[Bro-Dev] [JIRA] (BIT-875) Modbus REF parameter

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 17 07:52:00 PDT 2015 

     [ https://bro-tracker.atlassian.net/browse/BIT-875?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-875:
--------------------------
    Fix Version/s:     (was: 2.4)
                   2.5

> Modbus REF parameter
> --------------------
>
>                 Key: BIT-875
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-875
>             Project: Bro Issue Tracker
>          Issue Type: Task
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: dina
>              Labels: Modbus, REF, analyser,, offset
>             Fix For: 2.5
>
>
> By  Modbus specification, different FC implicitly use different parts of the PLC memory. Looking on the wire only, we do not see this. I think it would be useful to include this knowledge about where is the specific data from a packet supposed to be written in logs immediately.
> For example, fc=3,6,16 work with PLC memory addresses that are >40000, fc=4 work with values 30000-40000. On the wire we only see the REF parameter which is typically 0-10000 (so its a 'local' offset), thus we do not see the memory offset there. This part is implemented in the client by adding different offsets to the REF value in each packet.  (e.g., if fc=3,6,16 use offset 40000 so real_ref=40000+ref). I used these offsets to make logs in the .bro script in my branch. 
> This division of 10000 addresses is sth I see as a practice on forums and some unofficial manuals, but its not defined in the specification. I assume that, based on PLC capacity, there could be different kind of division between different parts of the memory map. 
> I suggest that we make a configuration file that defines the division of PLC memory space and which offsets do specific FCs use. As default, we can put this division which i see as common practice. In specific cases, users can change that config file to do proper remapping.
> Seth, you can find a a bit more about this division (and exact offsets per each FC) here: http://www.simplymodbus.ca/faq.htm



--
This message was sent by Atlassian JIRA
(v6.4-OD-15-055#64014)

More information about the bro-dev mailing list