2 * Routines for Modbus/TCP and Modbus/UDP dissection
3 * By Riaan Swart <rswart@cs.sun.ac.za>
4 * Copyright 2001, Institute for Applied Computer Science
5 * University of Stellenbosch
7 * See http://www.modbus.org/ for information on Modbus/TCP.
9 * Updated to v1.1b of the Modbus Application Protocol specification
10 * Michael Mann * Copyright 2011
12 *****************************************************************************************************
13 * A brief explanation of the distinction between Modbus/TCP and Modbus RTU over TCP:
15 * Consider a Modbus poll message: Unit 01, Scan Holding Register Address 0 for 30 Registers
17 * The Modbus/TCP message structure will follow the pattern below:
18 * 00 00 00 00 00 06 01 03 00 00 00 1E
19 * AA AA BB BB CC CC DD EE FF FF GG GG
21 * A = 16-bit Transaction Identifier (typically increments, or is locked at zero)
22 * B = 16-bit Protocol Identifier (typically zero)
23 * C = 16-bit Length of data payload following (and inclusive of) the length byte
24 * D = 8-bit Unit / Slave ID
25 * E = 8-bit Modbus Function Code
26 * F = 16-bit Reference Number / Register Base Address
27 * G = 16-bit Word Count / Number of Registers to scan
29 * A identical Modbus RTU (or Modbus RTU over TCP) message will overlay partially with the msg above
30 * and contain 16-bit CRC at the end:
31 * 00 00 00 00 00 06 01 03 00 00 00 1E -- -- (Modbus/TCP message, repeated from above)
32 * -- -- -- -- -- -- 01 03 00 00 00 1E C5 C2 (Modbus RTU over TCP message, includes 16-bit CRC footer)
33 * AA AA BB BB CC CC DD EE FF FF GG GG HH HH
35 * A = Not present in Modbus RTU message
36 * B = Not present in Modbus RTU message
37 * C = Not present in Modbus RTU message
38 * D = 8-bit Unit / Slave ID
39 * E = 8-bit Modbus Function Code
40 * F = 16-bit Reference Number / Register Base Address
41 * G = 16-bit Word Count / Number of Registers to scan
44 *****************************************************************************************************
45 * Wireshark - Network traffic analyzer
46 * By Gerald Combs <gerald@wireshark.org>
47 * Copyright 1998 Gerald Combs
49 * This program is free software; you can redistribute it and/or
50 * modify it under the terms of the GNU General Public License
51 * as published by the Free Software Foundation; either version 2
52 * of the License, or (at your option) any later version.
54 * This program is distributed in the hope that it will be useful,
55 * but WITHOUT ANY WARRANTY; without even the implied warranty of
56 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
57 * GNU General Public License for more details.
59 * You should have received a copy of the GNU General Public License
60 * along with this program; if not, write to the Free Software
61 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
66 #include <epan/packet.h>
67 #include "packet-tcp.h"
68 #include "packet-mbtcp.h"
69 #include <epan/prefs.h>
70 #include <epan/prefs-int.h>
71 #include <epan/expert.h>
72 #include <epan/crc16-tvb.h> /* For CRC verification */
73 #include <epan/proto_data.h>
75 void proto_register_modbus(void);
76 void proto_reg_handoff_mbtcp(void);
77 void proto_reg_handoff_mbrtu(void);
79 /* Initialize the protocol and registered fields */
80 static int proto_mbtcp = -1;
81 static int proto_mbudp = -1;
82 static int proto_mbrtu = -1;
83 static int proto_modbus = -1;
84 static int hf_mbtcp_transid = -1;
85 static int hf_mbtcp_protid = -1;
86 static int hf_mbtcp_len = -1;
87 static int hf_mbtcp_unitid = -1;
88 static int hf_modbus_request_frame = -1;
89 static int hf_modbus_functioncode = -1;
90 static int hf_modbus_reference = -1;
91 static int hf_modbus_padding = -1;
92 static int hf_modbus_lreference = -1;
93 static int hf_modbus_reftype = -1;
94 static int hf_modbus_readref = -1;
95 static int hf_modbus_writeref = -1;
96 static int hf_modbus_wordcnt = -1;
97 static int hf_modbus_readwordcnt = -1;
98 static int hf_modbus_writewordcnt = -1;
99 static int hf_modbus_bytecnt = -1;
100 static int hf_modbus_lbytecnt = -1;
101 static int hf_modbus_bitcnt = -1;
102 static int hf_modbus_exceptioncode = -1;
103 static int hf_modbus_diag_sf = -1;
104 static int hf_modbus_diag_return_query_data_request = -1;
105 static int hf_modbus_diag_return_query_data_echo = -1;
106 static int hf_modbus_diag_restart_communication_option = -1;
107 static int hf_modbus_diag_return_diag_register = -1;
108 static int hf_modbus_diag_ascii_input_delimiter = -1;
109 static int hf_modbus_diag_clear_ctr_diag_reg = -1;
110 static int hf_modbus_diag_return_bus_message_count = -1;
111 static int hf_modbus_diag_return_bus_comm_error_count = -1;
112 static int hf_modbus_diag_return_bus_exception_error_count = -1;
113 static int hf_modbus_diag_return_slave_message_count = -1;
114 static int hf_modbus_diag_return_no_slave_response_count = -1;
115 static int hf_modbus_diag_return_slave_nak_count = -1;
116 static int hf_modbus_diag_return_slave_busy_count = -1;
117 static int hf_modbus_diag_return_bus_char_overrun_count = -1;
118 static int hf_modbus_status = -1;
119 static int hf_modbus_event = -1;
120 static int hf_modbus_event_count = -1;
121 static int hf_modbus_message_count = -1;
122 static int hf_modbus_event_recv_comm_err = -1;
123 static int hf_modbus_event_recv_char_over = -1;
124 static int hf_modbus_event_recv_lo_mode = -1;
125 static int hf_modbus_event_recv_broadcast = -1;
126 static int hf_modbus_event_send_read_ex = -1;
127 static int hf_modbus_event_send_slave_abort_ex = -1;
128 static int hf_modbus_event_send_slave_busy_ex = -1;
129 static int hf_modbus_event_send_slave_nak_ex = -1;
130 static int hf_modbus_event_send_write_timeout = -1;
131 static int hf_modbus_event_send_lo_mode = -1;
132 static int hf_modbus_andmask = -1;
133 static int hf_modbus_ormask = -1;
134 static int hf_modbus_data = -1;
135 static int hf_modbus_mei = -1;
136 static int hf_modbus_read_device_id = -1;
137 static int hf_modbus_object_id = -1;
138 static int hf_modbus_num_objects = -1;
139 static int hf_modbus_list_object_len = -1;
140 static int hf_modbus_conformity_level = -1;
141 static int hf_modbus_more_follows = -1;
142 static int hf_modbus_next_object_id = -1;
143 static int hf_modbus_object_str_value = -1;
144 static int hf_modbus_object_value = -1;
145 static int hf_modbus_reg16 = -1;
146 static int hf_modbus_reg32 = -1;
147 static int hf_mbrtu_unitid = -1;
148 static int hf_mbrtu_crc16 = -1;
149 static int hf_mbrtu_crc16_status = -1;
151 /* Initialize the subtree pointers */
152 static gint ett_mbtcp = -1;
153 static gint ett_mbrtu = -1;
154 static gint ett_modbus_hdr = -1;
155 static gint ett_group_hdr = -1;
156 static gint ett_events = -1;
157 static gint ett_events_recv = -1;
158 static gint ett_events_send = -1;
159 static gint ett_device_id_objects = -1;
160 static gint ett_device_id_object_items = -1;
162 static expert_field ei_mbrtu_crc16_incorrect = EI_INIT;
163 static expert_field ei_modbus_data_decode = EI_INIT;
164 static expert_field ei_mbtcp_cannot_classify = EI_INIT;
166 static dissector_handle_t modbus_handle;
167 static dissector_handle_t mbtcp_handle;
168 static dissector_handle_t mbudp_handle;
169 static dissector_handle_t mbrtu_handle;
171 static dissector_table_t modbus_data_dissector_table;
172 static dissector_table_t modbus_dissector_table;
175 /* Globals for Modbus/TCP Preferences */
176 static gboolean mbtcp_desegment = TRUE;
177 static guint global_mbus_tcp_port = PORT_MBTCP; /* Port 502, by default */
178 static guint global_mbus_udp_port = PORT_MBTCP; /* Port 502, by default */
180 /* Globals for Modbus RTU over TCP Preferences */
181 static gboolean mbrtu_desegment = TRUE;
182 static guint global_mbus_tcp_rtu_port = PORT_MBRTU; /* 0, by default */
183 static guint global_mbus_udp_rtu_port = PORT_MBRTU; /* 0, by default */
184 static gboolean mbrtu_crc = FALSE;
186 /* Globals for Modbus Preferences */
187 static gint global_mbus_register_format = MODBUS_PREF_REGISTER_FORMAT_UINT16;
190 classify_mbtcp_packet(packet_info *pinfo, guint port)
192 /* see if nature of packets can be derived from src/dst ports */
193 /* if so, return as found */
195 /* XXX Update Oct 2012 - It can be difficult to determine if a packet is a query or response; some way to track */
196 /* the Modbus/TCP transaction ID for each pair of messages would allow for detection based on a new seq. number. */
197 /* Otherwise, we can stick with this method; a configurable port option has been added to allow for usage of */
198 /* user ports either than the default of 502. */
199 if (( pinfo->srcport == port ) && ( pinfo->destport != port ))
200 return RESPONSE_PACKET;
201 if (( pinfo->srcport != port ) && ( pinfo->destport == port ))
204 /* else, cannot classify */
205 return CANNOT_CLASSIFY;
209 classify_mbrtu_packet(packet_info *pinfo, tvbuff_t *tvb, guint port)
213 func = tvb_get_guint8(tvb, 1);
214 len = tvb_reported_length(tvb);
216 /* see if nature of packets can be derived from src/dst ports */
217 /* if so, return as found */
218 if (( pinfo->srcport == port ) && ( pinfo->destport != port ))
219 return RESPONSE_PACKET;
220 if (( pinfo->srcport != port ) && ( pinfo->destport == port ))
224 /* We may not have an Ethernet header or unique ports. */
225 /* Dig into these a little deeper to try to guess the message type */
227 /* The 'exception' bit is set, so this is a response */
229 return RESPONSE_PACKET;
233 case READ_DISCRETE_INPUTS:
234 /* Only possible to get a response message of 8 bytes with Discrete or Coils */
236 /* If this is, in fact, a response then the data byte count will be 3 */
237 /* This will correctly identify all messages except for those that are discrete or coil polls */
238 /* where the base address range happens to have 0x03 in the upper 16-bit address register */
239 if (tvb_get_guint8(tvb, 2) == 3) {
240 return RESPONSE_PACKET;
247 return RESPONSE_PACKET;
251 case READ_HOLDING_REGS:
252 case READ_INPUT_REGS:
253 case WRITE_SINGLE_COIL:
254 case WRITE_SINGLE_REG:
259 return RESPONSE_PACKET;
263 case WRITE_MULT_REGS:
264 case WRITE_MULT_COILS:
266 return RESPONSE_PACKET;
275 /* else, cannot classify */
276 return CANNOT_CLASSIFY;
279 /* Translate function to string, as given on p6 of
280 * "Open Modbus/TCP Specification", release 1 by Andy Swales.
