
Capturing Modbus RTU traffic with a USB-to-RS-485 converter


Hi, I am trying to use Wireshark 3.0.6 to decode Modbus RTU frames using a USB to RS-485 converter.

What I want is to analyze the Modbus RTU frames that pass on the RS-485 between a Master and a Slave. The USB converter is connected to a laptop with Wireshark.

Sometimes some Modbus RTU frames appear in the Wireshark capture, but they seem completely wrong.

Could someone with experience with Modbus RTU capture in Wireshark help me find the right setup?

ABO
asked 2019-10-30 21:08:06 +0000
Guy Harris
updated 2019-10-31 02:03:16 +0000

Comments

Presumably the USB-to-RS-485 converter appears as a serial port (COM: port on Windows, /dev/ttyXX port on UN*Xes such as Linux, *BSD, and macOS). What program is reading the frames from the serial port? Wireshark doesn't have built-in support for doing that.

Guy Harris (2019-10-31 02:02:40 +0000)

Hi Guy, yes, I am using it under Windows (COM port). So, I need to have another program in parallel with Wireshark to read the frames on the serial port? Which program can I use?

I have now used Modbuspoll to communicate with the Modbus slave and am trying to sniff the messages with Wireshark. The same result. The decoding of the Modbus messages looks wrong: it decodes a lot of CRC errors.

Guy, could you help me to obtain what I want? I would like to use Wireshark as a Modbus RS-485 analyzer of the Modbus traffic on the bus. Is there a way with Wireshark?

ABO (2019-10-31 08:30:37 +0000)

I can't help with a Wireshark solution to your problem, but over in the automation world debugging serial communications comes up often:

http://www.plctalk.net/qanda/showthread.php?t=48875&highlight=modbus+rtu

The link contains several ideas on software to help with this type of analysis.

Bob Jones (2019-10-31 12:25:21 +0000)

> So, I need to have another program in parallel with Wireshark to read the frames on the serial port?

Yes. Wireshark does not include any code to read any type of packets directly from a serial port, so if you're capturing Modbus frames on a COM port, you must already have installed some other program to do so - what program have you already installed?

> Which program can I use?

What program are you using now? As I said, you can't do it using only Wireshark, so you must have added some other program.

> I have now used Modbuspoll to communicate with the Modbus slave and am trying to sniff the messages with Wireshark.

By "Modbuspoll" do you mean "Modbus poll" or do you mean something else?

And how are you "trying to sniff the messages with Wireshark"? Are you capturing on a device in Wireshark? If so, what device are ...

Guy Harris (2019-10-31 15:50:43 +0000)

> Yes. Wireshark does not include any code to read any type of packets directly from a serial port, so if you're capturing Modbus frames on a COM port, you must already have installed some other program to do so - what program have you already installed?

Do you mean that I have to forget Wireshark for this purpose? Or that I also need to use some other program to permit Wireshark to do its work? What is not clear to me until now is whether Wireshark can or cannot sniff Modbus messages.

> By "Modbuspoll" do you mean "Modbus poll" or do you mean something else?

Yes, I use "Modbus poll". But it is not what I want. Modbus poll can communicate as a Master or Slave device. What I want is only to sniff the Modbus messages on the bus without the computer taking action on the bus.

If so ...

ABO (2019-10-31 19:12:22 +0000)

1 Answer


Wireshark can dissect Modbus messages when they are transported over IP networks, and a convenient, but not free, way to do this is via an Ethernet to Serial device, e.g. this Lantronix adaptor.

Using a device such as this, which creates a virtual serial port on the Modbus "Master", the master communicates over IP to the adaptor which is then connected to the RS-485 bus. Wireshark can be run on the master to capture the traffic and dissect it. I do this several times a week.

If you just want to "sniff" the data on the RS-485 bus then both external hardware and software will be required. If suitable hardware could be located (commercial or even better open hardware) then the Wireshark extcap interface could be used to feed the traffic into Wireshark.

grahamb
answered 2019-11-03 11:29:27 +0000

Comments

> If suitable hardware could be located (commercial or even better open hardware) then the Wireshark extcap interface could be used to feed the traffic into Wireshark.

That would either require that the extcap program wrap the Modbus frames inside UDP-over-IP and use LINKTYPE_RAW as the link-layer type or that a new LINKTYPE_/DLT_ value be assigned for Modbus RTU.

Guy Harris (2019-11-03 18:47:48 +0000)
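
The first option in the comment above (Modbus RTU frames wrapped in UDP-over-IP and written with LINKTYPE_RAW) can look like this, with a Modbus CRC-16 check that helps tell mis-framed serial reads from genuinely corrupted traffic. This is an added example, not code from the thread or from Wireshark: the function names, the 192.0.2.x addresses, UDP port 50200 and the sample frames are constructed placeholders, and the frames are assumed to arrive already delimited from whatever program reads the serial port.

```python
import struct

LINKTYPE_RAW = 101   # pcap link type: each packet starts at the IPv4/IPv6 header
UDP_PORT = 50200     # constructed placeholder port, not a registered Modbus port

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def crc_ok(frame: bytes) -> bool:
    """An RTU frame ends with its CRC, low byte first."""
    return len(frame) >= 4 and crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def ip_checksum(header: bytes) -> int:
    """One's-complement sum over the ten 16-bit words of a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def wrap_udp_ipv4(frame: bytes, src="192.0.2.1", dst="192.0.2.2") -> bytes:
    """Wrap one RTU frame (address + PDU + CRC) in UDP over IPv4."""
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!4H", UDP_PORT, UDP_PORT, 8 + len(frame), 0) + frame
    addrs = bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + addrs
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + udp

def build_pcap(frames) -> bytes:
    """frames: iterable of (timestamp_seconds: float, rtu_frame: bytes)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for ts, frame in frames:
        pkt = wrap_udp_ipv4(frame)
        out += struct.pack("<IIII", int(ts), int(ts % 1 * 1_000_000), len(pkt), len(pkt)) + pkt
    return out

# Constructed samples: a read-holding-registers request, and the same frame with one bit flipped.
GOOD = bytes.fromhex("010300000001840a")
BAD = bytes.fromhex("010300000001850a")

if __name__ == "__main__":
    for f in (GOOD, BAD):
        print(f.hex(), "CRC ok" if crc_ok(f) else "CRC error")
    with open("modbus_rtu.pcap", "wb") as fh:
        fh.write(build_pcap([(0.0, GOOD), (0.05, BAD)]))
```
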