3. Practical Analysis of ModBus Protocol

0x01 Preface

In the previous article we went through the theoretical background of the Modbus protocol. In this article we analyze the protocol in practice by building a Modbus simulation environment on a single machine.

Protocol analysis environment:

  • Modbus Poll: emulates a Modbus master (client)
  • Modbus Slave: emulates a Modbus slave (server)
  • Configure Virtual Serial Port Driver (VSPD): creates pairs of linked virtual serial ports on the computer
  • CommMonitor (serial monitoring wizard): monitors and decodes the data passing through a serial port

software download:

  • Modbus Poll, Modbus Slave, VSPD download: https://pan.baidu.com/s/1vQiGP-AIYxShcZhbxbctTg Extraction code: dqeg
  • CommMonitor download: http://www.ceiwei.com/mt/

0x02 Use VSPD to create a new serial port

Normally, debugging Modbus requires at least two computers connected to each other. With VSPD we can instead create a pair of linked virtual serial ports on one computer and analyze the Modbus traffic between a master and a slave on the same host.

Installation is just clicking Next all the way through. The download package also contains instructions for activating the software after installation.

Open the software. The right-hand side of the window is where new serial ports are added; we pick two port numbers high enough not to collide with existing ports, as shown in the figure below:

Click Add; the new virtual serial port pair appears in the list on the left:

To verify that the ports were added, open This PC -> Manage -> Device Manager and look under Ports (COM & LPT); as the figure below shows, they are present.

0x03 Create a new ModBus serial port connection

The Modbus Slave installation is also just Next all the way through; after installation, open the program and it is ready to use.

After opening it, create a new connection via Connection -> Connect. When prompted for the key, enter the key supplied in the software package and click OK until the connection dialog below appears. Set the connection parameters as shown, paying attention to the items marked in the red box: for the serial port, select one of the ports just created by VSPD.

Installing and opening Modbus Poll works the same way as Modbus Slave; the only difference is that when selecting the serial port you pick the other port of the VSPD pair, then click OK.

Once master and slave are connected, both still need their register definitions. Open Setup -> Read/Write Definition in Modbus Poll and Setup -> Slave Definition in Modbus Slave, select function 03 (Read Holding Registers), and keep the same slave ID, starting address and quantity on the master and on the slave, as shown in the figure below:

With both sides configured, double-click a register row in the Modbus Slave window, enter a value, and tick the auto-increment option so that the value increases by itself every second:

Then check whether Modbus Poll reads the same register value. If it does, the master-slave connection is working.

0x04 Use CommMonitor for analysis

CommMonitor supports Windows XP, 7, 10 and 11 on 32- and 64-bit systems and installs with the default options.

After opening CommMonitor, choose the serial port to monitor. Here we pick COM21, the port selected for the master: requests originate from the master and the slave only responds, and since everything travels through the two linked virtual ports, monitoring one of them is enough.

In the monitoring settings, select the Modbus view and Modbus RTU mode, which matches the connection mode configured above.

With monitoring configured, the data flowing over the serial port is shown in real time, as below:

As the figure shows, CommMonitor has decoded the Modbus frame: function code 0x03 means Read Holding Registers, the starting address is 0x0000, the quantity is 0x000A (10 registers), and the two CRC bytes are C5 CD (the CRC-16 value 0xCDC5 transmitted low byte first).

The decoded response from the slave is shown below. The function code 0x03 is echoed unchanged (an error would set its high bit, giving 0x83), which means the slave's register data was read successfully.

Next we change a register value on the master and write it to the slave:

Look at the decoded Modbus data again. The figure below is our request: the function code is 0x06, Write Single Register, and the value written is 222 (0x00DE):

The response carries function code 0x06 as well and echoes the request, which means the write succeeded. Note that nothing in this exchange authenticates the master: any device able to put bytes on this serial link can send the same 0x06 frame and the slave will execute it.

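To reproduce what CommMonitor decoded above without the GUI, here is an added Python example (not code from the original article, nor from Modbus Poll or Modbus Slave) that builds the same RTU frames, computes the CRC-16 that appears on the wire as C5 CD, parses a response, and checks the 0x06 echo. The slave response bytes it decodes are constructed, since the article does not list them; the function names are this example's own.

```python
import struct
from typing import List, Tuple


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_rtu_frame(unit_id: int, pdu: bytes) -> bytes:
    """RTU ADU = unit id + PDU + CRC. The CRC goes on the wire low byte first,
    which is why the value 0xCDC5 shows up in the monitor as the bytes C5 CD."""
    body = bytes([unit_id]) + pdu
    return body + struct.pack("<H", modbus_crc16(body))


def crc_ok(frame: bytes) -> bool:
    """True when the trailing two bytes are the CRC of everything before them."""
    return len(frame) >= 4 and struct.unpack("<H", frame[-2:])[0] == modbus_crc16(frame[:-2])


def parse_rtu_frame(frame: bytes) -> Tuple[int, bytes]:
    """Split an RTU ADU into (unit id, PDU), rejecting frames with a bad CRC."""
    if not crc_ok(frame):
        raise ValueError("CRC mismatch or frame too short")
    return frame[0], frame[1:-2]


def read_holding_registers_request(unit_id: int, start: int, quantity: int) -> bytes:
    """Function 0x03: start address and quantity are big-endian 16-bit fields."""
    return build_rtu_frame(unit_id, struct.pack(">BHH", 0x03, start, quantity))


def write_single_register_request(unit_id: int, address: int, value: int) -> bytes:
    """Function 0x06: register address and the 16-bit value to write (222 = 0x00DE)."""
    return build_rtu_frame(unit_id, struct.pack(">BHH", 0x06, address, value))


def decode_read_holding_response(pdu: bytes) -> List[int]:
    """0x03 response PDU: function code, byte count, then byte_count/2 registers."""
    if pdu[0] & 0x80:
        raise ValueError(f"exception response, code {pdu[1]:#04x}")
    byte_count = pdu[1]
    if pdu[0] != 0x03 or byte_count != len(pdu) - 2 or byte_count % 2:
        raise ValueError("malformed read holding registers response")
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))


def write_succeeded(request: bytes, response: bytes) -> bool:
    """A successful 0x06 response is an echo of the request: same unit id and PDU."""
    return parse_rtu_frame(request) == parse_rtu_frame(response)


if __name__ == "__main__":
    req = read_holding_registers_request(1, 0, 10)
    print("read request :", req.hex(" ").upper())  # 01 03 00 00 00 0A C5 CD
    # Constructed slave response: ten registers holding 0..9 (not from the capture)
    rsp = build_rtu_frame(1, bytes([0x03, 0x14]) + struct.pack(">10H", *range(10)))
    print("registers    :", decode_read_holding_response(parse_rtu_frame(rsp)[1]))
    wr = write_single_register_request(1, 0, 222)
    print("write request:", wr.hex(" ").upper(), "echoed OK:", write_succeeded(wr, wr))
    noisy = bytearray(wr)
    noisy[5] ^= 0x01  # one flipped bit, as line noise would produce
    print("CRC on noisy frame:", crc_ok(bytes(noisy)))
```

The CRC is the only integrity check in Modbus RTU and it is a noise detector, not a security control: a flipped bit on the line fails `crc_ok`, but an attacker who can inject frames simply recomputes the CRC with the same routine. The echo in `write_succeeded` is likewise the only confirmation the master gets that the slave executed the write.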
0x05 Use Wireshark to capture and analyze

First the differences in the environment: when creating the connection, both the master and the slave must be set to Modbus TCP/IP as the transport, with the same TCP port on both (502 is the Modbus default), as shown below:

Once connected, set up auto-increment on the slave as before and start a Wireshark capture; Wireshark's mbtcp dissector decodes the frames. The figure below shows one of the request packets:

The specific analysis is as follows:

byte[0] byte[1]: 00 76 is the transaction identifier (the "message number"); the client picks it arbitrarily, and the response carries the same transaction identifier as the request
byte[2] byte[3]: 00 00 is the protocol identifier, always 0 for Modbus
byte[4] byte[5]: 00 06 is the length field, the number of bytes that follow it (unit identifier plus PDU); counting onward there are exactly 6 bytes, so it matches
byte[6]: 01 is the unit identifier (slave address)
byte[7]: 03 is the function code, Read Holding Registers (not coils; coils are read with 0x01)
byte[8] byte[9]: 00 00, the starting address of the holding registers to read
byte[10] byte[11]: 00 0A, the number of holding registers to read (10)

Now the response packet:

The byte-by-byte breakdown of the response packet is:

byte[0] byte[1]: 00 76 is the transaction identifier, the same as in the request
byte[2] byte[3]: 00 00 is the protocol identifier, Modbus
byte[4] byte[5]: 00 17 is the length field; counting onward there are exactly 23 bytes (1 unit identifier + 1 function code + 1 byte count + 20 data bytes), so it matches
byte[6]: 01 is the unit identifier
byte[7]: 03 is the function code, the same as in the request; the high bit is clear, so this is a normal response rather than an exception (which would be 0x83)
byte[8]: the byte count of the register data, 20 (0x14); counting onward there are 20 bytes, matching 10 registers of 2 bytes each
byte[9] byte[10]: the first holding register, 2 bytes
byte[11] byte[12]: the second holding register, 2 bytes, here 00 41, i.e. 65
byte[13] byte[14]: the third holding register, 2 bytes
........
byte[27] byte[28]: the tenth holding register, 2 bytes
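The same byte-by-byte breakdown as code: an added Python example (not from the original article) that parses the MBAP header, checks that the protocol identifier and the length field agree with the frame, pairs the response with its request by transaction identifier, and decodes the ten registers. The request bytes are exactly the ones decoded above; the response data bytes are constructed except for the second register (00 41), and the exception response is a constructed illustration of the 0x83 form, which the capture above does not contain.

```python
import struct
from typing import Dict, List, Tuple

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

# Sample frames modelled on the capture. The request is the captured bytes; the
# response data is constructed apart from the second register (00 41 = 65), and the
# exception response is constructed to show the 0x80-bit form.
REQUEST = bytes.fromhex("0076 0000 0006 01 03 0000 000A")
RESPONSE = bytes.fromhex("0076 0000 0017 01 03 14"
                         "0000 0041 0002 0003 0004 0005 0006 0007 0008 0009")
EXCEPTION_RESPONSE = bytes.fromhex("0076 0000 0003 01 83 02")  # 0x83, ILLEGAL DATA ADDRESS


def mbap_errors(frame: bytes) -> List[str]:
    """Return the MBAP consistency problems in a frame (an empty list means well-formed)."""
    if len(frame) < MBAP_LEN + 1:
        return ["frame shorter than MBAP header plus function code"]
    _tid, pid, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    errors = []
    if pid != 0:
        errors.append(f"protocol id {pid}, expected 0 for Modbus")
    # the length field counts every byte after itself: unit id + PDU
    if length != len(frame) - 6:
        errors.append(f"length field says {length} bytes follow, frame has {len(frame) - 6}")
    return errors


def parse_modbus_tcp(frame: bytes) -> Dict[str, object]:
    """Split a Modbus TCP ADU into its MBAP fields plus the PDU, rejecting inconsistent frames."""
    errors = mbap_errors(frame)
    if errors:
        raise ValueError("; ".join(errors))
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    pdu = frame[MBAP_LEN:]
    return {"transaction_id": tid, "protocol_id": pid, "length": length,
            "unit_id": unit, "function": pdu[0], "pdu": pdu}


def is_exception(pdu: bytes) -> bool:
    """Exception responses set bit 7 of the function code (0x03 -> 0x83)."""
    return bool(pdu[0] & 0x80)


def exception_code(pdu: bytes) -> int:
    """The byte after an exception function code, e.g. 0x02 ILLEGAL DATA ADDRESS."""
    return pdu[1]


def decode_read_request(pdu: bytes) -> Tuple[int, int]:
    """0x03 request PDU: function code, start address, quantity (big-endian 16-bit each)."""
    fc, start, qty = struct.unpack(">BHH", pdu)
    if fc != 0x03:
        raise ValueError(f"not a Read Holding Registers request: {fc:#04x}")
    return start, qty


def decode_read_response(pdu: bytes) -> List[int]:
    """0x03 response PDU: function code, byte count, then byte_count/2 big-endian registers."""
    if is_exception(pdu):
        raise ValueError(f"exception {exception_code(pdu):#04x}")
    fc, byte_count = pdu[0], pdu[1]
    if fc != 0x03 or byte_count != len(pdu) - 2 or byte_count % 2:
        raise ValueError("malformed Read Holding Registers response")
    return list(struct.unpack(f">{byte_count // 2}H", pdu[2:]))


def match_response(req: Dict[str, object], rsp: Dict[str, object]) -> bool:
    """Pair a response with its request: same transaction id, same unit id, and the same
    function code with or without the exception bit."""
    return (req["transaction_id"] == rsp["transaction_id"]
            and req["unit_id"] == rsp["unit_id"]
            and rsp["function"] & 0x7F == req["function"])


if __name__ == "__main__":
    req = parse_modbus_tcp(REQUEST)
    rsp = parse_modbus_tcp(RESPONSE)
    print("request (start, qty):", decode_read_request(req["pdu"]))
    print("matched:", match_response(req, rsp), "registers:", decode_read_response(rsp["pdu"]))
    exc = parse_modbus_tcp(EXCEPTION_RESPONSE)
    print("exception:", is_exception(exc["pdu"]), "code:", exception_code(exc["pdu"]))
```

The length check is what a dissector or an IDS should enforce before trusting the byte count at byte[8]: a frame whose length field disagrees with the bytes actually received is either truncated or crafted, and decoding its registers anyway is how parser bugs in Modbus tooling start. As with RTU, there is no authentication anywhere in the header; the transaction identifier only pairs responses with requests.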

Origin blog.csdn.net/qq_45590334/article/details/125259925