282 static const value_string function_code_vals[] = {
283 { READ_COILS, "Read Coils" },
284 { READ_DISCRETE_INPUTS, "Read Discrete Inputs" },
285 { READ_HOLDING_REGS, "Read Holding Registers" },
286 { READ_INPUT_REGS, "Read Input Registers" },
287 { WRITE_SINGLE_COIL, "Write Single Coil" },
288 { WRITE_SINGLE_REG, "Write Single Register" },
289 { READ_EXCEPT_STAT, "Read Exception Status" },
290 { DIAGNOSTICS, "Diagnostics" },
291 { GET_COMM_EVENT_CTRS, "Get Comm. Event Counters" },
292 { GET_COMM_EVENT_LOG, "Get Comm. Event Log" },
293 { WRITE_MULT_COILS, "Write Multiple Coils" },
294 { WRITE_MULT_REGS, "Write Multiple Registers" },
295 { REPORT_SLAVE_ID, "Report Slave ID" },
296 { READ_FILE_RECORD, "Read File Record" },
297 { WRITE_FILE_RECORD, "Write File Record" },
298 { MASK_WRITE_REG, "Mask Write Register" },
299 { READ_WRITE_REG, "Read Write Register" },
300 { READ_FIFO_QUEUE, "Read FIFO Queue" },
301 { ENCAP_INTERFACE_TRANSP, "Encapsulated Interface Transport" },
302 { UNITY_SCHNEIDER, "Unity (Schneider)" },
306 /* Translate exception code to string */
307 static const value_string exception_code_vals[] = {
308 { ILLEGAL_FUNCTION, "Illegal function" },
309 { ILLEGAL_ADDRESS, "Illegal data address" },
310 { ILLEGAL_VALUE, "Illegal data value" },
311 { SLAVE_FAILURE, "Slave device failure" },
312 { ACKNOWLEDGE, "Acknowledge" },
313 { SLAVE_BUSY, "Slave device busy" },
314 { MEMORY_ERR, "Memory parity error" },
315 { GATEWAY_UNAVAILABLE, "Gateway path unavailable" },
316 { GATEWAY_TRGT_FAIL, "Gateway target device failed to respond" },
320 /* Translate Modbus Encapsulation Interface (MEI) code to string */
321 static const value_string encap_interface_code_vals[] = {
322 { CANOPEN_REQ_RESP, "CANopen Request/Response " },
323 { READ_DEVICE_ID, "Read Device Identification" },
327 /* Translate Modbus Diagnostic subfunction code to string */
328 static const value_string diagnostic_code_vals[] = {
329 { RETURN_QUERY_DATA, "Return Query Data" },
330 { RESTART_COMMUNICATION_OPTION, "Restart Communications Option" },
331 { RETURN_DIAGNOSTIC_REGISTER, "Return Diagnostic Register" },
332 { CHANGE_ASCII_INPUT_DELIMITER, "Change ASCII Input Delimiter" },
333 { FORCE_LISTEN_ONLY_MODE, "Force Listen Only Mode" },
334 { CLEAR_COUNTERS_AND_DIAG_REG, "Clear Counters and Diagnostic Register" },
335 { RETURN_BUS_MESSAGE_COUNT, "Return Bus Message Count" },
336 { RETURN_BUS_COMM_ERROR_COUNT, "Return Bus Communication Error Count" },
337 { RETURN_BUS_EXCEPTION_ERROR_COUNT, "Return Bus Exception Error Count" },
338 { RETURN_SLAVE_MESSAGE_COUNT, "Return Slave Message Count" },
339 { RETURN_SLAVE_NO_RESPONSE_COUNT, "Return Slave No Response Count" },
340 { RETURN_SLAVE_NAK_COUNT, "Return Slave NAK Count" },
341 { RETURN_SLAVE_BUSY_COUNT, "Return Slave Busy Count" },
342 { RETURN_BUS_CHAR_OVERRUN_COUNT, "Return Bus Character Overrun Count" },
343 { CLEAR_OVERRUN_COUNTER_AND_FLAG, "Clear Overrun Counter and Flag" },
347 static const value_string diagnostic_restart_communication_option_vals[] = {
349 { 0xFF, "Clear Log" },
353 /* Translate read device code to string */
354 static const value_string read_device_id_vals[] = {
355 { 1, "Basic Device Identification" },
356 { 2, "Regular Device Identification" },
357 { 3, "Extended Device Identification" },
358 { 4, "Specific Identification Object" },
363 /* Translate read device code to string */
364 static const value_string object_id_vals[] = {
366 { 1, "ProductCode" },
367 { 2, "MajorMinorRevision" },
369 { 4, "ProductName" },
371 { 6, "UserApplicationName" },
376 static const value_string conformity_level_vals[] = {
377 { 0x01, "Basic Device Identification (stream)" },
378 { 0x02, "Regular Device Identification (stream)" },
379 { 0x03, "Extended Device Identification (stream)" },
380 { 0x81, "Basic Device Identification (stream and individual)" },
381 { 0x82, "Regular Device Identification (stream and individual)" },
382 { 0x83, "Extended Device Identification (stream and individual)" },
387 static const enum_val_t mbus_register_format[] = {
388 { "UINT16 ", "UINT16 ", MODBUS_PREF_REGISTER_FORMAT_UINT16 },
389 { "INT16 ", "INT16 ", MODBUS_PREF_REGISTER_FORMAT_INT16 },
390 { "UINT32 ", "UINT32 ", MODBUS_PREF_REGISTER_FORMAT_UINT32 },
391 { "INT32 ", "INT32 ", MODBUS_PREF_REGISTER_FORMAT_INT32 },
392 { "IEEE FLT ", "IEEE FLT ", MODBUS_PREF_REGISTER_FORMAT_IEEE_FLOAT },
393 { "MODICON FLT", "MODICON FLT", MODBUS_PREF_REGISTER_FORMAT_MODICON_FLOAT },
397 /* Code to dissect Modbus/TCP packets */
399 dissect_mbtcp_pdu_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, int proto, guint port)
401 /* Set up structures needed to add the protocol subtree and manage it */
403 proto_tree *mbtcp_tree;
404 int offset, packet_type;
406 const char *func_string = "";
407 const char *pkt_type_str = "";
408 const char *err_str = "";
409 guint16 transaction_id, protocol_id, len;
410 guint8 unit_id, function_code, exception_code, subfunction_code;
412 transaction_id = tvb_get_ntohs(tvb, 0);
413 protocol_id = tvb_get_ntohs(tvb, 2);
414 len = tvb_get_ntohs(tvb, 4);
416 unit_id = tvb_get_guint8(tvb, 6);
417 function_code = tvb_get_guint8(tvb, 7) & 0x7F;
421 /* "Request" or "Response" */
422 packet_type = classify_mbtcp_packet(pinfo, port);
424 switch ( packet_type ) {
426 pkt_type_str="Query";
428 case RESPONSE_PACKET :
429 pkt_type_str="Response";
431 case CANNOT_CLASSIFY :
432 err_str="Unable to classify as query or response.";
433 pkt_type_str="unknown";
439 /* Find exception - last bit set in function code */
440 if (tvb_get_guint8(tvb, 7) & 0x80) {
441 exception_code = tvb_get_guint8(tvb, offset + 8);
447 if ((function_code == ENCAP_INTERFACE_TRANSP) && (exception_code == 0)) {
448 func_string = val_to_str_const(tvb_get_guint8(tvb, offset + 8), encap_interface_code_vals, "Encapsulated Interface Transport");
449 subfunction_code = 1;
451 else if ((function_code == DIAGNOSTICS) && (exception_code == 0)) {
452 func_string = val_to_str_const(tvb_get_ntohs(tvb, offset + 8), diagnostic_code_vals, "Diagnostics");
453 subfunction_code = 1;
456 func_string = val_to_str(function_code, function_code_vals, "Unknown function (%d)");
457 subfunction_code = 0;
460 if ( exception_code != 0 )
461 err_str="Exception returned ";
463 /* Make entries in Info column on summary display */
464 if (subfunction_code == 0) {
465 if (strlen(err_str) > 0) {
466 col_add_fstr(pinfo->cinfo, COL_INFO,
467 "%8s: Trans: %5u; Unit: %3u, Func: %3u: %s. %s",
468 pkt_type_str, transaction_id, unit_id,
469 function_code, func_string, err_str);
472 col_add_fstr(pinfo->cinfo, COL_INFO,
473 "%8s: Trans: %5u; Unit: %3u, Func: %3u: %s",
474 pkt_type_str, transaction_id, unit_id,
475 function_code, func_string);
479 if (strlen(err_str) > 0) {
480 col_add_fstr(pinfo->cinfo, COL_INFO,
481 "%8s: Trans: %5u; Unit: %3u, Func: %3u/%3u: %s. %s",
482 pkt_type_str, transaction_id, unit_id,
483 function_code, subfunction_code, func_string, err_str);
486 col_add_fstr(pinfo->cinfo, COL_INFO,
487 "%8s: Trans: %5u; Unit: %3u, Func: %3u/%3u: %s",
488 pkt_type_str, transaction_id, unit_id,
489 function_code, subfunction_code, func_string);
493 /* Create protocol tree */
494 mi = proto_tree_add_item(tree, proto, tvb, offset, len+6, ENC_NA);
495 mbtcp_tree = proto_item_add_subtree(mi, ett_mbtcp);
497 if (packet_type == CANNOT_CLASSIFY)
498 expert_add_info(pinfo, mi, &ei_mbtcp_cannot_classify);
500 /* Add items to protocol tree specific to Modbus/TCP */
501 proto_tree_add_uint(mbtcp_tree, hf_mbtcp_transid, tvb, offset, 2, transaction_id);
502 proto_tree_add_uint(mbtcp_tree, hf_mbtcp_protid, tvb, offset + 2, 2, protocol_id);
503 proto_tree_add_uint(mbtcp_tree, hf_mbtcp_len, tvb, offset + 4, 2, len);
504 proto_tree_add_uint(mbtcp_tree, hf_mbtcp_unitid, tvb, offset + 6, 1, unit_id);
506 /* dissect the Modbus PDU */
507 next_tvb = tvb_new_subset_length( tvb, offset+7, len-1);
509 /* Continue with dissection of Modbus data payload following Modbus/TCP frame */
510 if( tvb_reported_length_remaining(tvb, offset) > 0 )
511 call_dissector_with_data(modbus_handle, next_tvb, pinfo, tree, &packet_type);
513 return tvb_captured_length(tvb);
517 dissect_mbtcp_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
519 /* Make entries in Protocol column on summary display */
520 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Modbus/TCP");
521 col_clear(pinfo->cinfo, COL_INFO);
523 return dissect_mbtcp_pdu_common(tvb, pinfo, tree, proto_mbtcp, global_mbus_tcp_port);
526 /* Code to dissect Modbus RTU */
528 dissect_mbrtu_pdu_common(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint port)
530 /* Set up structures needed to add the protocol subtree and manage it */
532 proto_tree *mbrtu_tree;
533 int offset, packet_type;
535 const char *func_string = "";
536 const char *pkt_type_str = "";
537 const char *err_str = "";
538 guint16 len, calc_crc16;
539 guint8 unit_id, function_code, exception_code, subfunction_code;
541 /* Make entries in Protocol column on summary display */
542 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Modbus RTU");
