Can this sniff a standard RS485 Modbus bus i.e in parallel with other devices on the bus ?

[craigcurtin-dev]

Hi i am trying to decipher the communication between a Solar Inverter and a Power Energy meter.

Can i just connect this into the bus with a (RS485 to USB connector) both of these devices and it will sniff all communication between them or is this for sniffing an application on my PC sending on to the RS485 bus ?

Craig

[alerighi]

Hi, yes you can use a RS485 to USB adapter. This program just opens the serial port (/dev/tty*) and saves the captured data to a .pcap file, so it can be analyzed with Wireshark, splitting the packet with a timeout, i.e. it doesn't get into the logic of the protocol, because that would have meant interpreting the full protocol (and maybe the machine uses custom function codes), but it checks the CRC16 so you can see if it's capturing correctly, even if even packets with non valid CRC are included in the capture (they can be filtered with WireShark later anyway).

It works fairly well, if not you have to tweak the timeout between packet in the source code, when you get it right it should work. Also pay attention to the adapter you use, I suggest to connect only the A and B data lines to the converter, not the signal ground, since that could introduce ground loops. If you see a lot of zero in the capture you probably have to had/remove the pullup/pulldown resistors on the line (the converter may or may not have them inside).

By the way, if you want to sniff the protocol to know how the machine works, without wanting to generate pcap files, you can also use the Modscan32 program for Windows. With that program you can monitor the communication and build dashboards that monitor parameters in real time. That program works only for function codes to read/write coils and registers, not with all the function codes of the program (but this is what most Modbus devices will use anyway)

[nagyrobi]

Hi @alerighi I'm trying to find the communication with a ventilation system and its controller. I tried your sniffer but my results are:

captured packet 1: length = 2, CRC: FFFF = FFFFFFFE00 [FAIL]
captured packet 2: length = 1, CRC: FFFF = FFFFFFFE30 [FAIL]
captured packet 3: length = 4, CRC: 9403 = FFFFFFBCFFFFFFA6 [FAIL]
captured packet 4: length = 11, CRC: 41BA = FFFFFFB406 [FAIL]
captured packet 5: length = 5, CRC: 33F4 = 3639 [FAIL]
captured packet 6: length = 2, CRC: FFFF = 06FFFFFFB0 [FAIL]
captured packet 7: length = 1, CRC: FFFF = 0630 [FAIL]
captured packet 8: length = 3, CRC: B23E = 0630 [FAIL]

Edit: I also tried with ModScan tool in Windows, I keep getting checksum error there too.

Can you please give me some hints?

[alerighi]

Hi, sorry if I respond late, I didn't see the message. It seems you are reading a lot of 1s: this may be caused by wrong levels on the RS485 line that 485 transreceiver logic.

You can try the following things:

• double check the positive/negative polarity (don't rely that A is positive and B negative, I've seen inverted multiple times, verity with a multimeter if in doubt)
• try to connect only the A and B data lines, not the ground (even indirectly trough the ground of the power cable, separate the ground of the PC than the one of the equipment, for example using a laptop)
• try to change the transreceiver with a better chip
• try with a transreceiver without the autosense logic (of course putting it always in receive mode)
• try to add a pull up/pull down resistor on the line to 3.3V/5V and down to GND
• keep your wires as short as possible and use shielded cable

You can verify with a simple terminal application (such as picocom on Linux or Putty on Windows) that you receive data that makes sense on the serial port. If you see a lot of FF there is something wrong at the physical level.

[kevin-david]

@nagyrobi This is a longshot, but did you have success with your ventilation system/controller? I'm trying to do the same thing with my Broan ERV where I'm pretty sure the communication method is Modbus, but also struggling to get useful data off the bus. Thanks!

More details here: https://community.home-assistant.io/t/venmar-vanee-broan-erv-hvac-controller-output/339770

[nagyrobi]

Sniffing never succeeded properly. I gave up this and instead started discusdions with the manufacturer who in the end shared with me the modbus registers documentation.

[Ekristoffe]

@nagyrobi @kevin-david Hello, I have found the timing can be pretty hard to set it right. personally at 115200 bps i had to set the -t (--interval) at 1000 to have the right amount of data (ie cutting right at the end of each modbus frames) I will do more testing at different speed to be sure of the timing calculation.

[kevin-david]

@Ekristoffe thanks for the info - were you sniffing a ventilator/ERV/etc. or a different device?

[Ekristoffe]

@Ekristoffe thanks for the info - were you sniffing a ventilator/ERV/etc. or a different device?

I have used it to sniff a lot of different devices and protocols. As long as you get the communication parameter right and the right time too it should be fine. I am using a Rpi2b

[alerighi]

Closed since there is no further activity.