Parsing Modbus packet with Function code 15

Vishak_Muthukumar · May 14, 2014, 10:08am

Hi,

I am having a problem in parsing the modbus packet with function code 15.

I have a trace file which has a write request to write to coil 0.

But when I monitor that trace file in my bro script, I cannot see the coil value. It says the size of the coil vector is empty.

The command I use to run the bro script is -

PREFIX/bin/bro -C -r

I checked the tracefile in the wireshark to make sure that the packets have the coil data.

I have attached the trace file and the bro script.

Thanks

trace (3.09 KB)

write_multiple.bro (1003 Bytes)

robin · May 14, 2014, 2:40pm

Iirc, the analyzer doesn't further extract coil values yet.

Robin

Seth_Hall3 · May 14, 2014, 4:24pm

I was unable to find traffic that dealt with coils so I left that out. Most of the infrastructure is in place however. Vishak, can we use the traffic you submitted in our test suite if it works out when we look at it?

.Seth

Vishak_Muthukumar · May 14, 2014, 4:40pm

Hi Seth Hall,

Sure, please go ahead and use the traffic.

Thanks for your quick responses.

Vishak

Hui_Lin · May 14, 2014, 4:54pm

Hi Seth,

If we want to extract the value such as coil value from Modbus analyzer, do we need to redeclare the event handler included in event.bif? I saw that you use the “this” pointer to represent the whole payload message. I might need to use the Modbus analyzer in another project later.

Thanks,

Best,

Hui Lin

Topic		Replies	Views
Modbus protocol event handler for Bro Zeek	2	72	May 6, 2022
Bro - File Extraction Zeek	2	73	May 6, 2022
Bug analyzing trace with payload stripped Zeek	1	69	May 6, 2022
Modbus protocol event handler for Bro Zeek	2	74	May 6, 2022
Partial tcpdump traces Zeek	2	58	May 6, 2022

Parsing Modbus packet with Function code 15

Related Topics