543 col_clear(pinfo->cinfo, COL_INFO);
545 len = tvb_reported_length(tvb);
547 unit_id = tvb_get_guint8(tvb, 0);
548 function_code = tvb_get_guint8(tvb, 1) & 0x7F;
552 /* "Request" or "Response" */
553 packet_type = classify_mbrtu_packet(pinfo, tvb, port);
555 switch ( packet_type ) {
557 pkt_type_str="Query";
559 case RESPONSE_PACKET :
560 pkt_type_str="Response";
562 case CANNOT_CLASSIFY :
563 err_str="Unable to classify as query or response.";
564 pkt_type_str="unknown";
570 /* Find exception - last bit set in function code */
571 if (tvb_get_guint8(tvb, 1) & 0x80) {
572 exception_code = tvb_get_guint8(tvb, offset + 2);
578 if ((function_code == ENCAP_INTERFACE_TRANSP) && (exception_code == 0)) {
579 func_string = val_to_str_const(tvb_get_guint8(tvb, offset + 2), encap_interface_code_vals, "Encapsulated Interface Transport");
580 subfunction_code = 1;
582 else if ((function_code == DIAGNOSTICS) && (exception_code == 0)) {
583 func_string = val_to_str_const(tvb_get_ntohs(tvb, offset + 2), diagnostic_code_vals, "Diagnostics");
584 subfunction_code = 1;
587 func_string = val_to_str(function_code, function_code_vals, "Unknown function (%d)");
588 subfunction_code = 0;
591 if ( exception_code != 0 )
592 err_str="Exception returned ";
594 /* Make entries in Info column on summary display */
595 if (subfunction_code == 0) {
596 if (strlen(err_str) > 0) {
597 col_add_fstr(pinfo->cinfo, COL_INFO,
598 "%8s: Unit: %3u, Func: %3u: %s. %s",
599 pkt_type_str, unit_id,
600 function_code, func_string, err_str);
603 col_add_fstr(pinfo->cinfo, COL_INFO,
604 "%8s: Unit: %3u, Func: %3u: %s",
605 pkt_type_str, unit_id,
606 function_code, func_string);
610 if (strlen(err_str) > 0) {
611 col_add_fstr(pinfo->cinfo, COL_INFO,
612 "%8s: Unit: %3u, Func: %3u/%3u: %s. %s",
613 pkt_type_str, unit_id,
614 function_code, subfunction_code, func_string, err_str);
617 col_add_fstr(pinfo->cinfo, COL_INFO,
618 "%8s: Unit: %3u, Func: %3u/%3u: %s",
619 pkt_type_str, unit_id,
620 function_code, subfunction_code, func_string);
624 /* Create protocol tree */
625 mi = proto_tree_add_protocol_format(tree, proto_mbrtu, tvb, offset,
627 mbrtu_tree = proto_item_add_subtree(mi, ett_mbrtu);
629 /* Add items to protocol tree specific to Modbus RTU */
630 proto_tree_add_uint(mbrtu_tree, hf_mbrtu_unitid, tvb, offset, 1, unit_id);
635 calc_crc16 = crc16_plain_tvb_offset_seed(tvb, offset, len-2, 0xFFFF);
636 proto_tree_add_checksum(mbrtu_tree, tvb, len-2, hf_mbrtu_crc16, hf_mbrtu_crc16_status, &ei_mbrtu_crc16_incorrect, pinfo, g_htons(calc_crc16), ENC_BIG_ENDIAN, PROTO_CHECKSUM_VERIFY);
640 proto_tree_add_checksum(mbrtu_tree, tvb, len-2, hf_mbrtu_crc16, hf_mbrtu_crc16_status, &ei_mbrtu_crc16_incorrect, pinfo, 0, ENC_BIG_ENDIAN, PROTO_CHECKSUM_NO_FLAGS);
643 /* when determining payload length, make sure to ignore the unit ID header & CRC-16 footer bytes */
646 /* dissect the Modbus PDU */
647 next_tvb = tvb_new_subset_length( tvb, offset+1, len);
649 /* Continue with dissection of Modbus data payload following Modbus RTU frame */
650 if( tvb_reported_length_remaining(tvb, offset) > 0 )
651 call_dissector_with_data(modbus_handle, next_tvb, pinfo, tree, &packet_type);
653 return tvb_captured_length(tvb);
656 /* Code to dissect Modbus RTU over TCP packets */
658 dissect_mbrtu_pdu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
660 return dissect_mbrtu_pdu_common(tvb, pinfo, tree, global_mbus_tcp_rtu_port);
663 /* Return length of Modbus/TCP message */
665 get_mbtcp_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb, int offset, void *data _U_)
670 * Get the length of the data from the encapsulation header.
672 plen = tvb_get_ntohs(tvb, offset + 4);
675 * That length doesn't include the encapsulation header itself;
681 /* Return length of Modbus RTU over TCP message */
683 get_mbrtu_pdu_len(packet_info *pinfo _U_, tvbuff_t *tvb,
684 int offset _U_, void *data _U_)
687 guint8 function_code;
689 function_code = tvb_get_guint8(tvb, 1);
691 /* Modbus RTU requests do not contain a length field but they are typically a consistent size.
692 Responses do contain a usable 'length' byte at offset 2
693 XXX - Note that only some function codes are supported by this lookup function;
694 the rest can be added as pcap examples are made available */
696 /* Determine "Query" or "Response" */
697 packet_type = classify_mbrtu_packet(pinfo, tvb, global_mbus_tcp_rtu_port);
699 switch ( packet_type ) {
701 switch (function_code) {
702 case READ_COILS: /* Query messages of these types are always 8 bytes */
703 case READ_DISCRETE_INPUTS:
704 case READ_HOLDING_REGS:
705 case READ_INPUT_REGS:
706 case WRITE_SINGLE_COIL:
707 case WRITE_SINGLE_REG:
710 case WRITE_MULT_REGS:
711 case WRITE_MULT_COILS:
712 return tvb_get_guint8(tvb, 6) + 9; /* Reported size does not include 2 header, 4 FC15/16-specific, 1 size byte or 2 CRC16 bytes */
715 return tvb_captured_length(tvb); /* Fall back on tvb length */
718 case RESPONSE_PACKET :
719 /* The 'exception' bit is set, so this is a 5-byte response */
720 if (function_code & 0x80) {
724 switch (function_code) {
726 case READ_DISCRETE_INPUTS:
727 case READ_HOLDING_REGS:
728 case READ_INPUT_REGS:
729 case WRITE_SINGLE_COIL:
730 case WRITE_SINGLE_REG:
731 return tvb_get_guint8(tvb, 2) + 5; /* Reported size does not include 2 header, 1 size byte, 2 CRC16 bytes */
733 case WRITE_MULT_REGS: /* Response messages of FC15/16 are always 8 bytes */
734 case WRITE_MULT_COILS:
738 return tvb_captured_length(tvb); /* Fall back on tvb length */
741 case CANNOT_CLASSIFY :
743 return tvb_captured_length(tvb); /* Fall back on tvb length */
750 /* Code to dissect Modbus/TCP messages */
752 dissect_mbtcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
755 /* Make sure there's at least enough data to determine it's a Modbus TCP packet */
756 if (!tvb_bytes_exist(tvb, 0, 8))
759 /* check that it actually looks like Modbus/TCP */
760 /* protocol id == 0 */
761 if(tvb_get_ntohs(tvb, 2) != 0 ){
764 /* length is at least 2 (unit_id + function_code) */
765 if(tvb_get_ntohs(tvb, 4) < 2 ){
769 /* build up protocol tree and iterate over multiple packets */
770 tcp_dissect_pdus(tvb, pinfo, tree, mbtcp_desegment, 6,
771 get_mbtcp_pdu_len, dissect_mbtcp_pdu, data);
773 return tvb_captured_length(tvb);
777 dissect_mbudp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
780 /* Make sure there's at least enough data to determine it's a Modbus UDP packet */
781 if (!tvb_bytes_exist(tvb, 0, 8))
784 /* check that it actually looks like Modbus/TCP */
785 /* protocol id == 0 */
786 if(tvb_get_ntohs(tvb, 2) != 0 ){
789 /* length is at least 2 (unit_id + function_code) */
790 if(tvb_get_ntohs(tvb, 4) < 2 ){
794 /* Make entries in Protocol column on summary display */
795 col_set_str(pinfo->cinfo, COL_PROTOCOL, "Modbus/UDP");
796 col_clear(pinfo->cinfo, COL_INFO);
798 return dissect_mbtcp_pdu_common(tvb, pinfo, tree, proto_mbudp, global_mbus_udp_port);
801 /* Code to dissect Modbus RTU over TCP messages */
803 dissect_mbrtu(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
806 /* Make sure there's at least enough data to determine it's a Modbus packet */
807 /* 5 bytes is the smallest possible valid message (exception response) */
808 if (!tvb_bytes_exist(tvb, 0, 5))
811 /* For Modbus RTU mode, confirm that the first byte is a valid address (non-zero), */
812 /* so we can eliminate false-posititves on Modbus TCP messages loaded as RTU */
813 if(tvb_get_guint8(tvb, 0) == 0 )
816 /* build up protocol tree and iterate over multiple packets */
817 tcp_dissect_pdus(tvb, pinfo, tree, mbrtu_desegment, 5,
818 get_mbrtu_pdu_len, dissect_mbrtu_pdu, data);
820 return tvb_captured_length(tvb);
824 dissect_mbrtu_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data _U_)
827 /* Make sure there's at least enough data to determine it's a Modbus packet */
828 /* 5 bytes is the smallest possible valid message (exception response) */
829 if (tvb_reported_length(tvb) < 5)
832 return dissect_mbrtu_pdu_common(tvb, pinfo, tree, global_mbus_udp_rtu_port);
836 /* Code to allow further dissection of Modbus data payload */
837 /* Common to both Modbus/TCP and Modbus RTU dissectors */
839 dissect_modbus_data(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, guint8 function_code,
840 gint payload_start, gint payload_len, gint register_format, guint16 reg_base)
842 gint reported_len, data_offset;
845 guint16 data16, modflt_lo, modflt_hi, reg_num=reg_base;
846 guint32 data32, modflt_comb;
847 gfloat data_float, modfloat;
848 proto_item *register_item = NULL;
851 reported_len = tvb_reported_length_remaining(tvb, payload_start);
854 if ( payload_start < 0 || ( payload_len + payload_start ) == 0 )
857 /* If calculated length from remaining tvb data != bytes in packet, do not attempt to decode */
858 if ( payload_len != reported_len ) {
859 proto_tree_add_item(tree, hf_modbus_data, tvb, payload_start, reported_len, ENC_NA);
863 /* If data type of payload is Holding or Input registers */
865 /* if payload length is not a multiple of 4, don't attempt to decode anything in 32-bit format */
