How to Read Modbus Protocol Using Wireshark
By Matthew Loong
What is Modbus?
Modbus was first published in 1979 by Modicon (the company that sold the very first PLC). Modicon has since been bought by Schneider Electric, which continues to develop the protocol. It is one of the most popular industrial protocols in the world today.
There are three main varieties of Modbus: Modbus RTU, Modbus ASCII and Modbus TCP. The first two are serial protocols, which means they are primarily used on asynchronous data lines such as RS-232 and RS-485, whereas Modbus TCP is used primarily on Ethernet networks. I have created a table below to summarize the main differences between serial fieldbus and industrial Ethernet.
The respective frame formats of Modbus TCP and Modbus RTU can be seen below. A Modbus RTU frame starts with the slave ID; Modbus is a master/slave protocol, which means the designated master device polls the slave device(s) for data and the slave device(s) respond. The slave ID is followed by a function code; a table of function codes can also be seen below. Broadly, coils are reserved for discrete inputs and outputs (bits), while registers are reserved for analog inputs and outputs (words, 1 word = 16 bits). After that come the data payload and a cyclic redundancy check (CRC), which acts like a checksum. Modbus TCP has an additional Modbus Application Protocol (MBAP) header before the frame is encapsulated in TCP/IP. The transaction ID is set by the master, the protocol ID is always 00 00 for Modbus, the length is the number of bytes that follow, and the unit ID identifies the device that the master is polling.
Source: IPC2U
In this article, we will examine a packet capture of Modbus TCP communication.
Packet Analysis Using Wireshark
Setting Up
The pcap file used for this article can be downloaded from the link below.
1. First Poll from Master to Slave
From the screenshot above, we can see that the master's IP address is 192.168.110.131 while the slave's IP address is 192.168.110.138. The master communicates from TCP source port 2074 to destination port 502 (the port designated for Modbus TCP). We can also see the SEQ and ACK numbers of each packet.
In the first packet, we can see that the master polls a slave with unit ID of 1 to read the holding register with reference number 1.
2. First Reply from Slave to Master
In the second packet, the slave replies to the master that the value in register 1 is 0. This value can represent operational information such as pressure, current, voltage, temperature, or any other analog data.
3. Second Poll from Master to Slave
In the third packet, the master consecutively polls the same slave, this time to read the holding register with reference number 0.
4. Second Reply from Slave to Master
In the fourth packet, the slave replies to the master, this time the value in register 0 is 16840 (hex 41c8).
This polling cycle repeats every second.
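To tie the frame format described earlier to the four packets walked through above, here is a small Modbus TCP decoder added for this article (it is not part of the original post and not Wireshark's dissector). It validates the MBAP header, decodes Read Holding Registers requests and responses, flags exception responses, and runs over constructed byte strings mirroring the capture; the transaction IDs are assumed, since the page does not state them.

```python
import struct

# Function codes from the table on the page (subset relevant to the capture)
FUNCTION_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers",
                  5: "Write Single Coil", 6: "Write Single Register",
                  15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(adu, is_request):
    """Decode one Modbus TCP ADU (MBAP header + PDU) taken from the TCP payload."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError("protocol ID %d is not Modbus (must be 0)" % pid)
    # MBAP length counts the unit ID and everything after it
    if length != len(adu) - 6:
        raise ValueError("MBAP length %d disagrees with %d payload bytes" % (length, len(adu) - 6))
    fc, pdu = adu[7], adu[8:]
    msg = {"transaction_id": tid, "unit_id": unit, "function_code": fc,
           "function": FUNCTION_NAMES.get(fc & 0x7F, "unknown")}
    if fc & 0x80:                      # exception: request code with high bit set
        msg["exception"] = pdu[0]
        return msg
    if fc in (3, 4):                   # read holding / input registers
        if is_request:
            msg["start_address"], msg["quantity"] = struct.unpack(">HH", pdu[:4])
        else:
            n = pdu[0]                 # byte count preceding the register data
            if n != len(pdu) - 1 or n % 2:
                raise ValueError("byte count does not match register data")
            msg["registers"] = list(struct.unpack(">%dH" % (n // 2), pdu[1:]))
    return msg

# Constructed sample mirroring the four packets in the capture (transaction
# IDs are assumed; the page does not state them).
SAMPLE_CAPTURE = [
    (True,  bytes.fromhex("000100000006 01 03 0001 0001")),  # poll register 1
    (False, bytes.fromhex("000100000005 01 03 02 0000")),     # reply: value 0
    (True,  bytes.fromhex("000200000006 01 03 0000 0001")),  # poll register 0
    (False, bytes.fromhex("000200000005 01 03 02 41c8")),     # reply: 0x41c8 = 16840
]

def decode_capture(capture=SAMPLE_CAPTURE):
    """Decode each (is_request, adu) pair; returns the parsed messages in order."""
    return [parse_modbus_tcp(adu, is_req) for is_req, adu in capture]

if __name__ == "__main__":
    for m in decode_capture():
        print(m)
```

The length and protocol-ID checks are the same fields a monitoring tool would verify first; a frame that fails them is malformed rather than Modbus, which is worth an alert on its own.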
Cyber Security Implications
It is important for cyber security personnel protecting OT systems to have a good understanding of ICS protocols such as Modbus. This enables them to identify anomalous behaviors or malicious packets embedded in otherwise normal traffic. In fact, machine learning and artificial intelligence can be leveraged to notify the operator if there are any unusual patterns in polling time intervals, the slave that the master is polling, the register being read or the data itself.
Another concern about traditional ICS protocols is that all information, from the device ID, to the function code, to the payload, is in cleartext for anyone with a parser to see. Similarly, if an attacker wants to spoof communication or conduct a replay attack, he can do so without authentication. Furthermore, although there is now Secure Modbus with encryption, it is only available for Modbus TCP, and it is not yet widely adopted, especially by legacy serial communication systems. With digitalization, ICS will become more interconnected and open. Hence, these are gaps that we as part of the ICS community need to improve on.
Electronic Engineer | Electrical Engineer | Electromechanical Technician | MV & LV Inverter Technology
8 months ago: Awesome! direct to favourites ;)
Senior Vice President, Information Security Division
4 years ago: Thanks for the write-up Matthew. Took me back in my o n g security days. Just came across this and very insightful!