0

Response times = delta times after reordering (sorting) the row values.

Does anyone know how to display delta times between packets (line after line) BUT even after ordering rows by some column (so the delta times will be updated after the reorder)?

I'm doing some testing with multiple Modbus TCP/IP connections and I'm interested in response times I'm getting from some devices. I see and can identify those responses in Wireshark but I cannot clearly see the response times. What I'm doing is ordering packets by tcp.stream and timestamps to have a clear view of every request -> response entries. So stream by stream (device by device), one line is a request, another one is a response (and so on). The problem is when you use ordering, neither Delta Time displayed nor Delta Time will show the actual delta time between response/request as ordering by stream won't update those delta time values. Without ordering though, my current delta times are incorrect as I have multiple Modbus devices so request/response packets are mixed because all those devices are communicating at the same time. That's why I have to order rows by tcp.stream.

I've found TCPextend lua file which adds another delta column but this one shows "time since the previous packet was transmitted from the same source" so now I see "request+response" times while I only care about response times. I know I can use, for example, Excel for this but I would really want to have it working in Wireshark.

Thanks for any help!

pcm
asked 2019-02-16 12:38:43 +0000, updated 2019-02-17 20:54:45 +0000

Comments

So is what you really want the time between a Modbus request and the reply to that request, and the Modbus dissector isn't displaying that, so you're using the delta time column for that, instead?

Guy Harris (2019-02-16 21:27:43 +0000)

Yes, correct.

pcm (2019-02-17 20:12:07 +0000)

3 Answers

1

OK, I've just checked in a change to, for Modbus reply packets, give the time difference between the matching request and the reply. It shows up right after the frame number of the packet containing the matching request; the field name is "modbus.response_time", and you can make it a custom column so it shows up as a column.

It will be available in Wireshark 3.0; if you want to experiment with it, you can go to the "Go Spelunking" section of the Wireshark download page, select one of the download sites (3 in Europe, 2 in Asia, 3 in the US), go to "automated", and select:

  • win32 for 32-bit Windows;
  • win64 for 64-bit Windows;
  • osx for macOS;
  • src for the source code, which you'll need to compile for other platforms (Linux, *BSD, Solaris, etc.).

Pick one of the "wireshark-3.0.0rc1" files - choose the newest one. These are "release candidate" builds, and may have issues (the first announced release candidate had some macOS issues that needed to be fixed, for example). Report any problems on the Wireshark Bugzilla.

If the request/response time information there solves the underlying problem you're trying to solve, let us know.

Guy Harris
answered 2019-02-17 04:18:01 +0000

Comments

That's amazing. Thank you Guy, that will be really helpful. I did a check of your change with some random modbus pcap and it seems it's doing the job. I'll do some real testing tomorrow with our data.

pcm (2019-02-17 20:26:16 +0000)
0

Your description is a little confusing. Have you tried filtering by tcp stream, tcp.stream eq xxx where xxx is the stream number of interest, and then ordering by frame No. (the default) and adding a column for the time delta from previous displayed frame? The filter will restrict the display to a particular device (assuming one stream per device), and then the delta between displayed frames should be correct.

grahamb
answered 2019-02-16 21:49:30 +0000

Comments

Thanks. It is a solution, you're correct. However it's not that handy with a larger number of devices (=streams) you want to check.

pcm (2019-02-17 20:27:22 +0000)

In that case I would use tshark, the command line version of Wireshark and automate via some scripting.

grahamb (2019-02-18 09:54:55 +0000)
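
An added example (not part of the original thread, and not code from grahamb or the Wireshark project) of the tshark-plus-scripting approach suggested above: it pairs each Modbus/TCP request with its response inside the same TCP stream by transaction ID and reports the response time. The sample rows are constructed, and treating destination port 502 as "this is a request" is an assumption.

```python
import csv
from decimal import Decimal

# Constructed sample (not real capture data) in the shape printed by:
#   tshark -r capture.pcap -Y mbtcp -T fields -E separator=, \
#     -e tcp.stream -e frame.time_epoch -e tcp.dstport -e mbtcp.trans_id
SAMPLE = """\
0,1550320000.000000,502,1
1,1550320000.010000,502,1
0,1550320000.025000,49152,1
1,1550320000.090000,49153,1
0,1550320001.000000,502,2
1,1550320001.010000,502,2
0,1550320001.030000,49152,2
2,1550320001.500000,49154,7
"""

MODBUS_PORT = 502  # assumption: devices listen on the default Modbus/TCP port


def response_times(lines, server_port=MODBUS_PORT):
    """Return ({stream: [(trans_id, seconds), ...]}, [unanswered (stream, trans_id)])."""
    pending = {}  # (stream, trans_id) -> timestamp of the outstanding request
    times = {}
    for row in csv.reader(lines):
        if len(row) != 4 or not all(row):
            continue  # e.g. several Modbus PDUs in one frame; needs separate handling
        stream, trans_id = int(row[0]), int(row[3])
        ts, dst_port = Decimal(row[1]), int(row[2])
        key = (stream, trans_id)
        if dst_port == server_port:
            # Request: keep the earliest timestamp if the same ID is seen twice.
            pending.setdefault(key, ts)
        elif key in pending:
            # Response matched to its request within the same TCP stream.
            times.setdefault(stream, []).append((trans_id, ts - pending.pop(key)))
        # A response with no recorded request (capture started late) is ignored.
    return times, sorted(pending)


if __name__ == "__main__":
    per_stream, unanswered = response_times(SAMPLE.splitlines())
    for stream, pairs in sorted(per_stream.items()):
        for trans_id, delta in pairs:
            print(f"stream {stream} trans_id {trans_id}: {delta * 1000:.1f} ms")
    print("unanswered:", unanswered)
```

From Wireshark 3.0 onward, the "modbus.response_time" field described in Guy Harris's answer can be exported with `-e` instead of computing the difference in a script.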
0

It's not in Wireshark, but I think you are trying to do the same thing as here?

I don't think Wireshark has any built in tool to analyse Modbus in this way.

Bob Jones
answered 2019-02-16 17:49:32 +0000

Comments

Thanks. Yes, I know that it would be very easy with another tool. I don't work too much with networking so sticking to freeware Wireshark would be the best option for me.

pcm (2019-02-17 20:28:54 +0000)