866 if ((function_code == READ_HOLDING_REGS) || (function_code == READ_INPUT_REGS) || (function_code == WRITE_MULT_REGS)) {
867 if ((payload_len % 4 != 0) && ( (register_format == MODBUS_PREF_REGISTER_FORMAT_UINT32) ||
868 (register_format == MODBUS_PREF_REGISTER_FORMAT_IEEE_FLOAT) ||
869 (register_format == MODBUS_PREF_REGISTER_FORMAT_MODICON_FLOAT) ) ) {
870 register_item = proto_tree_add_item(tree, hf_modbus_data, tvb, payload_start, payload_len, ENC_NA);
871 expert_add_info(pinfo, register_item, &ei_modbus_data_decode);
876 /* Build a new tvb containing just the data payload */
877 next_tvb = tvb_new_subset(tvb, payload_start, payload_len, reported_len);
879 switch ( function_code ) {
881 case READ_HOLDING_REGS:
882 case READ_INPUT_REGS:
883 case WRITE_MULT_REGS:
884 while (data_offset < payload_len) {
885 /* Use "Preferences" options to determine decoding format of register data, as no format is implied by the protocol itself. */
886 /* Based on a standard register size of 16-bits, use decoding format preference to step through each register and display */
887 /* it in an appropriate fashion. */
888 switch (register_format) {
889 case MODBUS_PREF_REGISTER_FORMAT_UINT16: /* Standard-size unsigned integer 16-bit register */
890 data16 = tvb_get_ntohs(next_tvb, data_offset);
891 proto_tree_add_uint_format(tree, hf_modbus_reg16, next_tvb, data_offset, 2, reg_num,
892 "Register %u (UINT16): %u", reg_num, data16);
896 case MODBUS_PREF_REGISTER_FORMAT_INT16: /* Standard-size signed integer 16-bit register */
897 data16s = tvb_get_ntohs(next_tvb, data_offset);
898 proto_tree_add_uint_format(tree, hf_modbus_reg16, next_tvb, data_offset, 2, reg_num,
899 "Register %u (INT16): %d", reg_num, data16s);
903 case MODBUS_PREF_REGISTER_FORMAT_UINT32: /* Double-size unsigned integer 2 x 16-bit registers */
904 data32 = tvb_get_ntohl(next_tvb, data_offset);
905 proto_tree_add_uint_format(tree, hf_modbus_reg32, next_tvb, data_offset, 4, reg_num,
906 "Register %u (UINT32): %u", reg_num, data32);
910 case MODBUS_PREF_REGISTER_FORMAT_INT32: /* Double-size signed integer 2 x 16-bit registers */
911 data32s = tvb_get_ntohl(next_tvb, data_offset);
912 proto_tree_add_uint_format(tree, hf_modbus_reg32, next_tvb, data_offset, 4, reg_num,
913 "Register %u (INT32): %d", reg_num, data32s);
917 case MODBUS_PREF_REGISTER_FORMAT_IEEE_FLOAT: /* IEEE Floating Point, 2 x 16-bit registers */
918 data_float = tvb_get_ntohieee_float(next_tvb, data_offset);
920 proto_tree_add_uint_format(tree, hf_modbus_reg32, next_tvb, data_offset, 4, reg_num,
921 "Register %u (IEEE Float): %f", reg_num, data_float);
925 case MODBUS_PREF_REGISTER_FORMAT_MODICON_FLOAT: /* Modicon Floating Point (word-swap), 2 x 16-bit registers */
926 /* Modicon-style Floating Point values are stored in reverse-word order. */
927 /* ie: a standard IEEE float value 59.991459 is equal to 0x426ff741 */
928 /* while the Modicon equivalent to this value is 0xf741426f */
929 /* To re-assemble a proper IEEE float, we must retrieve the 2 x 16-bit words, bit-shift the */
930 /* "hi" component by 16-bits and then OR them together into a combined 32-bit int. */
931 /* Following that operation, use some memcpy magic to copy the 4 raw data bytes from the */
932 /* 32-bit integer into a standard float. Not sure if there is a cleaner way possible using */
933 /* the Wireshark libraries, but this seems to work OK. */
935 modflt_lo = tvb_get_ntohs(next_tvb, data_offset);
936 modflt_hi = tvb_get_ntohs(next_tvb, data_offset+2);
937 modflt_comb = (guint32)(modflt_hi<<16) | modflt_lo;
938 memcpy(&modfloat, &modflt_comb, 4);
940 proto_tree_add_uint_format(tree, hf_modbus_reg32, next_tvb, data_offset, 4, reg_num,
941 "Register %u (Modicon Float): %f", reg_num, modfloat);
946 /* Avoid any chance of an infinite loop */
947 data_offset = payload_len;
949 } /* register format switch */
956 if ( ! dissector_try_string(modbus_data_dissector_table, "data", next_tvb, pinfo, tree, NULL) )
957 proto_tree_add_item(tree, hf_modbus_data, tvb, payload_start, payload_len, ENC_NA);
962 /* Code to dissect Modbus request message */
964 dissect_modbus_request(tvbuff_t *tvb, packet_info *pinfo, proto_tree *modbus_tree, guint8 function_code, gint payload_start, gint payload_len)
966 proto_tree *group_tree;
967 gint byte_cnt, group_offset, ii;
968 gint register_format = MODBUS_PREF_REGISTER_FORMAT_UINT16; /* Default value for register formatting.. */
970 guint16 reg_base=0, diagnostic_code;
971 guint32 group_byte_cnt, group_word_cnt;
973 modbus_conversation *conv;
975 /* See if we have any context */
976 conv = (modbus_conversation *)p_get_proto_data(wmem_file_scope(), pinfo, proto_modbus, 0);
979 register_format = conv->register_format;
982 switch (function_code) {
985 case READ_DISCRETE_INPUTS:
986 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
987 proto_tree_add_item(modbus_tree, hf_modbus_bitcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
990 case READ_HOLDING_REGS:
991 case READ_INPUT_REGS:
992 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
993 proto_tree_add_item(modbus_tree, hf_modbus_wordcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
996 case WRITE_SINGLE_COIL:
997 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
998 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 2, 1, register_format, reg_base);
999 proto_tree_add_item(modbus_tree, hf_modbus_padding, tvb, payload_start + 3, 1, ENC_NA);
1002 case WRITE_SINGLE_REG:
1003 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1004 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 2, 2, register_format, reg_base);
1007 case READ_EXCEPT_STAT:
1012 diagnostic_code = tvb_get_ntohs(tvb, payload_start);
1013 proto_tree_add_uint(modbus_tree, hf_modbus_diag_sf, tvb, payload_start, 2, diagnostic_code);
1014 switch(diagnostic_code)
1016 case RETURN_QUERY_DATA:
1017 if (payload_len > 2)
1018 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_query_data_request, tvb, payload_start+2, payload_len-2, ENC_NA);
1020 case RESTART_COMMUNICATION_OPTION:
1021 proto_tree_add_item(modbus_tree, hf_modbus_diag_restart_communication_option, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1023 case CHANGE_ASCII_INPUT_DELIMITER:
1024 proto_tree_add_item(modbus_tree, hf_modbus_diag_ascii_input_delimiter, tvb, payload_start+2, 1, ENC_BIG_ENDIAN);
1026 case RETURN_DIAGNOSTIC_REGISTER: /* 00 00 Data Field */
1027 case FORCE_LISTEN_ONLY_MODE: /* 00 00 Data Field */
1028 case CLEAR_COUNTERS_AND_DIAG_REG: /* 00 00 Data Field */
1029 case RETURN_BUS_MESSAGE_COUNT: /* 00 00 Data Field */
1030 case RETURN_BUS_COMM_ERROR_COUNT: /* 00 00 Data Field */
1031 case RETURN_BUS_EXCEPTION_ERROR_COUNT: /* 00 00 Data Field */
1032 case RETURN_SLAVE_MESSAGE_COUNT: /* 00 00 Data Field */
1033 case RETURN_SLAVE_NO_RESPONSE_COUNT: /* 00 00 Data Field */
1034 case RETURN_SLAVE_NAK_COUNT: /* 00 00 Data Field */
1035 case RETURN_SLAVE_BUSY_COUNT: /* 00 00 Data Field */
1036 case RETURN_BUS_CHAR_OVERRUN_COUNT: /* 00 00 Data Field */
1037 case CLEAR_OVERRUN_COUNTER_AND_FLAG:
1039 if (payload_len > 2)
1040 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start+2, payload_len-2, register_format, reg_base);
1044 case WRITE_MULT_COILS:
1045 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1046 proto_tree_add_item(modbus_tree, hf_modbus_bitcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1047 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start + 4);
1048 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start + 4, 1, byte_cnt);
1049 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 5, byte_cnt, register_format, reg_base);
1052 case WRITE_MULT_REGS:
1053 reg_base = tvb_get_ntohs(tvb, payload_start);
1054 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1055 proto_tree_add_item(modbus_tree, hf_modbus_wordcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1056 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start + 4);
1057 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start + 4, 1, byte_cnt);
1058 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 5, byte_cnt, register_format, reg_base);
1061 case READ_FILE_RECORD:
1062 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1063 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1,
1066 /* add subtrees to describe each group of packet */
1067 group_offset = payload_start + 1;
1068 for (ii = 0; ii < byte_cnt / 7; ii++) {
1069 group_tree = proto_tree_add_subtree_format( modbus_tree, tvb, group_offset, 7,
1070 ett_group_hdr, NULL, "Group %u", ii);
1071 proto_tree_add_item(group_tree, hf_modbus_reftype, tvb, group_offset, 1, ENC_BIG_ENDIAN);
1072 proto_tree_add_item(group_tree, hf_modbus_lreference, tvb, group_offset + 1, 4, ENC_BIG_ENDIAN);
1073 proto_tree_add_item(group_tree, hf_modbus_wordcnt, tvb, group_offset + 5, 2, ENC_BIG_ENDIAN);
1078 case WRITE_FILE_RECORD:
1079 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1080 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1, byte_cnt);
1082 /* add subtrees to describe each group of packet */
