First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How can I verify if a Modbus TCP connection is being properly closed?

We are troubleshooting a possible problem where a Modbus TCP client is supposedly not closing Modbus TCP connections with the Modbus Master, and after a while the Modbus master rejects any further attemps for TCP connections. The thing is, that we do not know which TCP client might be the culprit.

What would be the proper way to capture and filter TCP flows between two hostos to verify if the Modbus TCP connections are being properly closed (and thus not left "hanging" using up resources)? Not sure if this can be done with the "conversation" feature or some other way?

Tank you in advance for any advice you can provide.

frank66's avatar
1
frank66
asked 2023-08-02 23:18:50 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Chuck, thank you for the input, very useful indeed.

The TCP completness analysis has allowed us to identify a device in our network that is generating a lot of incomplete TCP connections that I think are causing this problem. I might add that the troublesome device is a Teltonika 4G router that is reading Modbus TCP holding registers and is generating a lot of incomplete TCP connections that can be filtered with the ´tcp.completeness==30´ view filter that basically shows you anytime a TCP connection is not properly closed or completed. Additional info about this can be found here: https://www.qacafe.com/resources/abou...

When we use a Node-Red simulator with the exact same Modbus poll sent by the router, we see no failures, so I think we have found the problem. Thank you Wireshark.

frank66's avatar frank66 (2023-08-03 02:30:39 +0000) edit
more
  • delete
add a comment see more comments

1 Answer

0

Can you do it with TCP Conversation Completeness?
See 7.5. TCP Analysis in the WSUG (Wireshark User’s Guide).

Chuckc's avatar
3k
Chuckc
answered 2023-08-03 00:34:20 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Chuck, thank you for the input, very useful indeed.

The TCP completness analysis has allowed us to identify a device in our network that is generating a lot of incomplete TCP connections that I think are causing this problem. I might add that the troublesome device is a Teltonika 4G router that is reading Modbus TCP holding registers and is generating a lot of incomplete TCP connections that can be filtered with the ´tcp.completeness==30´ view filter that basically shows you anytime a TCP connection is not properly closed or completed.

Additional info about this type of analysis can be found here (very straight-forward and easy to understand): [https://www.qacafe.com/resources/abou...]

When we use a Node-Red simulator with the exact same Modbus poll sent by the router, we see no failures, so I think we have found the problem. Thank you Wireshark.

frank66's avatar frank66 (2023-08-03 02:33:55 +0000) edit
more
  • delete

30 is an even number and if there is a SYN then completeness should be odd.
You might want to try a development build which would include 10686: TCP: Conversation Completeness wrong value for some protocols

Chuckc's avatar Chuckc (2023-08-03 03:16:45 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer