Support #3048
closed
the modbus packets have been limited
Description
When I send about 80,000 modbus packets, the parser 'app-layer-modbus.c' doesn't parse the modbus packets. It only decodes the TCP.
So I want to know how to set the modbus no traffic limit?
If you have a method, thank you very much!
Updated by Andreas Herz over 5 years ago
- Assignee changed from Victor Julien to Community Ticket
- Target version set to Support
Without more details about your setup it is hard to help.
Also please don't assign team members directly for support tickets, we will take care of the assignments on our side.
Updated by John Smith over 5 years ago
OK. Here are my steps:
1. Run suricata: sudo suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2
2. Send modbus packets. I use the modbus slave and poll to send the packets.
3. In the modbus-parser 'app-layer-modbus.c', I write "printf('parse the modbus data\n');". And in "decode-tcp.c", I write "printf('decode tcp data');"
4. When I send above 80,000 packets, there is no output "parse the modbus data". But there is still 'decode tcp data'.
So I want to know how to solve this problem.
Updated by Andreas Herz over 5 years ago
What version of suricata on which system are you using? Best would be to paste a suricata --build-info output.
What does your config look like, and the iptables/nftables setup for that scenario?
Did you look into the stats.log if all relevant counters still increase while sending traffic?
Did you check if there are some rules that trigger, maybe even drop?
Without a clear diff to the original source code it's hard to tell if it's just an issue with your printf statements.
Updated by Victor Julien over 5 years ago
Could be the stream depth kicking in? Does the cut off happen at ~1MiB?
Updated by John Smith over 5 years ago
Oh, yes. The stream depth has limited the modbus flow data.
So I change the value to 0, is it ok?
Updated by Andreas Herz over 5 years ago
- Status changed from New to Feedback
I would recommend setting it to a sensible value but not 0. You need to tune it for your scenario.
Updated by Victor Julien about 5 years ago
- Status changed from Feedback to Closed
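
A simplified model of the cut-off diagnosed in this ticket, added here as an example and not part of the ticket or of Suricata's code: it builds constructed Modbus/TCP read-holding-registers frames and counts how many fit under a per-direction stream reassembly depth before the parser stops receiving complete frames. The helper names, the 10-register traffic pattern and the 1mb depth (taken from the ~1MiB mentioned above) are assumptions for illustration.

```python
"""Model of a per-direction stream reassembly depth cutting off Modbus/TCP parsing.

Added illustration; not Suricata code. Frame layout follows Modbus/TCP
(7-byte MBAP header + PDU); the traffic pattern is constructed.
"""
import struct

UNITS = {"kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_depth(text):
    """Convert a size such as '1mb' or '0' to bytes (0 means unlimited)."""
    text = text.strip().lower()
    for suffix, mult in UNITS.items():
        if text.endswith(suffix):
            return int(text[:-len(suffix)]) * mult
    return int(text)


def read_holding_request(tid, start=0, count=10, unit=1):
    """Build a function 0x03 request ADU: MBAP header + 5-byte PDU."""
    pdu = struct.pack(">BHH", 0x03, start, count)
    return struct.pack(">HHHB", tid & 0xFFFF, 0, len(pdu) + 1, unit) + pdu


def read_holding_response(tid, count=10, unit=1):
    """Build the matching response ADU carrying `count` zeroed registers."""
    pdu = struct.pack(">BB", 0x03, 2 * count) + bytes(2 * count)
    return struct.pack(">HHHB", tid & 0xFFFF, 0, len(pdu) + 1, unit) + pdu


def first_unparsed(depth, make_frame, limit=1_000_000):
    """Return the 1-based index of the first frame that does not fit
    completely within `depth` bytes of one direction, or None if all
    `limit` frames fit (always the case for depth 0)."""
    if depth == 0:
        return None
    seen = 0
    for n in range(1, limit + 1):
        seen += len(make_frame(n))
        if seen > depth:
            return n
    return None
```

With 12-byte requests the request direction reaches a 1mb depth after roughly 87,000 transactions, which is in line with the "above 80,000 packets" reported in the ticket.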