I am using Wireshark to analyze Modbus data exchanged between a device and my PC. When I use the Modbus "MODICON FLT" preference I can see the floating point parameter I need (i.e. Register 5523). It has the value 1234.900635 in the image below. How can I export this parameter many times over to make a time plot? asked 24 Feb '17, 12:23 bmain57
One Answer:
This is probably better handled with …

However, if you only want the value for register 5523, then I think this is only possible if there are always a fixed number of …

Windows: …

*nix: …

… where … (You can add other fields as well, such as Frame number, time, etc., if you like.) Run … If you redirect the output to a file, you should be able to import it into another program (such as your favorite spreadsheet program), so that you can plot the values.

answered 24 Feb '17, 13:52 cmaynard ♦♦
I really appreciate the time you spend giving me such a detailed response. And it works great for listing the register numbers. What I want, however, is the value of the register (in the example above, register 5523 has the value 1234.900635). I am writing a more detailed response to your answer in my "answer" below since it allows images.
I really appreciate your answer above! And it works great for listing the register numbers. When I use your first solution:
tshark -r modbusTrace.pcapng -Y "modbus.reg32" -T fields -e modbus.reg32 > test1.csv
I get all the register numbers. The image below shows a small piece of the test1.csv output file:
It is really interesting that when I run your second solution, I get the vertical column of this table that matches the number "N". So if I use N=20:
tshark.exe -r modbusTrace.pcapng -Y "modbus.reg32" -o "gui.column.format:\"Register 5523\",\"%Cus:modbus.reg32:20\"" > test2.csv
I get just the 20th vertical column of the above table:
Now what I am really looking for is the value of a particular register, not the register number. For example, register 5523 has the value of 1234.900635
Is there a tshark command that will allow me to get that?
And I want to thank you so much for your previous response. Even though it didn't give me the exact parameter I wanted, I am learning more from your short comments than from scouring manuals for hours.
What version of Wireshark are you using? Also, maybe you could post a small capture file (even one with a single packet should suffice) so folks can see exactly which field it is that you're interested in and how best to retrieve it.
I am using Wireshark 2.2.0 on Win7 64 bit. I would like to upload my trace file; how do I upload a file on this site? (Also, in my original question above I do have an image of the Wireshark GUI which shows the register I am trying to get.)
You can share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.
Edit your question with a link to the file.
OK, my sample trace is here: https://www.cloudshark.org/captures/cf81fdc7e257
OK, well with older versions of Wireshark (such as 1.12.13), you could do this:
I don't know how to achieve this same thing using newer versions of Wireshark, such as the version you're using. It seems that you can now only display the modbus.reg32 value. This looks like a bug to me.

I installed Wireshark 1.12.13 and ran the command you suggested, however I get the error message: tshark: Invalid -o flag "mbtcp.mbus_register_format:"
I just tried the command again and it worked. Can you post your entire command?
tshark.exe -r modbusTrace.pcapng -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format: "MODICON FLT" -o gui.column.format: "Register 5523","%Cus:modbus.register.modicon_float:143" > test5.csv
mbtcp.mbus_register_format: "MODICON FLT"
You have a space between the colon and the quote character. Try again with no space.
Here is the Command Line capture of the error:
C:\Users\bmain\Documents\Ansel\SSMM\PWM_SporaticError>tshark.exe -r modbusTrace. pcapng -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format: "MODICO N FLT" -o gui.column.format: "Register 5523","%Cus:modbus.register.modicon_float :143" > test5.csv
(tshark.exe:17620): WARNING : No such preference "modbus.mbus_register_form at" at line 3131 of C:\Users\bmain\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning) tshark: Invalid -o flag "mbtcp.mbus_register_format:"
mbtcp.mbus_register_format: "MODICO N FLT"
Once again, you have a space between the colon and quote. Try removing it. And you seem to have added a space where it doesn't belong. It's not "MODICO N FLT" but "MODICON FLT".

Since you seem to be having trouble with that command-line option, you can omit it if you've already set the preference in Wireshark. I merely added it to the command-line so it would always override whatever setting you might have had in Wireshark.
I fixed my spacing but now get a new error:
C:\Users\bmain\Documents\Ansel\SSMM\PWM_SporaticError>tshark.exe -r modbusTrace. pcapng -Y "modbus.register.modicon_float" -o mbtcp.mbus_register_format:"MODICON FLT" -o gui.column.format:"Register 5523","%Cus:modbus.register.modicon_float:1 43" > test5.csv
(tshark.exe:13608): WARNING : No such preference "modbus.mbus_register_form at" at line 3131 of C:\Users\bmain\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning)
C:\Users\bmain\Documents\Ansel\SSMM\PWM_SporaticError>
Line 3131 is the last line of the sequence below.
Register Format
One of: UINT16 , INT16 , UINT32 , INT32 , IEEE FLT , MODICON FLT
(case-insensitive).
modbus.mbus_register_format: MODICON FLT
I also noticed that my preference file header says version 2.2.0 even though I uninstalled that version and installed 1.12.13 as you suggested earlier.
Try again, line 3131 of preferences:
Register Format
One of: UINT16 , INT16 , UINT32 , INT32 , IEEE FLT , MODICON FLT
(case-insensitive).
modbus.mbus_register_format: MODICON FLT
In my previous post I forgot to strip off the pound signs from the pref file text:
Register Format
One of: UINT16 , INT16 , UINT32 , INT32 , IEEE FLT , MODICON FLT
(case-insensitive).
modbus.mbus_register_format: MODICON FLT
Can you upload your AppData\Roaming\Wireshark\preferences file for me if this is the issue?
So tshark is just warning you of an unknown preference, namely modbus.mbus_register_format. It's just a warning though. Did you look at the contents of your test5.csv file? It should contain the information you're after.

If you want to eliminate the warning, you can do as instructed and save your preferences file from Wireshark. When you do that, Wireshark should remove all unknown preferences. Another option is to simply rename your preferences file (e.g., preferences-2.2.0) and the next time you run the tshark command, tshark will use default preferences except for any you specify on the command-line.

Ideally this could be solved using Wireshark 2.2.x though. Perhaps it can be and I'm just missing something myself, but if it can't be, then a bug report should be opened because this seems like a regression to me. You shouldn't have to downgrade Wireshark to solve this problem. Wireshark bugs can be filed at https://bugs.wireshark.org/bugzilla/.
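A version-independent way to get the same time series, added here as an example and not part of the thread or of Wireshark itself: instead of relying on whichever modbus.* field a given release exposes, export the raw Modbus/TCP bytes (tshark -T fields -e frame.time_epoch -e tcp.payload, which every version supports) and decode register 5523 yourself. The script below parses the MBAP header and the FC 3 request/response pair, pairs them by transaction id, and reads the two 16-bit words as a Modicon float. It assumes, since the thread does not say so, that "MODICON FLT" is the IEEE 754 single with its two words swapped (low word in the lower-numbered register), that register numbers are raw protocol addresses with no offset, and the sample lines in SAMPLE_LINES are constructed for this example, not taken from the poster's capture.

```python
"""Decode one Modicon-format float register into a (time, value) series from
the raw Modbus/TCP bytes tshark can always export with -e tcp.payload.

Added example for this thread; not the poster's or Wireshark's code.
Assumptions not stated in the thread:
  * each input line is "<frame.time_epoch>\t<tcp.payload hex>", as produced by
      tshark -r modbusTrace.pcapng -Y mbtcp -T fields -e frame.time_epoch -e tcp.payload
    (hex with or without ':' separators is accepted);
  * "MODICON FLT" is the IEEE 754 single with its two 16-bit words swapped
    (low word in the lower-numbered register), the common Modicon convention;
  * register numbers are raw protocol addresses, with no +1 or +40001 offset.
SAMPLE_LINES below are constructed for this example, not taken from the capture.
"""
import struct

FC_READ_HOLDING = 0x03

# Constructed sample: two FC 3 exchanges reading 12 registers from 5520, so
# register 5523 is word index 3; the third exchange gets a Modbus exception.
SAMPLE_LINES = [
    "1487968452.000123\t00010000000601031590000c",
    "1487968452.004321\t00:01:00:00:00:1b:01:03:18:00:00:00:00:00:00:5c:d2:44:9a:"
    "00:00:00:00:00:00:00:00:00:00:00:00:00:00",
    "1487968453.000456\t00020000000601031590000c",
    "1487968453.004654\t00020000001b010318" + "0000" * 3 + "6000449a" + "0000" * 7,
    "1487968454.000789\t00030000000601031590000c",
    "1487968454.004987\t000300000003018302",
]


def parse_frame(raw: bytes):
    """Split a Modbus/TCP frame into (transaction_id, unit_id, pdu), checking the MBAP header."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    pdu = raw[7:]
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(pdu) + 1:          # length field covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return tid, unit, pdu


def parse_read_request(pdu: bytes):
    """FC 3 request -> (start_address, quantity)."""
    fc, start, qty = struct.unpack(">BHH", pdu[:5])
    if fc != FC_READ_HOLDING:
        raise ValueError(f"not a read-holding-registers request (fc={fc})")
    if not 1 <= qty <= 125:             # spec limit for FC 3
        raise ValueError(f"quantity {qty} out of range")
    return start, qty


def parse_read_response(pdu: bytes, qty: int):
    """FC 3 response -> list of 16-bit words; raises on a Modbus exception."""
    if len(pdu) < 2:
        raise ValueError("response PDU too short")
    fc, byte_count = pdu[0], pdu[1]
    if fc == FC_READ_HOLDING | 0x80:   # exception response: fc with high bit set, then exception code
        raise ValueError(f"Modbus exception code 0x{byte_count:02x}")
    if fc != FC_READ_HOLDING or byte_count != 2 * qty or len(pdu) != 2 + byte_count:
        raise ValueError("malformed read-holding-registers response")
    return list(struct.unpack(f">{qty}H", pdu[2:]))


def modicon_float(words, index):
    """Decode words[index], words[index+1] as a word-swapped IEEE 754 single (assumed MODICON FLT)."""
    lo, hi = words[index], words[index + 1]
    return struct.unpack(">f", struct.pack(">HH", hi, lo))[0]


def ieee_float(words, index):
    """The same two words in plain big-endian ("IEEE FLT") order, to show the word-order pitfall."""
    return struct.unpack(">f", struct.pack(">HH", words[index], words[index + 1]))[0]


def register_series(lines, register, decode=modicon_float):
    """Pair each FC 3 request with its response by transaction id and return
    [(time_epoch, value)] for `register` whenever the response covers both of its words."""
    pending = {}                        # tid -> (start, qty)
    series = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        t_str, hex_str = line.split("\t", 1)
        tid, _unit, pdu = parse_frame(bytes.fromhex(hex_str.replace(":", "")))
        if len(pdu) == 5 and pdu[0] == FC_READ_HOLDING:   # a request is always 5 bytes
            pending[tid] = parse_read_request(pdu)
            continue
        if tid not in pending:          # response with no matching request: ignore
            continue
        start, qty = pending.pop(tid)
        try:
            words = parse_read_response(pdu, qty)
        except ValueError:              # exception or malformed response: no sample
            continue
        index = register - start
        if 0 <= index and index + 1 < qty:                 # a float spans two registers
            series.append((float(t_str), decode(words, index)))
    return series


if __name__ == "__main__":
    import sys
    for t, v in register_series(sys.stdin, 5523):   # CSV on stdout: time,value
        print(f"{t:.6f},{v:.6f}")
```

Usage: `tshark -r modbusTrace.pcapng -Y mbtcp -T fields -e frame.time_epoch -e tcp.payload | python3 modicon_series.py > reg5523.csv`, then plot the CSV in a spreadsheet. Reading the same two words as "IEEE FLT" instead of "MODICON FLT" yields a wildly wrong number, which is the quickest sanity check that the word-order assumption matches the device.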
Yes, test5.csv does have the data!! Thanks for your patience in solving this issue. I am so relieved. I have requested a bugzilla login so I can submit the bug. By the way, while I am waiting for the fix, can I run two different versions of Wireshark on the same win7 computer? It seems like multiple versions will share the same preferences file and thus lead to some confusion (like the warning I was getting earlier).
can I run two different versions of Wireshark on the same win7 computer?
It should be possible, although only one of them can be associated with .pcap files though, and only one of them will take precedence if the installation directory is added to the %PATH%. But try installing the 2 versions in different locations to find out.
Alternatively ...