone asks, I've tried 1.10.0, 1.10.1, 1.10.5, and 1.10.7 both 64-bit full installs and 32-bit portable versions - none of them were able to dissect MODBUS from UDP. It appears I've answered question 1 myself, 1.8.14 supports it and appears to work well. I know it's always best to use the latest software, however, so I'd like to be able to use 1.10.x and future versions if anyone knows of a workaround.

(07 May '14, 14:02) Trashman

One Answer:

1

As you may have seen, it looks like Wireshark MODBUS/UDP support was added and then removed some time later two times. (I didn't dig further to determine the exact Wireshark versions which included the support).

As you've noted, there's no support for MODBUS/UDP or MODBUS "decode as" over UDP in the current Wireshark 1.10 & newer. I believe the bug comment you saw meant only that "decode as" to support MODBUS/UDP could be implemented if needed.

So: there's no workaround to dissect MODBUS/UDP with the current Wireshark.

If you like, you can submit an "enhancement request" at bugs.wireshark.org making the case to again add MODBUS/UDP support to Wireshark.

answered 07 May '14, 20:41

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

Hello, I have the same problem. We use Modbus UDP. I also use the old portable Version to make analysis from our Network, because the new Version doesn´t support Modbus UDP. Why is it not supported now ? Is it planned to support it again in the next version ?

(27 May '14, 01:46) Genesis

See the answer provided by @Bill Meier above.

(27 May '14, 02:06) grahamb ♦