1083 group_offset = payload_start + 1;
1085 while (byte_cnt > 0) {
1086 group_word_cnt = tvb_get_ntohs(tvb, group_offset + 5);
1087 group_byte_cnt = (2 * group_word_cnt) + 7;
1088 group_tree = proto_tree_add_subtree_format( modbus_tree, tvb, group_offset,
1089 group_byte_cnt, ett_group_hdr, NULL, "Group %u", ii);
1090 proto_tree_add_item(group_tree, hf_modbus_reftype, tvb, group_offset, 1, ENC_BIG_ENDIAN);
1091 proto_tree_add_item(group_tree, hf_modbus_lreference, tvb, group_offset + 1, 4, ENC_BIG_ENDIAN);
1092 proto_tree_add_uint(group_tree, hf_modbus_wordcnt, tvb, group_offset + 5, 2, group_word_cnt);
1093 dissect_modbus_data(tvb, pinfo, group_tree, function_code, group_offset + 7, group_byte_cnt - 7, register_format, reg_base);
1094 group_offset += group_byte_cnt;
1095 byte_cnt -= group_byte_cnt;
1100 case MASK_WRITE_REG:
1101 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1102 proto_tree_add_item(modbus_tree, hf_modbus_andmask, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1103 proto_tree_add_item(modbus_tree, hf_modbus_ormask, tvb, payload_start + 4, 2, ENC_BIG_ENDIAN);
1106 case READ_WRITE_REG:
1107 proto_tree_add_item(modbus_tree, hf_modbus_readref, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1108 proto_tree_add_item(modbus_tree, hf_modbus_readwordcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1109 proto_tree_add_item(modbus_tree, hf_modbus_writeref, tvb, payload_start + 4, 2, ENC_BIG_ENDIAN);
1110 proto_tree_add_item(modbus_tree, hf_modbus_writewordcnt, tvb, payload_start + 6, 2, ENC_BIG_ENDIAN);
1111 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start + 8);
1112 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start + 8, 1, byte_cnt);
1113 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 9, byte_cnt, register_format, reg_base);
1116 case READ_FIFO_QUEUE:
1117 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1120 case ENCAP_INTERFACE_TRANSP:
1121 proto_tree_add_item(modbus_tree, hf_modbus_mei, tvb, payload_start, 1, ENC_BIG_ENDIAN);
1122 mei_code = tvb_get_guint8(tvb, payload_start);
1125 case READ_DEVICE_ID:
1126 proto_tree_add_item(modbus_tree, hf_modbus_read_device_id, tvb, payload_start+1, 1, ENC_BIG_ENDIAN);
1127 proto_tree_add_item(modbus_tree, hf_modbus_object_id, tvb, payload_start+2, 1, ENC_BIG_ENDIAN);
1130 case CANOPEN_REQ_RESP:
1131 /* CANopen protocol not part of the Modbus/TCP specification */
1133 if (payload_len > 1)
1134 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start, payload_len-1, register_format, reg_base);
1140 case REPORT_SLAVE_ID:
1142 if (payload_len > 0)
1143 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start, payload_len, register_format, reg_base);
1146 } /* Function Code */
1148 return tvb_captured_length(tvb);
1151 /* Code to dissect Modbus Response message */
1153 dissect_modbus_response(tvbuff_t *tvb, packet_info *pinfo, proto_tree *modbus_tree, guint8 function_code, gint payload_start, gint payload_len)
1156 proto_tree *group_tree, *event_tree, *event_item_tree, *device_objects_tree, *device_objects_item_tree;
1158 gint byte_cnt, group_offset, event_index, object_index, object_len, num_objects, ii;
1159 gint register_format = MODBUS_PREF_REGISTER_FORMAT_UINT16; /* Default value for register formatting.. */
1160 guint8 object_type, mei_code, event_code;
1161 guint16 reg_base=0, diagnostic_code;
1162 guint32 group_byte_cnt, group_word_cnt;
1164 /* Conversation tracking */
1165 proto_item *request_frame_item;
1166 modbus_conversation *conv;
1167 guint8 req_function_code;
1168 guint32 req_frame_num;
1169 gboolean request_found = FALSE;
1170 modbus_request_info_t *request_data;
1172 /* See if we have any context */
1173 conv = (modbus_conversation *)p_get_proto_data(wmem_file_scope(), pinfo, proto_modbus, 0);
1177 wmem_list_frame_t *frame = wmem_list_head(conv->modbus_request_frame_data);
1178 /* Step backward through all logged instances of request frames, looking for a request frame number that
1179 occurred immediately prior to current frame number that has a matching function code */
1180 while (frame && !request_found) {
1181 request_data = (modbus_request_info_t *)wmem_list_frame_data(frame);
1182 req_frame_num = request_data->fnum;
1183 req_function_code = request_data->function_code;
1184 if ((pinfo->num > req_frame_num) && (req_function_code == function_code)) {
1185 request_frame_item = proto_tree_add_uint(modbus_tree, hf_modbus_request_frame, tvb, 0, 0, req_frame_num);
1186 reg_base = request_data->base_address;
1187 PROTO_ITEM_SET_GENERATED(request_frame_item);
1188 request_found = TRUE;
1190 frame = wmem_list_frame_next(frame);
1193 register_format = conv->register_format;
1196 switch (function_code) {
1199 case READ_DISCRETE_INPUTS:
1200 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1201 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1, byte_cnt);
1202 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 1, byte_cnt, register_format, reg_base);
1205 case READ_HOLDING_REGS:
1206 case READ_INPUT_REGS:
1207 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1208 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1, byte_cnt);
1209 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 1, byte_cnt, register_format, reg_base);
1212 case WRITE_SINGLE_COIL:
1213 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1214 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 2, 1, register_format, reg_base);
1215 proto_tree_add_item(modbus_tree, hf_modbus_padding, tvb, payload_start + 3, 1, ENC_NA);
1218 case WRITE_SINGLE_REG:
1219 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1220 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 2, 2, register_format, reg_base);
1223 case READ_EXCEPT_STAT:
1224 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start, 1, register_format, reg_base);
1228 diagnostic_code = tvb_get_ntohs(tvb, payload_start);
1229 proto_tree_add_uint(modbus_tree, hf_modbus_diag_sf, tvb, payload_start, 2, diagnostic_code);
1230 switch(diagnostic_code)
1232 case RETURN_QUERY_DATA: /* Echo of Request */
1233 if (payload_len > 2)
1234 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_query_data_echo, tvb, payload_start+2, payload_len-2, ENC_NA);
1236 case RESTART_COMMUNICATION_OPTION: /* Echo of Request */
1237 proto_tree_add_item(modbus_tree, hf_modbus_diag_restart_communication_option, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1239 case RETURN_DIAGNOSTIC_REGISTER:
1240 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_diag_register, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1242 case CHANGE_ASCII_INPUT_DELIMITER: /* XXX - Do we expect this to ever be a response? */
1243 proto_tree_add_item(modbus_tree, hf_modbus_diag_ascii_input_delimiter, tvb, payload_start+2, 1, ENC_BIG_ENDIAN);
1245 case CLEAR_COUNTERS_AND_DIAG_REG: /* Echo of Request */
1246 proto_tree_add_item(modbus_tree, hf_modbus_diag_clear_ctr_diag_reg, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1248 case RETURN_BUS_MESSAGE_COUNT:
1249 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_bus_message_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1251 case RETURN_BUS_COMM_ERROR_COUNT:
1252 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_bus_comm_error_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1254 case RETURN_BUS_EXCEPTION_ERROR_COUNT:
1255 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_bus_exception_error_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1257 case RETURN_SLAVE_MESSAGE_COUNT:
1258 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_slave_message_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1260 case RETURN_SLAVE_NO_RESPONSE_COUNT:
1261 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_no_slave_response_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1263 case RETURN_SLAVE_NAK_COUNT:
1264 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_slave_nak_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1266 case RETURN_SLAVE_BUSY_COUNT:
1267 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_slave_busy_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1269 case RETURN_BUS_CHAR_OVERRUN_COUNT:
1270 proto_tree_add_item(modbus_tree, hf_modbus_diag_return_bus_char_overrun_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1272 case CLEAR_OVERRUN_COUNTER_AND_FLAG: /* Echo of Request */
1273 case FORCE_LISTEN_ONLY_MODE: /* No response anticipated */
1275 if (payload_len > 2)
1276 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start+2, payload_len-2, register_format, reg_base);
1278 } /* diagnostic_code */
1281 case GET_COMM_EVENT_CTRS:
1282 proto_tree_add_item(modbus_tree, hf_modbus_status, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1283 proto_tree_add_item(modbus_tree, hf_modbus_event_count, tvb, payload_start+2, 2, ENC_BIG_ENDIAN);
1286 case GET_COMM_EVENT_LOG:
1287 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1288 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1, byte_cnt);
1289 proto_tree_add_item(modbus_tree, hf_modbus_status, tvb, payload_start+1, 2, ENC_BIG_ENDIAN);
