monitoring tcp traffic between 2 modbus devices


Mikey

I've got a small network setup at a customer site: wireless modem, linksys router, and then a modbus controller with 3 slaves. One of the slaves is not communicating with the master - no response is the error code I get on the master. I have used a modbus tcp/ip tool and have verified that the slave is transmitting the data, so I suspect the controller.

What I'd like to do is connect my laptop again as a node, and just watch the traffic between my controller's attempted queries (like a 3rd party observer) to try and pinpoint the problem. Are there any software tools out there that can do that (ie monitor traffic between other devices, NOT have your pc simulate master and or slave). I've tried wireshark, but I can only seem to get it to read traffic to and from my laptop.
 
A useful tool to diagnose problems on Ethernet networks is Wireshark (formerly Ethereal, see http://www.wireshark.org/). It will allow you to see requests, responses, and data within these messages.

In order to connect your laptop as a node and see this traffic, you may need some extra hardware. Remember that Ethernet switches segment traffic, so even if you connect your laptop to the switch ports on the router, you won't see unicast (point-to-point) traffic of other devices.

You'll need to find an Ethernet "hub" or a "managed" switch that supports "port mirroring". This will let you eavesdrop on the connected devices.

Paul...
 
Paul,
Thanks for the reply. I've got a Sixnet managed remote access switch that I am connecting on the lan as well. I configured the port mirroring, but I still can't see the traffic. Am I missing something else? I've tried wireshark with promiscuous mode both on and off, no luck. Very frustrating.....

-Mike
 
from first post:
>I have used a modbus tcp/ip tool and have verified that the slave is transmitting the data, so I suspect the controller. <

from second post:
>I've got a Sixnet managed remote access switch that I am connecting on the lan as well. I configured the port mirroring, but I still can't see the traffic. <

Those are contradictory statements. You can either see a slave response, or not. What did you use to see the slave response? What did the response look like?

When you used the other tools, were you unable to see any traffic or just a lack of message response from slave in question?

Using the other tools, could you see responses from functioning slaves?

Carl
 
> I've got a Sixnet managed remote access switch that I am connecting on the lan as well. I configured the port mirroring, but I still can't see the traffic. Am I missing something else? <

First, make sure you've set up port mirroring properly. You'll need to select which port(s) you would like to listen to, and which port you would like to monitor on. I would suggest that you monitor Tx/Rx on your Modbus/TCP slave, and then connect your laptop/PC to the monitoring port.

As for Wireshark. If this is your first time using it, try some packet captures with your laptop/PC connected to other devices, to make sure you have it working. If you have multiple network adapters on your laptop/PC, like wired and wireless, make sure you're selecting the right interface. Also, there is a lot of great information on the wireshark.org site.

Paul...
 
Let me clarify a little. I cannot get my modbus master to communicate with the slave, but when I connect my laptop as a node on the same lan and run one of those modbus tcp tools, I can read/write to the slave no problem.

I'm trying to watch the communications (or lack thereof) between the master and slave, to try and understand why the slave is not responding to the master (error message is no response), when it does respond to my own prompts from my laptop.

I have since ordered some hardware to test out. It's called a barracudatap. Not sure how this will perform.
 
So, the 3rd slave is responding to the Modbus master tool, but not to the customer's Modbus master field client.

Hmmm. If the slave hears its slave ID it should return a response, even if it's an error code. If your Modbus tool can get a response, why can't the customer's master?

Does the customer's Modbus master display or indicate Modbus error codes? Could the command from the master be 'incorrect' for whatever reason and the slave is returning an error that is not evident?

You've checked the query statement in the customer's Modbus master and confirmed that the slave address is correct? The command function is legitimate?

How are you tying in your Modbus tool PC on the LAN? Same switch as the customer Modbus master is connected to? Or into a switch next to the slave? Is the cabling between the customer master and the 3rd slave used in your master tool test?

Are all devices (Modbus master, 3 slaves and temporary PC) on the same subnet? 192.168.x.xxx? (or whatever . . )

What subnet mask is used on the master and slaves?

Is this 3rd slave separated from the master by a router? A managed switch?

Are all 3 slaves identical devices or different devices?

Carl
 
Does the 3rd slave have Modbus TCP natively or is its comm port serial Modbus RTU connected to the LAN through a serial server?

Carl
 
Carl,
Thanks for your reply and questions.
"Hmmm. If the slave hears its slave ID it should return a response, even if it's an error code. If your Modbus tool can get a response, why can't the customer's master?"

This is the million dollar question and why I am pulling out the scarce amount of hair I have.

The master does not display any error messages, other than no response.

I have confirmed all IP addresses are correct in the setup of the modbus calls. All addresses are 192.168.1.xxx, and my netmask is 255.255.255.0

The slaves are all different devices.

Now, I've gone on a bit of a tangent in my troubleshooting. I am attempting to set up a "network analyzer" at my office so that I can use this on site to try and capture the queries from the master to see how it is different from the queries from the modbus tool that I successfully use from my laptop.

Here is my office setup: Modbus master (same device as used in the field), one slave (different from the field slave, but a known communicator to the master), and my laptop all connected to an ethernet hub. No router, no WAN, just a simple setup. I have confirmed the master and slave are communicating via modbus tcp on the hub, as I am able to open a browser (being on the hub as well) and can see the communications. I start up wireshark, and I get no information from the master or slave. The frustrating thing is, if I launch my modbus tcp tool and communicate to either modbus device, wireshark captures everything. Why is it it will capture modbus communications when it involves my pc, but not from the other devices???

I do not understand why I cannot capture the traffic between the 2 devices in this setup.

If my boss knew how much time I'd spent on this, I think I'd be cleaning out my desk. But I can't turn back now, this has really gotten under my skin...



 
> The frustrating thing is, if I launch my modbus tcp tool and communicate to either modbus device, wireshark captures everything. Why is it it will capture modbus communications when it involves my pc, but not from the other devices??? <

Mikey -
If you're only seeing communications to/from your PC, and cannot see the other devices attached to your "hub", it is most likely because your "hub" is really a "switch". Often people use the term interchangeably, but there is a big difference.

With a hub, traffic to/from any attached device, will be seen on any other port. While, with a switch there is logic to limit traffic between only respective devices. So, if you have your PC, Modbus/TCP master and slave plugged into the same switch, and it is not a managed switch with port mirroring configured, your PC will not see traffic between the Modbus/TCP master and slave.

Btw: The barracudatap that you mention appears to be just a 4-port Ethernet hub.

Paul...
 
Paul,

I'm pretty sure it is a hub but I could be wrong. The device is a netgear en104tp. I bought it used from an on-line classifieds. Here's the link to its advertisement--> http://toronto.kijiji.ca/c-buy-and-...etgear-4-port-Ethernet-Hub-W0QQAdIdZ115753945


I'm thinking I have something wrong with my wireshark setup. Because I've tried this same setup with a managed switch that has port mirroring (sixnet), as well as the barracudatap (interesting observation about it, by the way). In every case I've had the same results: cannot see the master poll or the slave respond.

I've looked at the obvious settings in wireshark, ie make sure I've selected the correct interface, tried with/without promiscuous, no filters...is there something else I may be obviously missing??

I've even tried a few other free network analyzers, with the same results.

Not sure what to do next...
 
Most likely caused by timing settings. I would verify the Slave "Turnaround Time" setting for this particular Slave. It could be set to 0 (Zero), meaning it is responding too fast for the Host to finish its poll, done THEN get the starting byte. The other timing issue could be a Host "Timeout" IF THIS particular Slave is transmitting an unusually long message. In this case increase the Host "No Response Timeout" to a longer time.
 
Gustavo A. Valero P.

Hi,

I have some little questions and a suggestion in order to solve your problem:

Questions:

1) What if you connect only the 3rd modbus slave (the one with problems) to the master modbus? Is your controller able to read it with no problem?

I mean, disconnect the other 2 slaves from your LAN, keep only the master and the 3rd slave (the one that is not responding) connected, and try to read data from it. Can you see data without problems from your controller?

2) If so, connect the other slaves one by one and try to read them from controller.
a) Do you have problems reading the 3rd slave now?
b) Do you have problems reading any slave when you have already connected 3 slave devices to your LAN? If so, the problem seems to be that your controller is not able to open/support 3 Modbus TCP connections at the same time.

Months ago I had a similar problem, but I was using an I/O concentrator which worked as Master/Slave device simultaneously (Sixnet brand), and sometimes trying to read/write it was impossible when 2-3 devices tried to access it. By default, its TCP ports are set to 2 (2 ports per every Modbus TCP connection) and when I changed it and set it to 6 all mysteries and problems disappeared.

Maybe it isn't your problem exactly, but it could help you to find other causes associated with your trouble.

Good luck.

Saludos.

Gustavo A. Valero P.


 
Gents,
Thanks for your input. I wasn't aware you can change timing settings in modbus tcp queries/responses. I thought this was dictated by the tcp protocol. I'll look into this a bit more.

Gustavo - I tried your suggestion, but no luck.

On the plus side, I am now able to read the modbus traffic (at my office) between a different master and slave. I brought in my personal home laptop and connected it to the hub setup. I was seeing all of the queries and responses between the modbus devices. My only conclusion is that my work laptop has some IT induced filters or barriers that I could not bypass.

Next step is to bring my hub and home laptop to the field, and monitor the traffic from the master and non responsive slave. I'll post back once I've had a chance to analyze the data.
 
Problem resolved. I went back to the field with my ethernet hub and laptop and ran wireshark. It turns out there is an error in the master when only looking for one register (all other devices being polled are looking for multiple registers). As soon as I polled more than one register, everything worked. The Master device manufacturer has told me they will fix the issue.

Thanks again to all for their help!
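
The comparison done by eye in Wireshark above (which master polls get a reply, and what each poll asks for) can also be scripted. The following is an added example, not part of the thread: `parse_adu`, `audit` and the sample bytes are hypothetical names and constructed data, and it assumes the Modbus/TCP payloads have already been pulled out of a capture taken on a hub or mirror port, one ADU per TCP segment.

```python
import struct

READ_FUNCS = {1, 2, 3, 4}  # coils, discrete inputs, holding and input registers

def parse_adu(data: bytes) -> dict:
    """Decode one Modbus/TCP ADU: 7-byte MBAP header, function code, data."""
    if len(data) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0")
    if length != len(data) - 6:  # length field counts unit id + PDU
        raise ValueError(f"MBAP length {length}, but {len(data) - 6} bytes follow")
    return {"tid": tid, "unit": unit, "func": data[7], "body": data[8:]}

def audit(frames):
    """frames: (sender, payload) in capture order; sender is 'master' or 'slave'."""
    pending, findings = {}, []
    for sender, raw in frames:
        try:
            adu = parse_adu(raw)
        except ValueError as exc:
            findings.append(f"{sender}: malformed frame ({exc})")
            continue
        key = (adu["tid"], adu["unit"])  # a reply echoes both fields
        if sender == "master":
            if adu["func"] in READ_FUNCS and len(adu["body"]) == 4:
                adu["start"], adu["quantity"] = struct.unpack(">HH", adu["body"])
            pending[key] = adu
        elif key in pending:
            req = pending.pop(key)
            if adu["func"] & 0x80:  # high bit set: exception response
                findings.append(f"tid {key[0]}: exception code "
                                f"{adu['body'][:1].hex()} to function {req['func']}")
    for (tid, unit), req in pending.items():
        findings.append(f"tid {tid}: no response from unit {unit} to function "
                        f"{req['func']} start={req.get('start')} "
                        f"quantity={req.get('quantity')}")
    return findings

# Constructed TCP payloads (not the thread's capture): three polls, two replies.
SAMPLE = [
    ("master", bytes.fromhex("000100000006010300000004")),
    ("slave", bytes.fromhex("00010000000b0103080001000200030004")),
    ("master", bytes.fromhex("000200000006010300100001")),
    ("master", bytes.fromhex("0003000000060103000000c8")),
    ("slave", bytes.fromhex("000300000003018303")),
]
```

Running `audit(SAMPLE)` lists the exception reply to transaction 3 and the unanswered single-register poll in transaction 2; the same report on a field capture shows which request shapes the slave never answers.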
 