Project

General

Profile

Actions
Copy link

Support #2983

closed

no modbus output

Added by John Smith almost 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Affected Versions:
4.0.5
Label:

Description

in pcap offline mode,like suricata -c /etc/suricata/suricata.yaml -r modbus.pcap.There is no thing if I use 'printf' in app-layer-modbus.c.Do I need dispose the suricata.yaml?

Actions
Copy link
 #1

Updated by Victor Julien almost 5 years ago

  • Tracker changed from Bug to Support
  • Subject changed from in pcap offline mode to no modbus output
  • Assignee deleted (Victor Julien)
  • Target version deleted (4.1.5)
Actions
Copy link
 #2

Updated by Victor Julien almost 5 years ago

Did you enable the modbus parser in your yaml? Did you check the packet checksums? Did you enable midstream in case the modbus sessions have no TCP 3whs, etc?

Actions
Copy link
 #3

Updated by John Smith almost 5 years ago

OK,Victor.As you say,I have changed the midstream to true;the parser to yes;the checksum to no.Then the modbus parser is ok in pcap offline mode. I also add a new parser for iec104 and the parser iec104 is ok in AF-Packet mode or NFQ mode,but there is no output in pcap offline mode.So should I do some others thins?

Actions
Copy link
 #4

Updated by Victor Julien almost 5 years ago

I have no idea why it doesn't work for pcaps. It will be hard to say without access to the parsers.

Actions
Copy link
 #5

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Community Ticket
  • Target version set to Support
Actions
Copy link
 #6

Updated by Victor Julien over 4 years ago

  • Status changed from New to Closed
Actions
Copy link

Also available in: Atom PDF