On Mar 12, 2008, at 3:46 PM, Niko Kozobolidis wrote: > Dear Wireshark-users: > > Our Nicaraguan non-profit development organization is in the process > of trying to determine a operator panel periodic freeze. This > operator panel receives instructions from a controller. The > operating panel and controller automate the operations of a 930 kW > small hydro plant that provides electricity to a number of rural > towns and villages. > > The representative of the control system in Finland indicates that > we should tap directly into the cable that sends data back and forth > between the AC800M controller and the 235 Operator Panel. This is a > special cable that has a female 9-pin RS-232 plug on one end and an > RJ-45 male plug on the other end. A direct serial connection. How > can one capture Modbus traffic or in other words obtain a trace file > from this serial connection? > > The control system representative also says that the software must > support MODBUS protocol. When you open the Wireshark main page, > and drop-down the HELP menu, there is a part of the HELP that gives > a list of 911 protocols and packet types supported by Wireshark. > On this list we find MODBUS/TCP but not MODBUS. The > representative from Finland thinks that MODBUS is different from > MODBUS/TCP, and that we need Wireshark to support the MODBUS > protocol to analyze the AC800M-to-Operator Panel traffic. Is Modbus/ > Tcp different from Modbus and if so can wireshark capture traffic in > the Modbus protocol or possibly translate from one protocol to the > other?
Well: http://en.wikipedia.org/wiki/Modbus "For serial connections, two variants exist, with different representations of numerical data and slightly different protocol details. Modbus RTU is a compact, binary representation of the data. Modbus ASCII is human readable, and more verbose. Both of these variants use serial communication. The RTU format follows the commands/ data with a cyclic redundancy check checksum, while the ASCII format uses a longitudinal redundancy check checksum. Nodes configured for the RTU variant will not communicate with nodes set for ASCII, and the reverse. For connections over TCP/IP (e.g. Ethernet), the more recent variant Modbus/TCP exists. It is easier to implement than Modbus/ASCII or Modbus/RTU because it does not require a checksum calculation." Following links from there to http://www.modbus.org/ and then looking for the documentation, there's http://www.modbus.org/docs/PI_MBUS_300.pdf for an older specification for Modbus-over-serial-line, describing both ASCII and RTU, http://www.modbus.org/docs/Modbus_over_serial_line_V1_02.pdf for a newer specification, also describing both ASCII and RTU, and http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf for Modbus/TCP. If the application-layer portion of the protocol is the same for Modbus-over-serial and Modbus-over-TCP, most of Wireshark's dissection code could be used for both, although we might have to split the dissector up. However, the lowest layers transporting the application- layer PDUs are different, so, yes, "MODBUS" (by which I assume the representative from Finland means Modbus-over-serial, given that the device uses a serial connection) is different from Modbus-over-TCP. It appears that Modbus-over-serial uses standard asynchronous communication, with either 1) 8 bits plus a parity bit, 1 stop bit or 2) 8 bits without a parity bit, 2 stop bits so a standard computer's serial port hardware could handle it if it supports whatever the baud rate is for the controller. The framing for RTU mode is done with "silent times" on the serial line, which means software to capture those packets would have to look for those silent times to decide when a frame was done. For ASCII mode, a frame is terminated by a CR-LF pair. In theory, somebody could: get DLT_MODBUS_ASCII and/or DLT_MODBUS_RTU DLT_ values from tcpdump.org; write code to read Modbus packets from a serial line and supply them as DLT_MODBUS_ASCII or DLT_MODBUS_RTU, and add that to the libpcap/ WinPcap library; add support for DLT_MODBUS_ASCII and/or DLT_MODBUS_RTU to Wireshark, and build a version of Wireshark and run it using the modified version of libpcap/WinPcap; in which case if you were able to put a serial line tap of some sort on the serial line in question, you would be able to sniff the Modbus traffic in Wireshark. However, that would, as Jaap noted, not be an off-the-shelf solution. Searching for modbus analyzer in Google found some items such as http://www.commfront.com/RS232_Protocol_Analyzer_Monitor/Modbus-Control-Protocol-Analyzer.htm and http://www.modbus.org/viewdevice.php?id=453 and http://www.imperioustech.com/Pricing.html so it sounds as if off-the-shelf solutions exist. _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users