1290 proto_tree_add_item(modbus_tree, hf_modbus_event_count, tvb, payload_start+3, 2, ENC_BIG_ENDIAN);
1291 proto_tree_add_item(modbus_tree, hf_modbus_message_count, tvb, payload_start+5, 2, ENC_BIG_ENDIAN);
1292 if (byte_cnt-6 > 0) {
1295 event_tree = proto_tree_add_subtree(modbus_tree, tvb, payload_start+7, byte_cnt, ett_events, NULL, "Events");
1296 while (byte_cnt > 0) {
1297 event_code = tvb_get_guint8(tvb, payload_start+7+event_index);
1298 if (event_code == 0) {
1299 proto_tree_add_uint_format(event_tree, hf_modbus_event, tvb, payload_start+7+event_index, 1, event_code, "Initiated Communication Restart");
1301 else if (event_code == 4) {
1302 proto_tree_add_uint_format(event_tree, hf_modbus_event, tvb, payload_start+7+event_index, 1, event_code, "Entered Listen Only Mode");
1304 else if (event_code & REMOTE_DEVICE_RECV_EVENT_MASK) {
1305 mei = proto_tree_add_uint_format(event_tree, hf_modbus_event, tvb, payload_start+7+event_index, 1,
1306 event_code, "Receive Event: 0x%02X", event_code);
1307 event_item_tree = proto_item_add_subtree(mei, ett_events_recv);
1309 /* add subtrees to describe each event bit */
1310 proto_tree_add_item(event_item_tree, hf_modbus_event_recv_comm_err,
1311 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1312 proto_tree_add_item(event_item_tree, hf_modbus_event_recv_char_over,
1313 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1314 proto_tree_add_item(event_item_tree, hf_modbus_event_recv_lo_mode,
1315 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1316 proto_tree_add_item(event_item_tree, hf_modbus_event_recv_broadcast,
1317 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1319 else if ((event_code & REMOTE_DEVICE_SEND_EVENT_MASK) == REMOTE_DEVICE_SEND_EVENT_VALUE) {
1320 mei = proto_tree_add_uint_format(event_tree, hf_modbus_event, tvb, payload_start+7+event_index, 1,
1321 event_code, "Send Event: 0x%02X", event_code);
1322 event_item_tree = proto_item_add_subtree(mei, ett_events_send);
1324 /* add subtrees to describe each event bit */
1325 proto_tree_add_item(event_item_tree, hf_modbus_event_send_read_ex,
1326 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1327 proto_tree_add_item(event_item_tree, hf_modbus_event_send_slave_abort_ex,
1328 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1329 proto_tree_add_item(event_item_tree, hf_modbus_event_send_slave_busy_ex,
1330 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1331 proto_tree_add_item(event_item_tree, hf_modbus_event_send_slave_nak_ex,
1332 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1333 proto_tree_add_item(event_item_tree, hf_modbus_event_send_write_timeout,
1334 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1335 proto_tree_add_item(event_item_tree, hf_modbus_event_send_lo_mode,
1336 tvb, payload_start+7+event_index, 1, ENC_LITTLE_ENDIAN );
1339 proto_tree_add_uint_format(event_tree, hf_modbus_event, tvb, payload_start+7+event_index, 1, event_code, "Unknown Event");
1348 case WRITE_MULT_COILS:
1349 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1350 proto_tree_add_item(modbus_tree, hf_modbus_bitcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1353 case WRITE_MULT_REGS:
1354 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1355 proto_tree_add_item(modbus_tree, hf_modbus_wordcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1358 case READ_FILE_RECORD:
1359 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1360 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1,
1363 /* add subtrees to describe each group of packet */
1364 group_offset = payload_start + 1;
1366 while (byte_cnt > 0) {
1367 group_byte_cnt = (guint32)tvb_get_guint8(tvb, group_offset);
1368 group_tree = proto_tree_add_subtree_format( modbus_tree, tvb, group_offset, group_byte_cnt + 1,
1369 ett_group_hdr, NULL, "Group %u", ii);
1370 proto_tree_add_uint(group_tree, hf_modbus_bytecnt, tvb, group_offset, 1,
1372 proto_tree_add_item(group_tree, hf_modbus_reftype, tvb, group_offset + 1, 1, ENC_BIG_ENDIAN);
1373 dissect_modbus_data(tvb, pinfo, group_tree, function_code, group_offset + 2, group_byte_cnt - 1, register_format, reg_base);
1374 group_offset += (group_byte_cnt + 1);
1375 byte_cnt -= (group_byte_cnt + 1);
1380 case WRITE_FILE_RECORD: /* Normal response is echo of request */
1381 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1382 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1, byte_cnt);
1384 /* add subtrees to describe each group of packet */
1385 group_offset = payload_start + 1;
1387 while (byte_cnt > 0) {
1388 group_word_cnt = tvb_get_ntohs(tvb, group_offset + 5);
1389 group_byte_cnt = (2 * group_word_cnt) + 7;
1390 group_tree = proto_tree_add_subtree_format( modbus_tree, tvb, group_offset,
1391 group_byte_cnt, ett_group_hdr, NULL, "Group %u", ii);
1392 proto_tree_add_item(group_tree, hf_modbus_reftype, tvb, group_offset, 1, ENC_BIG_ENDIAN);
1393 proto_tree_add_item(group_tree, hf_modbus_lreference, tvb, group_offset + 1, 4, ENC_BIG_ENDIAN);
1394 proto_tree_add_uint(group_tree, hf_modbus_wordcnt, tvb, group_offset + 5, 2, group_word_cnt);
1395 dissect_modbus_data(tvb, pinfo, group_tree, function_code, group_offset + 7, group_byte_cnt - 7, register_format, reg_base);
1396 group_offset += group_byte_cnt;
1397 byte_cnt -= group_byte_cnt;
1402 case MASK_WRITE_REG: /* Normal response is echo of request */
1403 proto_tree_add_item(modbus_tree, hf_modbus_reference, tvb, payload_start, 2, ENC_BIG_ENDIAN);
1404 proto_tree_add_item(modbus_tree, hf_modbus_andmask, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1405 proto_tree_add_item(modbus_tree, hf_modbus_ormask, tvb, payload_start + 4, 2, ENC_BIG_ENDIAN);
1408 case READ_WRITE_REG:
1409 byte_cnt = (guint32)tvb_get_guint8(tvb, payload_start);
1410 proto_tree_add_uint(modbus_tree, hf_modbus_bytecnt, tvb, payload_start, 1, byte_cnt);
1411 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 1, byte_cnt, register_format, reg_base);
1414 case READ_FIFO_QUEUE:
1415 byte_cnt = (guint32)tvb_get_ntohs(tvb, payload_start);
1416 proto_tree_add_uint(modbus_tree, hf_modbus_lbytecnt, tvb, payload_start, 2, byte_cnt);
1417 proto_tree_add_item(modbus_tree, hf_modbus_wordcnt, tvb, payload_start + 2, 2, ENC_BIG_ENDIAN);
1418 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start + 4, byte_cnt - 2, register_format, reg_base);
1421 case ENCAP_INTERFACE_TRANSP:
1422 proto_tree_add_item(modbus_tree, hf_modbus_mei, tvb, payload_start, 1, ENC_BIG_ENDIAN);
1423 mei_code = tvb_get_guint8(tvb, payload_start);
1426 case READ_DEVICE_ID:
1427 proto_tree_add_item(modbus_tree, hf_modbus_read_device_id, tvb, payload_start+1, 1, ENC_BIG_ENDIAN);
1428 proto_tree_add_item(modbus_tree, hf_modbus_conformity_level, tvb, payload_start+2, 1, ENC_BIG_ENDIAN);
1429 proto_tree_add_item(modbus_tree, hf_modbus_more_follows, tvb, payload_start+3, 1, ENC_BIG_ENDIAN);
1430 proto_tree_add_item(modbus_tree, hf_modbus_next_object_id, tvb, payload_start+4, 1, ENC_BIG_ENDIAN);
1431 num_objects = tvb_get_guint8(tvb, payload_start+5);
1432 proto_tree_add_uint(modbus_tree, hf_modbus_num_objects, tvb, payload_start+5, 1, num_objects);
1433 device_objects_tree = proto_tree_add_subtree(modbus_tree, tvb, payload_start+6, payload_len-6,
1434 ett_device_id_objects, NULL, "Objects");
1437 for (ii = 0; ii < num_objects; ii++)
1439 /* add each "object item" as its own subtree */
1441 /* compute length of object */
1442 object_type = tvb_get_guint8(tvb, payload_start+6+object_index);
1443 object_len = tvb_get_guint8(tvb, payload_start+6+object_index+1);
1445 device_objects_item_tree = proto_tree_add_subtree_format(device_objects_tree, tvb, payload_start+6+object_index, 2+object_len,
1446 ett_device_id_object_items, NULL, "Object #%d", ii+1);
1448 proto_tree_add_item(device_objects_item_tree, hf_modbus_object_id, tvb, payload_start+6+object_index, 1, ENC_BIG_ENDIAN);
1451 proto_tree_add_uint(device_objects_item_tree, hf_modbus_list_object_len, tvb, payload_start+6+object_index, 1, object_len);
1454 if (object_type < 7)
1456 proto_tree_add_item(device_objects_item_tree, hf_modbus_object_str_value, tvb, payload_start+6+object_index, object_len, ENC_ASCII|ENC_NA);
1461 proto_tree_add_item(device_objects_item_tree, hf_modbus_object_value, tvb, payload_start+6+object_index, object_len, ENC_NA);
1463 object_index += object_len;
1467 case CANOPEN_REQ_RESP:
1468 /* CANopen protocol not part of the Modbus/TCP specification */
1470 if (payload_len > 1)
1471 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start, payload_len-1, register_format, reg_base);
1476 case REPORT_SLAVE_ID:
1478 if (payload_len > 0)
1479 dissect_modbus_data(tvb, pinfo, modbus_tree, function_code, payload_start, payload_len, register_format, reg_base);
1482 } /* function code */
1484 return tvb_captured_length(tvb);
1488 /* Dissect the Modbus Payload. Called from either Modbus/TCP or Modbus RTU Dissector */
1490 dissect_modbus(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
1492 proto_tree *modbus_tree;
1495 int* packet_type = (int*)data;
1496 gint payload_start, payload_len, len;
