I have a device connected via ethernet cable to the network. Its manual says it accepts the modbusTCP communication protocol, and indeed nmap on the configured port shows that a modbus service is open (nmap output at the end). I am no modbus expert, but I found the pyModbusTCP python module to try and establish a first connection. Based on tutorials and documentation, the code I am trying to use is saved as modbus_client.py and goes like:
#!/usr/bin/python3
import sys
from pyModbusTCP.client import ModbusClient

# "device_IP" stands for the equipment's address; unit_id defaults to 1
client = ModbusClient(host="device_IP", port=502, auto_open=True, debug=True)
client.open()
# read <count> holding registers (function 0x03) starting at <address>
regs = client.read_holding_registers(int(sys.argv[1]), int(sys.argv[2]))
print(regs)  # list of 16-bit values, or None if the read failed
I am focusing on the read_holding_registers function mainly because the device manual says that the implemented modbus functions are Read Holding Registers (0x03), Write Multiple Registers (0x10) and Write Single Register (0x06), and I have the register map of the device.
According to the register map (image below), I tried executing the script with
./modbus_client.py 4096 32
and
./modbus_client.py 4096 16
but all i get as output is:
Tx
[59 50 00 00 00 06 01] 03 0F FF 00 20
timeout error
I also noticed that every time I execute the code the numbers inside the brackets change, while the ones outside the brackets stay the same. Changing the port to any other generates connection refused, so I think I am connecting to the right port, but I have no idea what I am doing wrong after that.
Any ideas on how to debug this? Is there an easier approach to check modbusTCP communication with device? Thanks in advance.
OBS1: image of the register I am trying to access. The manual says a single word is 16-bit.
OBS2: nmap output in two different ports:
$ nmap -p 502 device_IP
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-12 21:21 -03
Nmap scan report for device_IP
Host is up (0.028s latency).
PORT STATE SERVICE
502/tcp open mbap
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
and
$ nmap -p 503 device_IP
Starting Nmap 7.80 ( https://nmap.org ) at 2022-07-12 21:22 -03
Nmap scan report for device_IP
Host is up (0.027s latency).
PORT STATE SERVICE
503/tcp closed intrinsa
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds
Turns out it was a problem with the netmask. The equipment's netmask was configured to 24, but I was trying to access it from an I.P. out of that range.
In my case, I was trying to access the I.P. 10.20.41.90 from a computer with an I.P. of 10.0.X.Y.
I configured the netmask to 8 and it all worked.
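An added example, not code from either poster, that decodes the Tx line from the question (the bracketed bytes are the MBAP header, whose transaction id the client changes on every request, which is why they differ between runs) and checks the subnet mismatch described in the answer. The frame bytes are copied from the question; the client address 10.0.1.2 is a constructed stand-in for 10.0.X.Y.

```python
import ipaddress
import struct


def decode_mbap_request(frame: bytes) -> dict:
    """Split a Modbus/TCP request into its MBAP header and, for a
    Read Holding Registers (0x03) request, the PDU fields."""
    if len(frame) < 7:
        raise ValueError("frame shorter than the 7-byte MBAP header")
    # MBAP header: transaction id, protocol id (always 0), length, unit id.
    # The transaction id is chosen by the client for each request and echoed
    # back by the server; it is not part of the register address.
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    # length counts the unit id byte plus the PDU
    if len(pdu) != length - 1:
        raise ValueError(f"length field {length} does not match PDU size {len(pdu) + 1}")
    out = {"transaction_id": tid, "protocol_id": proto, "length": length,
           "unit_id": unit, "function_code": pdu[0]}
    if pdu[0] == 0x03:
        # PDU for 0x03: 16-bit starting address, 16-bit register count
        out["start_addr"], out["quantity"] = struct.unpack(">HH", pdu[1:5])
    return out


def same_subnet(device_ip: str, prefix_len: int, client_ip: str) -> bool:
    """True if client_ip lies inside the network the device believes it is on,
    i.e. the device can route replies back to it without a gateway."""
    net = ipaddress.ip_network(f"{device_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(client_ip) in net


# Constructed sample: the Tx line from the question with the bracketed MBAP
# header and the PDU joined into one byte string.
TX_FRAME = bytes.fromhex("59 50 00 00 00 06 01 03 0F FF 00 20")

if __name__ == "__main__":
    print(decode_mbap_request(TX_FRAME))
    for prefix in (24, 8):
        print(f"/{prefix}:", same_subnet("10.20.41.90", prefix, "10.0.1.2"))
```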