A sniffer for the Modbus RTU protocol.

This programs allows you to snif packets from a Modbus RTU serial comunication and save them in a .pcap file that you can open with a program like Wireshark.

Compile the program with make. The only dependency is a C compiler and a POSIX operating system.

You can specify the options with the command line:

Usage: ./sniffer [-h] [-o out_dir] [-p port] [-s speed]
                 [-P parity] [-S stop_bits] [-b bits]

 -o, --output-dir   directory where to save the output
 -p, --serial-port  serial port to use
 -s, --speed        serial port speed (default 9600)
 -b, --bits         number of bits (default 8)
 -P, --parity       parity to use (default 'N')
 -S, --stop-bits    stop bits to use (default 1)

By default files are saved in the output directory with filename in the format modbus_YYYY-mm-dd_HH:MM:SS.pcap.

By sending to the program a SIGUSR1 the capture is rotated, i.e. the pcap file is closed and another one is initiated. By default a .pcap file contains maximum 10000 entries: after that the log is rotate. You can tweak this parameter by editing the MAX_CAPTURE_FILE_PACKETS in the source code.

To capture the packets, you need a standard RS485 to TTL serial converter. I tested the capture on a Raspberry Pi model 3B+. If you also use a Raspberry, make sure to enable the hardware UART for better performance by disabling the Bluetooth interface.