1497 guint8 function_code, exception_code;
1499 /* Reject the packet if data passed from the mbrtu or mbtcp dissector is NULL */
1500 if (packet_type == NULL)
1503 len = tvb_captured_length(tvb);
1505 /* If the packet is zero-length, we should not attempt to dissect any further */
1509 /* Add items to protocol tree specific to Modbus */
1510 mi = proto_tree_add_protocol_format(tree, proto_modbus, tvb, offset, len, "Modbus");
1511 modbus_tree = proto_item_add_subtree(mi, ett_modbus_hdr);
1513 function_code = tvb_get_guint8(tvb, offset) & 0x7F;
1514 proto_tree_add_item(modbus_tree, hf_modbus_functioncode, tvb, offset, 1, ENC_BIG_ENDIAN);
1516 /* Conversation support */
1517 if (!pinfo->fd->flags.visited) {
1518 conversation_t *conversation = NULL;
1519 modbus_conversation *modbus_conv_data = NULL;
1521 /* Find a conversation, create a new if no one exists */
1522 conversation = find_or_create_conversation(pinfo);
1523 modbus_conv_data = (modbus_conversation *)conversation_get_proto_data(conversation, proto_modbus);
1525 if (modbus_conv_data == NULL){
1526 modbus_conv_data = wmem_new(wmem_file_scope(), modbus_conversation);
1527 modbus_conv_data->modbus_request_frame_data = wmem_list_new(wmem_file_scope());
1528 modbus_conv_data->register_format = global_mbus_register_format;
1529 conversation_add_proto_data(conversation, proto_modbus, (void *)modbus_conv_data);
1532 p_add_proto_data(wmem_file_scope(), pinfo, proto_modbus, 0, modbus_conv_data);
1534 if (*packet_type == QUERY_PACKET) {
1535 /*create the modbus_request frame. It holds the request information.*/
1536 modbus_request_info_t *frame_ptr = wmem_new(wmem_file_scope(), modbus_request_info_t);
1538 /* load information into the modbus request frame */
1539 frame_ptr->fnum = pinfo->num;
1540 frame_ptr->function_code = function_code;
1541 frame_ptr->base_address = tvb_get_ntohs(tvb, 1);
1542 frame_ptr->num_reg = tvb_get_ntohs(tvb, 3);
1544 wmem_list_prepend(modbus_conv_data->modbus_request_frame_data, frame_ptr);
1549 /* Find exception - last bit set in function code */
1550 if (tvb_get_guint8(tvb, offset) & 0x80 ) {
1551 exception_code = tvb_get_guint8(tvb, offset+1);
1557 payload_start = offset + 1;
1558 payload_len = len - 1;
1560 if (exception_code != 0) {
1561 proto_item_set_text(mi, "Function %u: %s. Exception: %s",
1563 val_to_str_const(function_code, function_code_vals, "Unknown Function"),
1564 val_to_str(exception_code,
1565 exception_code_vals,
1566 "Unknown Exception Code (%u)"));
1567 proto_tree_add_uint(modbus_tree, hf_modbus_exceptioncode, tvb, payload_start, 1,
1572 /* Follow different dissection path depending on whether packet is query or response */
1573 if (*packet_type == QUERY_PACKET) {
1574 dissect_modbus_request(tvb, pinfo, modbus_tree, function_code, payload_start, payload_len);
1576 else if (*packet_type == RESPONSE_PACKET) {
1577 dissect_modbus_response(tvb, pinfo, modbus_tree, function_code, payload_start, payload_len);
1582 return tvb_captured_length(tvb);
1586 apply_mbtcp_prefs(void)
1588 /* Modbus/RTU uses the port preference to determine request/response */
1589 pref_t *tcp_port = prefs_find_preference(prefs_find_module("mbtcp"), "tcp.port");
1590 pref_t *udp_port = prefs_find_preference(prefs_find_module("mbudp"), "udp.port");
1592 global_mbus_tcp_port = *tcp_port->varp.uint;
1593 global_mbus_udp_port = *udp_port->varp.uint;
1597 apply_mbrtu_prefs(void)
1599 /* Modbus/RTU uses the port preference to determine request/response */
1600 pref_t *rtu_tcp_port = prefs_find_preference(prefs_find_module("mbrtu"), "tcp.port");
1601 pref_t *rtu_udp_port = prefs_find_preference(prefs_find_module("mbrtu"), "udp.port");
1603 global_mbus_tcp_rtu_port = *rtu_tcp_port->varp.uint;
1604 global_mbus_udp_rtu_port = *rtu_udp_port->varp.uint;
1607 /* Register the protocol with Wireshark */
1609 proto_register_modbus(void)
1611 /* Modbus/TCP header fields */
1612 static hf_register_info mbtcp_hf[] = {
1613 { &hf_mbtcp_transid,
1614 { "Transaction Identifier", "mbtcp.trans_id",
1615 FT_UINT16, BASE_DEC, NULL, 0x0,
1619 { "Protocol Identifier", "mbtcp.prot_id",
1620 FT_UINT16, BASE_DEC, NULL, 0x0,
1624 { "Length", "mbtcp.len",
1625 FT_UINT16, BASE_DEC, NULL, 0x0,
1629 { "Unit Identifier", "mbtcp.unit_id",
1630 FT_UINT8, BASE_DEC, NULL, 0x0,
1635 static ei_register_info mbtcp_ei[] = {
1636 { &ei_mbtcp_cannot_classify,
1637 { "mbtcp.cannot_classify", PI_PROTOCOL, PI_WARN,
1638 "Cannot classify packet type. Try setting Modbus/TCP Port preference to this destination or source port", EXPFILL }
1642 /* Modbus RTU header fields */
1643 static hf_register_info mbrtu_hf[] = {
1645 { "Unit ID", "mbrtu.unit_id",
1646 FT_UINT8, BASE_DEC, NULL, 0x0,
1650 { "CRC-16", "mbrtu.crc16",
1651 FT_UINT16, BASE_HEX, NULL, 0x0,
1654 { &hf_mbrtu_crc16_status,
1655 { "CRC-16 Status", "mbrtu.crc16.status",
1656 FT_UINT8, BASE_NONE, VALS(proto_checksum_vals), 0x0,
1661 static ei_register_info mbrtu_ei[] = {
1662 { &ei_mbrtu_crc16_incorrect,
1663 { "mbrtu.crc16.incorrect", PI_CHECKSUM, PI_WARN,
1664 "Incorrect CRC", EXPFILL }
1668 /* Modbus header fields */
1669 static hf_register_info hf[] = {
1670 { &hf_modbus_request_frame,
1671 { "Request Frame", "modbus.request_frame",
1672 FT_FRAMENUM, BASE_NONE,
1676 { &hf_modbus_functioncode,
1677 { "Function Code", "modbus.func_code",
1678 FT_UINT8, BASE_DEC, VALS(function_code_vals), 0x7F,
1681 { &hf_modbus_reference,
1682 { "Reference Number", "modbus.reference_num",
1683 FT_UINT16, BASE_DEC, NULL, 0x0,
1686 { &hf_modbus_padding,
1687 { "Padding", "modbus.padding",
1688 FT_UINT8, BASE_HEX, NULL, 0x0,
1691 { &hf_modbus_lreference,
1692 { "Reference Number (32 bit)", "modbus.reference_num_32",
1693 FT_UINT32, BASE_DEC, NULL, 0x0,
1696 { &hf_modbus_reftype,
1697 { "Reference Type", "modbus.reference_type",
1698 FT_UINT8, BASE_DEC, NULL, 0x0,
1701 { &hf_modbus_readref,
1702 { "Read Reference Number", "modbus.read_reference_num",
1703 FT_UINT16, BASE_DEC, NULL, 0x0,
1706 { &hf_modbus_writeref,
1707 { "Write Reference Number", "modbus.write_reference_num",
1708 FT_UINT16, BASE_DEC, NULL, 0x0,
1711 { &hf_modbus_wordcnt,
1712 { "Word Count", "modbus.word_cnt",
1713 FT_UINT16, BASE_DEC, NULL, 0x0,
1716 { &hf_modbus_readwordcnt,
1717 { "Read Word Count", "modbus.read_word_cnt",
1718 FT_UINT16, BASE_DEC, NULL, 0x0,
1721 { &hf_modbus_writewordcnt,
1722 { "Write Word Count", "modbus.write_word_cnt",
1723 FT_UINT16, BASE_DEC, NULL, 0x0,
1726 { &hf_modbus_bitcnt,
1727 { "Bit Count", "modbus.bit_cnt",
1728 FT_UINT16, BASE_DEC, NULL, 0x0,
1731 { &hf_modbus_bytecnt,
1732 { "Byte Count", "modbus.byte_cnt",
1733 FT_UINT8, BASE_DEC, NULL, 0x0,
1736 { &hf_modbus_lbytecnt,
1737 { "Byte Count (16-bit)", "modbus.byte_cnt_16",
1738 FT_UINT8, BASE_DEC, NULL, 0x0,
1741 { &hf_modbus_exceptioncode,
1742 { "Exception Code", "modbus.exception_code",
1743 FT_UINT8, BASE_DEC, VALS(exception_code_vals), 0x0,
1746 { &hf_modbus_diag_sf,
1747 { "Diagnostic Code", "modbus.diagnostic_code",
1748 FT_UINT16, BASE_DEC, VALS(diagnostic_code_vals), 0x0,
1751 { &hf_modbus_diag_return_query_data_request,
1752 { "Request Data", "modbus.diagnostic.return_query_data.request",
1753 FT_BYTES, BASE_NONE, NULL, 0x0,
1756 { &hf_modbus_diag_return_query_data_echo,
1757 { "Echo Data", "modbus.diagnostic.return_query_data.echo",
1758 FT_BYTES, BASE_NONE, NULL, 0x0,
1761 { &hf_modbus_diag_restart_communication_option,
1762 { "Restart Communication Option", "modbus.diagnostic.restart_communication_option",
1763 FT_UINT16, BASE_HEX, VALS(diagnostic_restart_communication_option_vals), 0x0,
1766 { &hf_modbus_diag_return_diag_register,
1767 { "Diagnostic Register Contents", "modbus.diagnostic.return_diag_register",
1768 FT_UINT16, BASE_HEX, NULL, 0x0,
1771 { &hf_modbus_diag_ascii_input_delimiter,
1772 { "CHAR", "modbus.diagnostic.ascii_input_delimiter",
1773 FT_UINT8, BASE_HEX, NULL, 0x0,
1776 { &hf_modbus_diag_clear_ctr_diag_reg,
1777 { "Clear Counters & Diag Register Echo", "modbus.diagnostic.clear_ctr_diag_reg",
1778 FT_UINT16, BASE_DEC, NULL, 0x0,
1781 { &hf_modbus_diag_return_bus_message_count,
1782 { "Total Message Count", "modbus.diagnostic.bus_message_count",
1783 FT_UINT16, BASE_DEC, NULL, 0x0,
1786 { &hf_modbus_diag_return_bus_comm_error_count,
1787 { "CRC Error Count", "modbus.diagnostic.bus_comm_error_count",
1788 FT_UINT16, BASE_DEC, NULL, 0x0,
1791 { &hf_modbus_diag_return_bus_exception_error_count,
1792 { "Exception Error Count", "modbus.diagnostic.bus_exception_error_count",
1793 FT_UINT16, BASE_DEC, NULL, 0x0,
1796 { &hf_modbus_diag_return_slave_message_count,
1797 { "Slave Message Count", "modbus.diagnostic.slave_message_count",
1798 FT_UINT16, BASE_DEC, NULL, 0x0,
1801 { &hf_modbus_diag_return_no_slave_response_count,
1802 { "Slave No Response Count", "modbus.diagnostic.no_slave_response_count",
1803 FT_UINT16, BASE_DEC, NULL, 0x0,
1806 { &hf_modbus_diag_return_slave_nak_count,
1807 { "Slave NAK Count", "modbus.diagnostic.slave_nak_count",
1808 FT_UINT16, BASE_DEC, NULL, 0x0,
1811 { &hf_modbus_diag_return_slave_busy_count,
