It is one of the func code in modbus/tcp protocol used by client or master device to query server or client device. Client devices can be serial line devices which responds back with one of the sub function code as stated in the below link Page 22
Hey - I had found that post which is why I had been wondering if you have a pcap.
I did just run into this pcap and filtering with “modbus.func_code == 8” shows a few request/responses.
We likely can’t use that pcap in the testing suite, so if you have smaller traffic samples that you can share and allow us to include that would be very helpful.
EDIT: This is the same pcap we have in testing/ in the Zeek repo, so we have testing data.
Feel free to open a GitHub issue with the request.
Hi,
Besides getting function and sub function code,( func code 0x8 and func code 0x2B has sub function code support)
we may need to support the way to get pdu length in case of read file record ( func code 0x14)
MBAP(modbus applucation PDU) header’s transaction ID, data length, execution code, address if any etc.
There should be support extracting delimeter from PDU in case of func code 0x8 and sub function code 0x01
For file related access ( read or write), we need to extract File number, therefore if we know the function code, there should be option to get all possible values it returns alongside . ( eg.
If FC == 43 and sub FC == 14 :
Source address = extract from PDU)