Modbus parser enhancement


As per Modbus Application Protocol Specification V1.1b3, there is a Force Listen Only Mode,

In this case there will be function code and sub function code. This mode is used for diagnostics purposes by the master.

This field support is missing in zeek.

I have checked that it is there in suricata modbus parser.

Any specific reason for not supporting it here in zeek? It will be helpful if zeek can add this in its parser and expose it as an event.

There are few more fields which are missing here in zeek modbus parser, I will update those in this thread .

@awelzel if you get time please look into this.


Looking at the spec, it says “08 (0x08) Diagnostics (Serial Line only)”. Guess the assumption was that isn’t seen over TCP/IP.

Do you have a pcap with function code 8 being used over TCP/IP that you could share?

Hi @awelzel ,
Please refer [Func code 0x8] (networking - Interpreting Response for Modbus/TCP function code 0x08 Diagnostics - Reverse Engineering Stack Exchange) for details.

It is one of the func code in modbus/tcp protocol used by client or master device to query server or client device. Client devices can be serial line devices which responds back with one of the sub function code as stated in the below link Page 22


Hey - I had found that post which is why I had been wondering if you have a pcap.

I did just run into this pcap and filtering with “modbus.func_code == 8” shows a few request/responses.

We likely can’t use that pcap in the testing suite, so if you have smaller traffic samples that you can share and allow us to include that would be very helpful.

EDIT: This is the same pcap we have in testing/ in the Zeek repo, so we have testing data.

Feel free to open a GitHub issue with the request.


1 Like

Besides getting function and sub function code,( func code 0x8 and func code 0x2B has sub function code support)

  1. we may need to support the way to get pdu length in case of read file record ( func code 0x14)

  2. MBAP(modbus applucation PDU) header’s transaction ID, data length, execution code, address if any etc.

  3. There should be support extracting delimeter from PDU in case of func code 0x8 and sub function code 0x01

  4. For file related access ( read or write), we need to extract File number, therefore if we know the function code, there should be option to get all possible values it returns alongside . ( eg.
    If FC == 43 and sub FC == 14 :
    Source address = extract from PDU)