1812 { "Slave Device Busy Count", "modbus.diagnostic.slave_busy_count",
1813 FT_UINT16, BASE_DEC, NULL, 0x0,
1816 { &hf_modbus_diag_return_bus_char_overrun_count,
1817 { "Slave Character Overrun Count", "modbus.diagnostic.bus_char_overrun_count",
1818 FT_UINT16, BASE_DEC, NULL, 0x0,
1821 { &hf_modbus_status,
1822 { "Status", "modbus.ev_status",
1823 FT_UINT16, BASE_HEX, NULL, 0x0,
1827 { "Event", "modbus.event",
1828 FT_UINT8, BASE_DEC, NULL, 0x0,
1831 { &hf_modbus_event_count,
1832 { "Event Count", "modbus.ev_count",
1833 FT_UINT16, BASE_DEC, NULL, 0x0,
1836 { &hf_modbus_message_count,
1837 { "Message Count", "modbus.ev_msg_count",
1838 FT_UINT16, BASE_DEC, NULL, 0x0,
1841 { &hf_modbus_event_recv_comm_err,
1842 { "Communication Error", "modbus.ev_recv_comm_err",
1843 FT_UINT8, BASE_DEC, NULL, 0x02,
1846 { &hf_modbus_event_recv_char_over,
1847 { "Character Overrun", "modbus.ev_recv_char_over",
1848 FT_UINT8, BASE_DEC, NULL, 0x10,
1851 { &hf_modbus_event_recv_lo_mode,
1852 { "Currently in Listen Only Mode", "modbus.ev_recv_lo_mode",
1853 FT_UINT8, BASE_DEC, NULL, 0x20,
1856 { &hf_modbus_event_recv_broadcast,
1857 { "Broadcast Received", "modbus.ev_recv_broadcast",
1858 FT_UINT8, BASE_DEC, NULL, 0x40,
1861 { &hf_modbus_event_send_read_ex,
1862 { "Read Exception Sent", "modbus.ev_send_read_ex",
1863 FT_UINT8, BASE_DEC, NULL, 0x01,
1866 { &hf_modbus_event_send_slave_abort_ex,
1867 { "Slave Abort Exception Sent", "modbus.ev_send_slave_abort_ex",
1868 FT_UINT8, BASE_DEC, NULL, 0x02,
1871 { &hf_modbus_event_send_slave_busy_ex,
1872 { "Slave Busy Exception Sent", "modbus.ev_send_slave_busy_ex",
1873 FT_UINT8, BASE_DEC, NULL, 0x04,
1876 { &hf_modbus_event_send_slave_nak_ex,
1877 { "Slave Program NAK Exception Sent", "modbus.ev_send_slave_nak_ex",
1878 FT_UINT8, BASE_DEC, NULL, 0x08,
1881 { &hf_modbus_event_send_write_timeout,
1882 { "Write Timeout Error Occurred", "modbus.ev_send_write_timeout",
1883 FT_UINT8, BASE_DEC, NULL, 0x10,
1886 { &hf_modbus_event_send_lo_mode,
1887 { "Currently in Listen Only Mode", "modbus.ev_send_lo_mode",
1888 FT_UINT8, BASE_DEC, NULL, 0x20,
1891 { &hf_modbus_andmask,
1892 { "AND mask", "modbus.and_mask",
1893 FT_UINT16, BASE_HEX, NULL, 0x0,
1896 { &hf_modbus_ormask,
1897 { "OR mask", "modbus.or_mask",
1898 FT_UINT16, BASE_HEX, NULL, 0x0,
1902 { "Data", "modbus.data",
1903 FT_BYTES, BASE_NONE, NULL, 0x0, NULL, HFILL }
1906 { "MEI type", "modbus.mei",
1907 FT_UINT8, BASE_DEC, VALS(encap_interface_code_vals), 0x0,
1910 { &hf_modbus_read_device_id,
1911 { "Read Device ID", "modbus.read_device_id",
1912 FT_UINT8, BASE_DEC, VALS(read_device_id_vals), 0x0,
1915 { &hf_modbus_object_id,
1916 { "Object ID", "modbus.object_id",
1917 FT_UINT8, BASE_DEC, VALS(object_id_vals), 0x0,
1920 { &hf_modbus_num_objects,
1921 { "Number of Objects", "modbus.num_objects",
1922 FT_UINT8, BASE_DEC, NULL, 0x0,
1925 { &hf_modbus_list_object_len,
1926 { "Object length", "modbus.objects_len",
1927 FT_UINT8, BASE_DEC, NULL, 0x0,
1930 { &hf_modbus_conformity_level,
1931 { "Conformity Level", "modbus.conformity_level",
1932 FT_UINT8, BASE_HEX, VALS(conformity_level_vals), 0x0,
1935 { &hf_modbus_more_follows,
1936 { "More Follows", "modbus.more_follows",
1937 FT_UINT8, BASE_HEX, NULL, 0x0,
1940 { &hf_modbus_next_object_id,
1941 { "Next Object ID", "modbus.next_object_id",
1942 FT_UINT8, BASE_DEC, NULL, 0x0,
1945 { &hf_modbus_object_str_value,
1946 { "Object String Value", "modbus.object_str_value",
1947 FT_STRING, BASE_NONE, NULL, 0x0,
1950 { &hf_modbus_object_value,
1951 { "Object Value", "modbus.object_value",
1952 FT_BYTES, BASE_NONE, NULL, 0x0,
1956 { "Register Value (16-bit)", "modbus.reg16",
1957 FT_UINT16, BASE_DEC, NULL, 0x0,
1961 { "Register Value (32-bit)", "modbus.reg32",
1962 FT_UINT32, BASE_DEC, NULL, 0x0,
1967 /* Setup protocol subtree array */
1968 static gint *ett[] = {
1976 &ett_device_id_objects,
1977 &ett_device_id_object_items
1980 static ei_register_info ei[] = {
1981 { &ei_modbus_data_decode,
1982 { "modbus.data.decode", PI_PROTOCOL, PI_WARN,
1983 "Invalid decoding options, register data not a multiple of 4!", EXPFILL }
1986 module_t *mbtcp_module;
1987 module_t *mbrtu_module;
1988 module_t *modbus_module;
1989 expert_module_t* expert_mbtcp;
1990 expert_module_t* expert_mbrtu;
1991 expert_module_t* expert_modbus;
1993 /* Register the protocol name and description */
1994 proto_mbtcp = proto_register_protocol("Modbus/TCP", "Modbus/TCP", "mbtcp");
1995 proto_mbudp = proto_register_protocol("Modbus/UDP", "Modbus/UDP", "mbudp");
1996 proto_mbrtu = proto_register_protocol("Modbus RTU", "Modbus RTU", "mbrtu");
1997 proto_modbus = proto_register_protocol("Modbus", "Modbus", "modbus");
1999 /* Registering protocol to be called by another dissector */
2000 modbus_handle = register_dissector("modbus", dissect_modbus, proto_modbus);
2001 mbtcp_handle = register_dissector("mbtcp", dissect_mbtcp, proto_mbtcp);
2002 mbrtu_handle = register_dissector("mbrtu", dissect_mbrtu, proto_mbrtu);
2003 mbudp_handle = register_dissector("mbudp", dissect_mbudp, proto_mbudp);
2005 /* Registering subdissectors table */
2006 modbus_data_dissector_table = register_dissector_table("modbus.data", "Modbus Data", proto_modbus, FT_STRING, BASE_NONE);
2007 modbus_dissector_table = register_dissector_table("mbtcp.prot_id", "Modbus/TCP protocol identifier", proto_mbtcp, FT_UINT16, BASE_DEC);
2009 /* Required function calls to register the header fields and subtrees used */
2010 proto_register_field_array(proto_mbtcp, mbtcp_hf, array_length(mbtcp_hf));
2011 proto_register_field_array(proto_mbrtu, mbrtu_hf, array_length(mbrtu_hf));
2012 proto_register_field_array(proto_modbus, hf, array_length(hf));
2013 proto_register_subtree_array(ett, array_length(ett));
2014 expert_mbtcp = expert_register_protocol(proto_mbtcp);
2015 expert_register_field_array(expert_mbtcp, mbtcp_ei, array_length(mbtcp_ei));
2016 expert_mbrtu = expert_register_protocol(proto_mbrtu);
2017 expert_register_field_array(expert_mbrtu, mbrtu_ei, array_length(mbrtu_ei));
2018 expert_modbus = expert_register_protocol(proto_modbus);
2019 expert_register_field_array(expert_modbus, ei, array_length(ei));
2022 /* Register required preferences for Modbus Protocol variants */
2023 mbtcp_module = prefs_register_protocol(proto_mbtcp, apply_mbtcp_prefs);
2024 mbrtu_module = prefs_register_protocol(proto_mbrtu, apply_mbrtu_prefs);
2025 modbus_module = prefs_register_protocol(proto_modbus, NULL);
2027 /* Modbus RTU Preference - Desegment, defaults to TRUE for TCP desegmentation */
2028 prefs_register_bool_preference(mbtcp_module, "desegment",
2029 "Desegment all Modbus RTU packets spanning multiple TCP segments",
2030 "Whether the Modbus RTU dissector should desegment all messages spanning multiple TCP segments",
2033 /* Modbus RTU Preference - Desegment, defaults to TRUE for TCP desegmentation */
2034 prefs_register_bool_preference(mbrtu_module, "desegment",
2035 "Desegment all Modbus RTU packets spanning multiple TCP segments",
2036 "Whether the Modbus RTU dissector should desegment all messages spanning multiple TCP segments",
2039 /* Modbus RTU Preference - CRC verification, defaults to FALSE (no verification)*/
2040 prefs_register_bool_preference(mbrtu_module, "crc_verification",
2042 "Whether to validate the CRC",
2045 /* Modbus Preference - Holding/Input Register format, this allows for deeper dissection of response data */
2046 prefs_register_enum_preference(modbus_module, "mbus_register_format",
2047 "Holding/Input Register Format",
2049 &global_mbus_register_format,
2050 mbus_register_format,
2053 /* Obsolete Preferences */
2054 prefs_register_obsolete_preference(mbtcp_module, "mbus_register_addr_type");
2055 prefs_register_obsolete_preference(mbtcp_module, "mbus_register_format");
2056 prefs_register_obsolete_preference(mbrtu_module, "mbus_register_addr_type");
2057 prefs_register_obsolete_preference(mbrtu_module, "mbus_register_format");
2062 /* If this dissector uses sub-dissector registration add a registration routine.
2063 This format is required because a script is used to find these routines and
2064 create the code that calls these routines.
2067 proto_reg_handoff_mbtcp(void)
2069 dissector_add_uint_with_preference("tcp.port", PORT_MBTCP, mbtcp_handle);
2070 dissector_add_uint_with_preference("udp.port", PORT_MBTCP, mbudp_handle);
2072 dissector_add_uint("mbtcp.prot_id", MODBUS_PROTOCOL_ID, modbus_handle);
2077 proto_reg_handoff_mbrtu(void)
2079 dissector_handle_t mbrtu_udp_handle = create_dissector_handle(dissect_mbrtu_udp, proto_mbrtu);
2081 /* Make sure to use Modbus RTU Preferences field to determine default TCP port */
2082 dissector_add_for_decode_as_with_preference("udp.port", mbrtu_udp_handle);
2083 dissector_add_for_decode_as_with_preference("tcp.port", mbrtu_handle);
2085 dissector_add_uint("mbtcp.prot_id", MODBUS_PROTOCOL_ID, modbus_handle);
2086 dissector_add_for_decode_as("rtacser.data", mbrtu_handle);
2096 * indent-tabs-mode: nil
2099 * ex: set shiftwidth=4 tabstop=8 expandtab:
2100 * :indentSize=4:tabSize=8:noTabs=true:
git.samba.org / metze / wireshark / wip.git / blob