Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

asked 2026-01-30 11:31:24 +0000

FrankF gravatar image

Modbus UDP versus TCP

When using Wireshark to capture Modbus TCP packets, it will detect and display if one TCP packet contains more than one query. This is correct according to the Modbus TCP specification, where the transaction ID in the header is used to identify each query.

But when using UDP instead of TCP, then Wireshark does not show if there are more than one Query in the packet. In the packet data, I can see that there are several queries, but Wireshark does not display this, as it does for the Modbus TCP.

Is this something that can be fixed in Wireshark?

Modbus UDP versus TCP

When using Wireshark to capture Modbus TCP packets, it will detect and display if one TCP packet contains more than one query. This is correct according to the Modbus TCP specification, where the transaction ID in the header is used to identify each query.

But when using UDP instead of TCP, then Wireshark does not show if there are more than one Query in the packet. In the packet data, I can see that there are several queries, but Wireshark does not display this, as it does for the Modbus TCP.

Is this something that can be fixed in Wireshark?

Here is a link to a wireshark log file, using modbus UDP.

[link text (https://github.com/fugledal/wireshark/blob/main/IPm8460_to_IPm6350_RapidFire_Modbus_TCP.pcapng)

Here is a link to a wireshark log file, using modbus TCP

[link text] (https://github.com/fugledal/wireshark/blob/main/IPm8460_to_IPm6350_RapidFire_Modbus_TCP.pcapng)

Here is a link to the part of the modbus TCP implementation guide, with rule nr. 4 describing how this works.

[link text] (https://github.com/fugledal/wireshark/blob/main/Modbus%20Rapidfire%20.jpg)

click to hide/show revision 3
None

updated 2026-02-04 20:22:44 +0000

Chuckc gravatar image

Modbus UDP versus TCP

When using Wireshark to capture Modbus TCP packets, it will detect and display if one TCP packet contains more than one query. This is correct according to the Modbus TCP specification, where the transaction ID in the header is used to identify each query.

But when using UDP instead of TCP, then Wireshark does not show if there are more than one Query in the packet. In the packet data, I can see that there are several queries, but Wireshark does not display this, as it does for the Modbus TCP.

Is this something that can be fixed in Wireshark?

Here is a link to a wireshark log file, using modbus UDP.

[link text (https://github.com/fugledal/wireshark/blob/main/IPm8460_to_IPm6350_RapidFire_Modbus_TCP.pcapng)IPm8460_to_IPm6350_RapidFire_Modbus_UDP.pcapng

Here is a link to a wireshark log file, using modbus TCP

[link text] (https://github.com/fugledal/wireshark/blob/main/IPm8460_to_IPm6350_RapidFire_Modbus_TCP.pcapng)IPm8460_to_IPm6350_RapidFire_Modbus_TCP.pcapng

Here is a link to the part of the modbus TCP implementation guide, with rule nr. 4 describing how this works.

[link text] (https://github.com/fugledal/wireshark/blob/main/Modbus%20Rapidfire%20.jpg)Modbus Rapidfire.jpg