[ 
https://bro-tracker.atlassian.net/browse/BIT-875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Vlad Grigorescu updated BIT-875:
--------------------------------
    Labels: Modbus REF analyzer offset  (was: Modbus REF analyser, offset)

> Modbus REF parameter
> --------------------
>
>                 Key: BIT-875
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-875
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dina
>              Labels: Modbus, REF, analyzer, offset
>             Fix For: 2.5
>
>
> By the Modbus specification, different FCs implicitly use different parts of the
> PLC memory. Looking at the wire only, we do not see this. I think it would be
> useful to include this knowledge about where the specific data from a
> packet is supposed to be written in the logs immediately.
> For example, fc=3,6,16 work with PLC memory addresses that are >40000, fc=4
> works with values 30000-40000. On the wire we only see the REF parameter, which
> is typically 0-10000 (so it's a 'local' offset), thus we do not see the memory
> offset there. This part is implemented in the client by adding different
> offsets to the REF value in each packet (e.g., if fc=3,6,16, use offset
> 40000, so real_ref=40000+ref). I used these offsets to make logs in the .bro
> script in my branch.
> This division of 10000 addresses is something I see as a practice on forums and
> some unofficial manuals, but it's not defined in the specification. I assume
> that, based on PLC capacity, there could be a different kind of division
> between different parts of the memory map.
> I suggest that we make a configuration file that defines the division of PLC
> memory space and which offsets specific FCs use. As a default, we can put
> this division, which I see as common practice. In specific cases, users can
> change that config file to do proper remapping.
> Seth, you can find a bit more about this division (and exact offsets per
> each FC) here: http://www.simplymodbus.ca/faq.htm



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-02-259#70102)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
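
The remapping proposed in the issue above, sketched as an added example; it is not code from the original message, the reporter's branch or the Bro project. The "fc = offset" config format, the function names and the sample frames are assumptions made for illustration, and only the offsets the issue states are included.

```python
import struct

# Hypothetical config format "fc = offset". The defaults are the division the
# issue describes; function codes not listed stay unmapped.
DEFAULT_MAP = """
3  = 40000   # fc=3,6,16 use offset 40000
6  = 40000
16 = 40000
4  = 30000   # fc=4 works with 30000-40000
"""

def load_offsets(text):
    """Parse 'fc = offset' lines into {function_code: offset}."""
    offsets = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fc, offset = (int(part) for part in line.split("="))
            offsets[fc] = offset
    return offsets

def real_ref(adu, offsets):
    """Return (fc, ref, real_ref) for a Modbus/TCP request ADU.

    ref and real_ref are None when the function code has no configured offset.
    Requests only: responses carry the same FC but no REF field.
    """
    if len(adu) < 8:
        raise ValueError("ADU too short for MBAP header and function code")
    _tid, proto, length, _unit, fc = struct.unpack(">HHHBB", adu[:8])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("malformed MBAP header")
    if fc not in offsets:
        return fc, None, None
    if len(adu) < 10:
        raise ValueError("request PDU has no REF field")
    (ref,) = struct.unpack(">H", adu[8:10])
    return fc, ref, offsets[fc] + ref  # real_ref = offset + ref, as in the issue

# Constructed sample requests (MBAP header + PDU), not captured traffic.
SAMPLES = [bytes.fromhex(h) for h in (
    "0001000000060103006b0003",            # fc=3, REF=107
    "000200000006010400080001",            # fc=4, REF=8
    "00030000000b01100001000204000a0102",  # fc=16, REF=1
    "000400000006010100130025",            # fc=1, no offset configured
)]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(real_ref(sample, load_offsets(DEFAULT_MAP)))
```

A site whose PLC divides its memory differently would change only the config text, which is the point of keeping the offsets out of the analyzer logic.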
