[Wireshark-bugs] [Bug 15698] New: [Modbus] Wrong register number shown in responses

Mon, 15 Apr 2019 19:11:39 -0700 

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15698

            Bug ID: 15698
           Summary: [Modbus] Wrong register number shown in responses
           Product: Wireshark
           Version: 3.0.0
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: Minor
          Priority: Low
         Component: Dissection engine (libwireshark)
          Assignee: bugzilla-ad...@wireshark.org
          Reporter: adam.wiresh...@shikadi.net
  Target Milestone: ---

Created attachment 17054
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17054&action=edit
Example packet capture

Build Information:
Compiled (64-bit) with Qt 5.12.2, with libpcap, with POSIX capabilities
(Linux), with libnl 3, with GLib 2.60.0, with zlib 1.2.11, without SMI, with
c-ares 1.15.0, with Lua 5.2.4, with GnuTLS 3.6.6 and PKCS #11 support, with
Gcrypt 1.8.4, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.36.0,
with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with SBC, with
SpanDSP, with bcg729. 
Running on Linux 4.17.12-arch1-1-ARCH, with Intel(R) Xeon(R) CPU E5-2665 0 @
2.40GHz (with SSE4.2), with 15964 MB of physical memory, with locale
LC_CTYPE=en_AU.UTF-8, LC_NUMERIC=en_AU.UTF-8, LC_TIME=en_DK.UTF-8,
LC_COLLATE=C, LC_MONETARY=en_AU.UTF-8, LC_MESSAGES=en_AU.UTF-8,
LC_PAPER=en_AU.UTF-8, LC_NAME=en_AU.UTF-8, LC_ADDRESS=en_AU.UTF-8,
LC_TELEPHONE=en_AU.UTF-8, LC_MEASUREMENT=en_AU.UTF-8,
LC_IDENTIFICATION=en_AU.UTF-8, with libpcap version 1.9.0-PRE-GIT (with
TPACKET_V3), with GnuTLS 3.6.7, with Gcrypt 1.8.4, with zlib 1.2.11, binary
plugins supported (14 loaded). Built using gcc 8.2.1 20181127. 
--
If a Modbus/TCP request packet has multiple messages, when the responses come
in, the wrong register numbers are shown.  For example, the attached sample
capture shows:

 * Packet 36: Query numbers 5, 6 and 7
 * Packet 37: Response to query 5, but registers shown are from query 7
(29203/29204) instead of query 5 (20803/20804)
 * Packet 39: Response to queries 6 and 7, but both registers again shown from
query 7 (29203/29204) instead of query 6 (29201/29202) and query 7 (which is
now correct here).

It seems that when the dissector looks at a response packet, it correctly
matches it to the request packet and retrieves the register numbers from there.
 But once it finds the packet it assumes there is only one request in it,
grabbing the last register numbers, rather than looking for the matching query
number first.

-- 
You are receiving this mail because:
You are watching all bug changes.
___________________________________________________________________________
Sent via:    Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
             mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

Reply via email to