— Serial Monitors, Wireshark & Protocol Analyzers
(Module 6 · Troubleshooting & Diagnostics – Mastering Modbus Problem Solving)
Learning objectives
- Select and configure the ideal tool—software or hardware—for any RTU- or TCP-based Modbus troubleshooting task.
- Capture, filter and decode traffic with Wireshark, including timing-sensitive RTU frames brought in via USB taps.
- Leverage serial-monitor utilities (RealTerm, HTerm, PuTTY) to reveal framing gaps, CRC bytes and ASCII payloads.
- Deploy hardware analyzers (logic probes, RS-485 taps, oscilloscopes) to pinpoint low-level noise and contention.
- Build a repeatable evidence bundle (pcap, CSV, scope screenshot) that satisfies maintenance, vendors and auditors.
20.1 Tool-selection matrix
Layer / Task | Free software | Paid / Pro | Hardware |
---|---|---|---|
Capture TCP | Wireshark | TShark (CLI) | — |
Decode RTU (live) | RealTerm + pycrc | Simply Modbus Monitor | Saleae Logic 8 |
Gap & timing | Logic 2 (Saleae) | PicoScope Serial Decoder | Oscilloscope ≥50 MHz |
Electrical noise | — | — | Differential probe + scope |
Long-term logging | PySerial-logger | Kepware DTM Tag Logger | Moxa ioLogik tap |
(Fig-20-1 placeholder: infographic “Which tool?”)
20.2 Serial monitors (RTU & ASCII)
20.2.1 RealTerm (Windows, free) — hands-on
- Port → select COM#, 9 600 8E1, “Half-Duplex”.
- Display → “Hex+Space” + enable Timestamp [ms].
- Press Capture → file "rtu_raw_2025-06-08.hex".
- Observe:
  - Frame start (Addr FC)
  - Inter-char gaps in timestamp (≥ 1.5 Tchar)
  - CRC-Lo, CRC-Hi.
20.2.2 pycrc quick-check
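```bash
pycrc --model crc-16-modbus --check-hexstring "11 03 00 00 00 06 C7 58"
```
pycrc prints the CRC it computes over the bytes given. With the frame's two CRC bytes included, as here, a result of zero means the CRC is correct; ideal for ad-hoc validation.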
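Added example (not part of the original course material): the checks from 20.2.1 and 20.2.2 in Python, splitting a timestamped byte capture at T3.5 silences, flagging T1.5 inter-character gaps and verifying the CRC. The (timestamp in ms, byte) sample format and all function names are assumptions, and the capture is constructed.

```python
TCHAR_MS = 11 * 1000 / 9600  # one character at 9600 8E1 = 11 bits on the wire

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def split_frames(samples, tchar=TCHAR_MS):
    """samples: [(t_ms, byte)] stamped at the end of each character; idle = delta - tchar."""
    frames, cur, fault, last = [], bytearray(), False, None
    for t, b in samples:
        idle = 0.0 if last is None else (t - last) - tchar
        if cur and idle >= 3.5 * tchar:      # T3.5 silence: frame boundary
            frames.append((bytes(cur), fault))
            cur, fault = bytearray(), False
        elif cur and idle > 1.5 * tchar:     # T1.5 exceeded inside a frame
            fault = True
        cur.append(b)
        last = t
    if cur:
        frames.append((bytes(cur), fault))
    return frames

def verdict(frame: bytes, gap_fault: bool) -> str:
    if len(frame) < 4:                       # addr + FC + 2 CRC bytes minimum
        return "short"
    if gap_fault:
        return "t1.5-gap"
    wire_crc = frame[-2] | frame[-1] << 8    # CRC-Lo is transmitted first
    return "ok" if crc16_modbus(frame[:-2]) == wire_crc else "bad-crc"

def synth(frame, t0, stall_at=None):
    """Constructed capture data: evenly spaced bytes, optional 3 ms mid-frame stall."""
    out, t = [], t0
    for i, b in enumerate(frame):
        t += TCHAR_MS + (3.0 if i == stall_at else 0.0)
        out.append((t, b))
    return out

BODY = bytes.fromhex("110300000006")         # address 0x11, FC03, 6 registers from 0
GOOD = BODY + crc16_modbus(BODY).to_bytes(2, "little")
BAD = GOOD[:5] + bytes([GOOD[5] ^ 0x01]) + GOOD[6:]   # one flipped bit
CAPTURE = synth(GOOD, 0.0) + synth(BAD, 100.0) + synth(GOOD, 200.0, stall_at=4)
def analyse(samples=CAPTURE):
    return [verdict(f, g) for f, g in split_frames(samples)]
```

`analyse()` returns one verdict per frame: the clean request, the bit-flipped copy and the copy with a 3 ms stall after the fourth byte.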
20.2.3 HTerm (cross-platform)
Enable “Line Timestamp” & “ASCII view” to debug Modbus ASCII (: … CR LF).
20.3 Wireshark deep dive (TCP & Serial)
20.3.1 Installing dissectors
Modbus/TCP dissector is built-in (v3+).
For RTU over serial-USB:
```bash
# Linux
sudo modprobe usbserial
sudo wireshark
# Capture → "Serial Line" → /dev/ttyUSB0 → Link-layer = "Modbus"
```
or pipe via extcap SNoop plugin (github.com/walle/snoopy/).
20.3.2 Essential display filters
Purpose | Filter |
---|---|
All Modbus | modbus |
Exceptions only | modbus.exception_code |
Read Holding (FC03) | modbus.func_code == 3 |
Frames > 100 ms gap | frame.time_delta > 0.1 && modbus |
(Fig-20-2: screenshot “exceptions in red”).
20.3.3 IO Graph for latency
Statistics → I/O Graph, Y-field: tcp.time_delta; customise line 1 → visualise spikes.
20.3.4 Colouring rules (high-contrast)
Condition | FG / BG |
---|---|
modbus.exception_code | white/red |
modbus.func_code==16 (writes) | black/yellow |
frame.time_delta>0.05 | black/orange |
Save as “Modbus-PlantA.colour” profile.
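Added example (not from the original course material): the three colouring rules applied offline in Python to Modbus/TCP ADUs, pairing each request with its response by unit and transaction ID. It goes beyond the page's FC16 rule by treating function codes 5, 6 and 15 as writes too and by reporting unanswered requests; the function names and the sample packets are constructed assumptions.

```python
import struct

WRITE_FCS = {5, 6, 15, 16}  # FC16 is the page's rule; 5, 6, 15 are the other standard writes

def adu(tid, unit, pdu):  # builds the constructed sample packets below
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_adu(raw):
    """MBAP header = transaction id, protocol id (0), length, unit id; then the PDU."""
    if len(raw) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0 or length != len(raw) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": raw[7], "data": raw[8:]}

def triage(packets, slow_s=0.05):
    """packets: [(t_seconds, raw_adu)] from one connection, in capture order."""
    findings, pending = [], {}
    for t, raw in packets:
        msg = parse_adu(raw)
        if msg is None:
            findings.append((t, None, "malformed"))
            continue
        key = (msg["unit"], msg["tid"])
        if key not in pending:                       # first sighting: the request
            pending[key] = (t, msg["fc"])
            if msg["fc"] in WRITE_FCS:
                findings.append((t, msg["tid"], "write"))
            continue
        t_req, fc_req = pending.pop(key)             # second sighting: the response
        if msg["fc"] == fc_req | 0x80 and msg["data"]:
            findings.append((t, msg["tid"], "exception %d" % msg["data"][0]))
        if t - t_req > slow_s:
            findings.append((t, msg["tid"], "slow"))
    findings += [(t, tid, "no-response") for (_, tid), (t, _fc) in pending.items()]
    return findings

# Constructed sample traffic for unit 17 (0x11)
SAMPLE = [
    (0.000, adu(1, 17, bytes.fromhex("0300000006"))),          # read 6 holding registers
    (0.010, adu(1, 17, bytes.fromhex("030c") + bytes(12))),    # normal reply
    (0.100, adu(2, 17, bytes.fromhex("1000100001021234"))),    # FC16 write
    (0.110, adu(2, 17, bytes.fromhex("9002"))),                # exception 02
    (0.200, adu(3, 17, bytes.fromhex("0300000006"))),
    (0.450, adu(3, 17, bytes.fromhex("030c") + bytes(12))),    # 250 ms later
    (0.500, adu(4, 17, bytes.fromhex("0300000006"))),          # never answered
    (0.600, b"\x00\x05\x00"),                                  # truncated ADU
]
```

`triage(SAMPLE)` lists the write, the exception that answered it, the slow reply, the truncated ADU and the request that never got a response.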
20.4 Logic analyzers & oscilloscopes
20.4.1 Saleae Logic 8 workflow
- Connect A–B differential with logic probe (can use two channels + math).
- Select Analyzer → Modbus RTU → set baud.
- Timing view → highlight T3.5 gaps.
- Export CSV (rtu_2025-06-08.csv) for spreadsheet analysis.
20.4.2 PicoScope serial decoder
Automated CRC validation flag = red X; click to zoom erroneous frame.
20.4.3 Electrical noise diagnosis
Symptom | Scope trace | Remedy |
---|---|---|
High-freq ring (5–10 MHz) | Overshoot > 1 V | Add clamp ferrite, shorten stub |
Common-mode shift (idle) | Baseline moves ±3 V | Add proper bias or isolate ground |
Glitches at motor start | Burst noise on every VFD ramp | Shield terminate both ends + VFD filter |
20.5 Long-term & automated logging
20.5.1 Python serial logger
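```python
import datetime
import serial  # pyserial

# 9600 8E1. The short timeout makes read() return when the bus goes quiet,
# so each record approximates one frame (long frames may span two records).
ser = serial.Serial("/dev/ttyUSB0", 9600, parity=serial.PARITY_EVEN, timeout=0.05)
with open("rtu_log.bin", "ab") as f:  # append: a restart must not wipe evidence
    while True:
        chunk = ser.read(256)  # 256 bytes = maximum RTU frame size
        if chunk:  # skip idle periods
            f.write(datetime.datetime.now().isoformat().encode() + b" " + chunk)
            f.flush()
```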
Rotate daily via logrotate.
20.5.2 Wireshark ring buffer
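```bash
wireshark -k -i eth0 -b filesize:100000 -b files:50 -w modbus_ring.pcapng -f "tcp port 502"
```
Keeps last 5 GB of Modbus capture rolling (50 files × 100 MB; `filesize` is in kB). The ring buffer only takes effect when the capture is saved with `-w`; the file name here is an example.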
20.6 Specialized analyzers & gateways
Device | Feature | Price | Use-case |
---|---|---|---|
Frontline NetDecoder | Real-time protocol expert, graphs timing | $$$ | Factory acceptance test |
HMS Ixxat CAN/Modbus scope | Combined CAN + Modbus decode | $$ | Mobile service techs |
Moxa MGate “sniffer mode” | Gateway forwards AND mirrors to PCAP | $ | Permanent plant monitoring |
(Fig-20-3: photo of field tech with NetDecoder.)
20.7 Creating an evidence bundle
- Picture of cabinet wiring.
- Scope PNG showing bad waveform.
- .logicdata or .psdata file (raw).
- .pcapng with colour profile.
- Text summary (who, when, which device, firmware).
Compress into incident_2025-06-08_slave17.zip; attach to ticket.
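Added example (not from the original course material): one way to build the bundle in Python so that later tampering is detectable. It goes beyond the list above by adding a SHA-256 manifest; the function names, the summary keys and the `manifest.json` file name are assumptions.

```python
import hashlib, json, zipfile
from pathlib import Path

REQUIRED = ("who", "when", "device", "firmware")   # the text-summary fields from 20.7

def build_bundle(files, out_zip, summary):
    """Zip the artefacts with a manifest.json of SHA-256 hashes; return the manifest's hash."""
    missing = [k for k in REQUIRED if not summary.get(k)]
    if missing:
        raise ValueError("summary is missing: " + ", ".join(missing))
    manifest = {"summary": summary, "files": []}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for p in map(Path, files):
            data = p.read_bytes()
            manifest["files"].append({"name": p.name, "bytes": len(data),
                                      "sha256": hashlib.sha256(data).hexdigest()})
            z.writestr(p.name, data)
        blob = json.dumps(manifest, indent=2, sort_keys=True).encode()
        z.writestr("manifest.json", blob)
    return hashlib.sha256(blob).hexdigest()   # record this value in the ticket text

def verify_bundle(zip_path, manifest_sha256):
    """Return the names of entries that no longer match; [] means the bundle is intact."""
    with zipfile.ZipFile(zip_path) as z:
        blob = z.read("manifest.json")
        if hashlib.sha256(blob).hexdigest() != manifest_sha256:
            return ["manifest.json"]
        return [f["name"] for f in json.loads(blob)["files"]
                if hashlib.sha256(z.read(f["name"])).hexdigest() != f["sha256"]]
```

Writing the returned manifest hash into the ticket itself means the ZIP can be re-verified later against a value stored outside the archive.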
20.8 Common pitfalls & fixes table
Tool mis-use | Symptom | Correct usage |
---|---|---|
RealTerm default 115 200 8N1 on 9 600 8E1 bus | Garbage ASCII | Match parity & baud |
Wireshark capture “Ethernet II” for USB-serial | Empty modbus frames | Change link-layer to “Raw serial” |
Logic 2 threshold 1 V on 5 V bus | False bits | Set 2.5 V threshold or differential math |
Missing pull-downs on logic analyzer | Floating high line | Clip ground reference or use diff probes |
20.9 Workflow examples
20.9.1 No-response RTU device
- Serial tap – no bytes.
- Meter – A/B swapped.
- Fix wiring → RealTerm shows frames, but CRC errors.
- Scope reveals ringing; add termination.
- Communication stable; record before/after captures.
20.9.2 Slow SCADA screen updates
- Wireshark I/O graph shows 500 ms gaps.
- Filter reveals Nagle delay (ACK after 200 ms).
- Set TCP_NODELAY on master; gaps < 50 ms.
20.10 Best-practice checklist
✔︎ | Rule |
---|---|
☐ | Always mirror serial to a file before touching code. |
☐ | Use colour rules: red exception, yellow write, orange slow. |
☐ | Capture raw electrical waveform once per commissioning. |
☐ | Keep rolling PCAP with 5 × cycle buffer in production VLAN. |
☐ | Bundle evidence (picture + pcap + scope) for every incident. |
Chapter recap
- Serial monitors expose raw bytes and timing; Wireshark owns protocol decode; logic analyzers & scopes close the physical gap.
- Combine tools to see both voltage and bytes—only then do root-causes appear obvious.
- Automated logging & colour profiles make anomalies jump out and leave an audit trail.
- A disciplined evidence bundle shortens vendor or maintenance turnaround dramatically.
Assets to create
ID | Visual / file |
---|---|
Fig-20-1 | “Pick-your-tool” infographic |
Fig-20-2 | Wireshark exceptions in red |
Fig-20-3 | Field photo with hardware analyzer |
ZIP | Sample PCAP + scope PNG + RealTerm log |
Next: Module 7 – Security & Hardening starts with Chapter 21 – Modbus Security Vulnerabilities, where we pierce the “insecure-by-design” mythos, map real attack vectors, and prepare mitigations before hackers do.