Auto Discovery of the slave id of modbus device in a network

Question

How to determine whether device connected to the network is modbus device after getting valid ip range through broadcasting mechanism or How to Auto Discover the slave id of modbus device connected to the gateway ?

Answer 1

In the context of Modbus TCP, slaveId is not used to identify a Modbus device. IpAddress is used to identify the Modbus device if the device supports Modbus TCP/UDP.

if you want to discover the Modbus devices in a LAN, as you mentioned, you can send a broadcast message to all the range of IP addresses. But, there is no predefined register address to poll. Each Modbus device may be configured different address location.

Send TCP connection request for each :502.

And then for each connected device, like the Modscan tool, you can write your custom logic to scan all the registers in each discovered Modbus device.

Answer 2

You can try using nmap:

here you can find the tutorial to use.

You can also use Metasploit-framework(msfconsole):

• Modbus Client Utility, you can read/write to modus device
• Modbus Version Scanner, to detect modbus service
• Modbus find unit ID, it only works under modbus TCP/IP, it send the request "0x04" to all the modbus ID(0-254) and check the response.