Applications
Applied · Prereq: lessons 6·7

08. Monitoring & Debugging

The traffic from lessons 6·7 is bytes you never see. When "it doesn't work and I don't know why", being able to see those bytes and decode them by hand is most of debugging. On real hardware you use the HRSS/Caterpillar Modbus Monitor; on a PC, Wireshark captures real Modbus/TCP packets. To practice without hardware, a hand-decoder unpacks hex frames into human-readable fields and checks them automatically.

Tags: monitoring · debugging · Wireshark · Modbus Monitor · Function Code · hex decode
Duration
~1.5 hours
Level
📊 Intermediate
Prerequisite
🎯 Lessons 6·7
OUTCOME
Understand the [Function Code][Data] packet structure and the 6 FCs' send/receive formats, decode hex frames by hand, and verify real traffic with Wireshark/Modbus Monitor.

What you'll learn

  1. Know a Modbus packet is [Function Code][Data], shown in the monitor as Address·FC·Data in hex
  2. Distinguish the 6 FCs' (02h·01h·0Fh·04h·03h·10h) Master-send/Slave-reply formats and decode raw bytes by hand
  3. Predict response length with the byte rules (Bit = ⌈count/8⌉, rounded up; Word = count×2)
  4. Perform the HRSS Modbus Monitor procedure and a Wireshark capture (loopback, Decode As Modbus/TCP)

Introduction

A Modbus packet's wrapper differs by transport, but the PDU (Function Code + Data) is the same on both, and that PDU is what the monitor and Wireshark decode. RTU sends [Slave Address][FC][Data][CRC16], the CRC being 2 bytes, low byte first. Modbus/TCP sends a 7-byte MBAP header [Transaction ID][Protocol ID = 0][Length][Unit ID] followed by [FC][Data]; it has no CRC because TCP's own checksum catches transmission errors. That checksum only guards against corruption: neither transport authenticates the sender, so any host that can reach the port (or the serial line) can issue exactly the read and write frames this lesson decodes.

Key concepts

1) The 6 Function Codes and byte rules

FC    Meaning                    Dir
02h   Read Discrete Inputs       read  (Bit)
01h   Read Coils                 read  (Bit)
0Fh   Write Multiple Coils       write (Bit)
04h   Read Input Registers       read  (Word)
03h   Read Holding Registers     read  (Word)
10h   Write Multiple Registers   write (Word)
ℹ️ Two key rules: ① Bit response bytes = ⌈count/8⌉ (rounded up), ② Word response bytes = count×2. Reads: the master sends "where and how many" (start address + count) and the slave returns [byte count][data]; writes (0Fh·10h): the master's request carries [start][count][byte count][data] and the slave's reply only echoes start address + count.

2) Hand-calc examples (originals from the manual; PDU only, so no slave address or CRC is shown)

```text
① 02 01 2C 00 05  → FC02, start 0x012C=300, count 5
② 04 04 00 5A 00 00 → FC04, bytes 4(=2 regs), values [0x5A=90, 0]
③ 10 00 C9 00 03 06 00 6F 00 DE 01 4D
   → FC10, start 0x00C9=201, count 3, bytes 6, values [111,222,333]
   (Slave reply 10 00 C9 00 03 — echoes start+count only)
```
⚠️ If the response FC's top bit is 1 (e.g. 02h→82h), it is an error response and the next (and only other) byte is an Exception Code: 01h illegal function, 02h illegal data address, 03h illegal data value. An exception reply is therefore always 2 bytes long, whatever the request asked for.

Core example

A hand-decoder that, given a hex frame, unpacks Function Code, start address, count, byte count and data into human-readable form. It uses only the standard library and opens no serial or network port, so you can paste bytes copied from the monitor or Wireshark and check your hand decode offline.

```python
decode_frame("02 01 2C 00 05", "request")   # FC=02h, start 300, count 5
decode_frame("04 04 00 5A 00 00", "response")          # bytes 4, values [90, 0]
decode_frame("10 00 C9 00 03 06 00 6F 00 DE 01 4D", "request")  # start 201, values [111,222,333]
```
```bash
# 💻 Wireshark live capture (optional): Npcap + loopback adapter
#  1) python ../../_shared/robot_server_sim.py --port 1502
#  2) python ../../_shared/modbus_master.py --port 1502 read-di 0 8
#  3) display filter tcp.port == 1502; non-standard port → Decode As → Modbus/TCP
# Query 02 00 00 00 08 / Response 02 01 08 (0x08 = only addr 3 On → [0,0,0,1,0,0,0,0])
```
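The decoder below is an added example written for this page; it is not the decode_frame from the course repository (whose body is not shown here) and only keeps the same call shape, returning a dict. Beyond the bare PDUs the monitor lists, it also verifies the two wrappers from the Introduction, the RTU CRC16 and the MBAP length field of the Modbus/TCP frames Wireshark shows on loopback, and applies the two byte rules and the exception-response rule above, so a pasted frame that breaks any of them raises instead of decoding silently. The function names, dict keys and the framing parameter are this example's own choices, and the sample frames inside it are the lesson's own plus constructed ones.

```python
"""Hand-decoder for the six Modbus FCs of lessons 6-7. Added example, not the course repo's
decode_frame: decodes a bare PDU (what the HRSS monitor lists), an RTU frame (address + PDU +
CRC16, CRC verified) or a Modbus/TCP frame (MBAP header + PDU, length verified). stdlib only."""
import math
import struct

NAMES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs", 0x03: "Read Holding Registers",
         0x04: "Read Input Registers", 0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FCS, BIT_FCS = {0x01, 0x02, 0x03, 0x04}, {0x01, 0x02, 0x0F}
EXCEPTIONS = {0x01: "illegal function", 0x02: "illegal data address", 0x03: "illegal data value"}

def crc16(data: bytes) -> int:
    """Modbus RTU CRC-16 (init 0xFFFF, reflected poly 0xA001); sent low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def frame(pdu: bytes, framing: str, unit: int = 1, tid: int = 0) -> bytes:
    """Wrap a PDU as the transport does, so sample frames need no hand-computed CRC."""
    if framing == "rtu":
        body = bytes([unit]) + pdu
        return body + struct.pack("<H", crc16(body))
    if framing == "tcp":  # MBAP: transaction id, protocol id 0, length (unit id + PDU), unit id
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu
    return pdu

def unframe(raw: bytes, framing: str):
    """Strip the wrapper, verifying CRC (RTU) or MBAP length (TCP); returns (unit, pdu)."""
    if framing == "rtu":
        if len(raw) < 4:
            raise ValueError("RTU frame too short")
        body, sent = raw[:-2], struct.unpack("<H", raw[-2:])[0]
        if crc16(body) != sent:
            raise ValueError(f"CRC mismatch: frame carries {sent:04X}, computed {crc16(body):04X}")
        return body[0], body[1:]
    if framing == "tcp":
        if len(raw) < 8:
            raise ValueError("MBAP frame too short")
        tid, pid, length, unit = struct.unpack(">HHHB", raw[:7])
        if pid != 0 or length != len(raw) - 6:
            raise ValueError(f"bad MBAP header: protocol id {pid}, length {length}, {len(raw) - 6} bytes follow")
        return unit, raw[7:]
    return None, raw  # bare PDU, as the monitor lists it

def bits(data: bytes, count: int) -> list:  # LSB first: bit 0 of byte 0 is the lowest address
    return [(b >> i) & 1 for b in data for i in range(8)][:count]

def words(data: bytes) -> list:  # registers are 16-bit big-endian words
    return list(struct.unpack(f">{len(data) // 2}H", data))

def decode_pdu(pdu: bytes, direction: str) -> dict:
    fc = pdu[0]
    if fc & 0x80:  # exception reply: FC with top bit set, then one exception code
        if direction != "response" or len(pdu) != 2:
            raise ValueError("malformed exception response")
        return {"fc": fc & 0x7F, "error": True, "exception": EXCEPTIONS.get(pdu[1], f"code {pdu[1]:02X}")}
    if fc not in NAMES:
        raise ValueError(f"function code {fc:02X} is not one of the six covered here")
    out = {"fc": fc, "name": NAMES[fc], "error": False}
    is_read, is_bit = fc in READ_FCS, fc in BIT_FCS
    if (direction == "request") == is_read:  # read request or write reply: [start][count] only
        if len(pdu) != 5:
            raise ValueError(f"expected 5 bytes, got {len(pdu)}")
        out["start"], out["count"] = struct.unpack(">HH", pdu[1:5])
        return out
    if direction == "request":  # write request: [start][count][byte count][data]
        if len(pdu) < 6:
            raise ValueError("write request too short")
        start, count, byte_count = struct.unpack(">HHB", pdu[1:6])
        expected = math.ceil(count / 8) if is_bit else count * 2  # the two byte rules
        if byte_count != expected or len(pdu) - 6 != byte_count:
            raise ValueError(f"count {count} needs {expected} data bytes, frame has {byte_count}/{len(pdu) - 6}")
        out.update(start=start, count=count, byte_count=byte_count,
                   values=bits(pdu[6:], count) if is_bit else words(pdu[6:]))
        return out
    byte_count, data = pdu[1], pdu[2:]  # read reply: [byte count][data]
    if len(data) != byte_count or (not is_bit and byte_count % 2):
        raise ValueError(f"byte count {byte_count} does not match {len(data)} data bytes")
    out.update(byte_count=byte_count, values=bits(data, byte_count * 8) if is_bit else words(data))
    if not is_bit:
        out["count"] = byte_count // 2  # word rule backwards: registers = bytes / 2
    return out

def decode_frame(hex_str: str, direction: str, framing: str = "pdu") -> dict:
    """Hex copied from the monitor or Wireshark -> decoded dict; ValueError on any inconsistency."""
    unit, pdu = unframe(bytes.fromhex(hex_str), framing)
    out = decode_pdu(pdu, direction)
    if unit is not None:
        out["unit"] = unit
    return out

if __name__ == "__main__":
    print(decode_frame("10 00 C9 00 03 06 00 6F 00 DE 01 4D", "request"))
    q = frame(bytes.fromhex("02 00 00 00 08"), "tcp", tid=1)  # the Wireshark-step query with its MBAP header
    print(q.hex(" "), "->", decode_frame(q.hex(), "request", "tcp"))
```

Paste a Wireshark frame with framing="tcp" (the 7 MBAP bytes first, as the Bytes pane shows them) or an RTU capture with framing="rtu"; frame() builds the same wrappers from a PDU, so you can check a hand-computed CRC against it, for example the classic request 01 03 00 00 00 0A, whose CRC comes out as C5 CD on the wire.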

Common mistakes

Q. Wireshark captures nothing (127.0.0.1↔127.0.0.1).

A. Local traffic never reaches the physical NIC. Switch the capture interface to "Adapter for loopback traffic capture" (Npcap's loopback adapter). If it isn't listed, reinstall Wireshark with Npcap and its loopback support option enabled.

Q. The Protocol column shows TCP, not Modbus/TCP.

A. Wireshark auto-decodes only TCP port 502 as Modbus/TCP. The practice simulator listens on 1502, so right-click a packet → Decode As… → set TCP port 1502 to Modbus/TCP.

Q. I keep confusing byte count and register count.

A. A register (word) is 2 bytes, so register count = byte count ÷ 2 (04 04 … → byte count 4 → 2 registers). Bits go the other way: byte count = ⌈count/8⌉, so one byte carries up to 8 coils or inputs, and the reply 02 01 08 packs all 8 inputs into a single byte.

Summary

  • A Modbus packet's core is [Function Code][Data], shown in hex (HRSS monitor up to 200 lines)
  • 6 FCs: reads 02h/01h/04h/03h, writes 0Fh/10h. Read replies carry data; write replies echo start+count
  • Length rules: Bit response bytes=⌈count/8⌉, Word response bytes=count×2
  • Verify real traffic with HRSS Modbus Monitor and Wireshark (loopback, Decode As Modbus/TCP)

Exercises

  1. Decode the three example frames (02·04·10h) and confirm start address·count·values
  2. Explain why 04 04 00 5A 00 00 means 2 registers using the byte rule
  3. Capture the read-di 0 8 traffic in Wireshark and decode Response 02 01 08 to [0,0,0,1,0,0,0,0]
Example code / lecture materials

All lecture materials and example code (with simulators, homework, and answers) are openly available on GitHub.
