
Parsing Modbus packets in pcap file using Scapy


I am new to Scapy. I am trying to parse Modbus packets in a pcap file using scapy.contrib.modbus. I am however successful. I want to at least identify request and response packets based on the library. Below is the link for the pcap file:

https://github.com/tjcruz-dei/ICS_PCAPS/releases/download/MODBUSTCP%231/captures1.zip

Below is the sample code (doesn't work by the way):

    from scapy.all import *
    import scapy.contrib.modbus as mb

    for pkt in PcapReader("captures1/clean/eth2dump-clean-0,5h_1.pcap"):
        if pkt['TCP'].sport == 502:
            pkt = mb.ModbusADUResponse(pkt)
        print(type(pkt))

Kindly assist. Thank you.


Solution

  • The code is actually much simpler than you think:

    import scapy.all as scapy
    import scapy.contrib.modbus as mb
    
    for pkt in scapy.PcapReader("eth2dump-clean-0,5h_1.pcap"):
        if mb.ModbusADUResponse in pkt:
            pkt.show()
    
    

    Let's go into the detail of why/how it works. Scapy has a few relationships between protocols to help decode.

    In your case: https://github.com/secdev/scapy/blob/master/scapy/contrib/modbus.py#L948 is linking TCP.port 502 to ModbusADUResponse