Ethereal-dev: [Ethereal-dev] Modbus/TCP decoder question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Scott Waddell (swaddell)" <swaddell@xxxxxxxxx>
Date: Wed, 14 Dec 2005 13:54:16 -0800
Hello,

I'm working with some packet traces from the NLANR Passive Measurement &
Analysis (PMA) project that have packets truncated as part of their
trace anonymization process.

In one sample from the NLANR PMA site at Purdue (attached), there is
some traffic that ethereal classifies as Modbus/TCP. I don't think this
is actually Modbus traffic as all the protocol fields are zero so, for
example, the function code of zero is an "Unknown function", etc.

I've included all the traffic from the trace involving the hosts with
supposed Modbus traffic in case it helps with the analysis. A display
filter of "tcp.port==502" will show the candidate Modbus packets.

I'm not certain this is a bug, but ideally it seems that the Modbus
dissector in ethereal would check the values in the various Modbus
fields to make sure they're valid known function codes, etc., before
classifying the packet as Modbus/TCP.

Thoughts?

Thanks,
Scott
__
Scott Waddell
Research Engineer
Critical Infrastructure Assurance Group (CIAG)
Cisco Systems, Inc.
swaddell@xxxxxxxxx
512-378-1230

Attachment: maybe-modbus.pcap
Description: maybe-modbus.pcap
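The sanity checks Scott is asking for, written out as an added example (this is not code from the post, the attached trace, or Ethereal's Modbus dissector): parse the Modbus/TCP MBAP header and PDU from a TCP payload and refuse to label it Modbus unless the protocol identifier is 0, the function code is one defined by the Modbus specification, and the length field agrees with the bytes actually present. The sample payloads are constructed for the demonstration; the all-zero one mirrors the anonymized traffic described in the mail, and the truncated one mirrors what the PMA traces produce.

```python
import struct

# Public function codes from the Modbus Application Protocol Specification.
# Function code 0 is not defined, which is why a dissector reports it as
# "Unknown function".
KNOWN_FUNCTION_CODES = {
    1, 2, 3, 4, 5, 6, 7, 8, 11, 12, 15, 16, 17, 20, 21, 22, 23, 24, 43,
}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
# MBAP header: transaction id (2) + protocol id (2) + length (2) + unit id (1)
MBAP_LEN = 7


def looks_like_modbus_tcp(payload: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one TCP segment payload seen on port 502.

    Port number alone is not trusted: the MBAP header and the PDU function
    code are validated first, which is the heuristic the e-mail proposes.
    """
    if len(payload) < MBAP_LEN + 1:
        return False, "too short for an MBAP header plus function code"
    _tx_id, proto_id, length, _unit_id = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if proto_id != 0:
        return False, f"protocol id {proto_id} is not 0 (Modbus)"
    fc = payload[MBAP_LEN]
    base_fc = fc & 0x7F  # bit 7 set marks an exception response
    if base_fc not in KNOWN_FUNCTION_CODES:
        return False, f"function code {fc:#04x} is not a known Modbus function"
    # The length field counts the unit id plus the PDU: everything after byte 6.
    remaining = len(payload) - 6
    if length != remaining:
        return False, f"length field {length} != {remaining} remaining bytes"
    if fc & 0x80:
        # An exception response is exactly one exception-code byte after the FC.
        if len(payload) != MBAP_LEN + 2:
            return False, "exception response must carry exactly one exception code byte"
        return True, f"exception response to function {base_fc}, code {payload[MBAP_LEN + 1]}"
    return True, f"function code {fc} ({FUNCTION_NAMES.get(fc, 'other public function')})"


# Constructed sample payloads (hypothetical, not taken from the attached trace).
GENUINE_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # Read Holding Registers
EXCEPTION_RESPONSE = bytes.fromhex("0001 0000 0003 01 83 02")      # Illegal data address
ALL_ZERO = bytes(12)                      # anonymized/zeroed bytes on port 502
TRUNCATED = GENUINE_REQUEST[:6]           # trace cut the packet inside the MBAP header
WRONG_PROTOCOL_ID = bytes.fromhex("0001 0001 0006 01 03 0000 000a")


def classify_all(samples: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    """Run the heuristic over a batch of payloads, keyed by a label."""
    return {name: looks_like_modbus_tcp(data) for name, data in samples.items()}


if __name__ == "__main__":
    samples = {
        "genuine request": GENUINE_REQUEST,
        "exception response": EXCEPTION_RESPONSE,
        "all zero": ALL_ZERO,
        "truncated": TRUNCATED,
        "wrong protocol id": WRONG_PROTOCOL_ID,
    }
    for name, (accepted, reason) in classify_all(samples).items():
        print(f"{name:20s} -> {'Modbus/TCP' if accepted else 'not Modbus':10s} ({reason})")
```

The order of the checks matters for what a dissector reports: the function-code test runs before the length comparison so that an all-zero payload is rejected for the reason the mail observes (function code 0 is undefined) rather than for a secondary length mismatch. A truncated segment is rejected outright instead of being dissected as garbage, which is the safer default for anonymized captures.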