3

We are operating old systems which have many modules we are not able to find on the market. So we are looking for replacements. An S7-200 PLC with several sensors is communicating over an RS485 pair cable. We checked and found out that all sensors support both PROFIBUS DP and MODBUS protocols.

We tried to capture some packets with putty, so we can find which protocol is used.

03 06 00 00 04 FD 2D 61 FE 03 06 00 00 04 FD 2D 61 FE 03 06 00 02 01 3B 85 93 E5 03 06 00 02 01 3B 85 93 E5 03 06 00 05 00 00 F8 03 06 00 05 00 00 98 A5 FE AC 18 60 C0 98 29 FF 03 06 00 05 00 00 98 A5 FE

It looks like 9 byte long packets are transmitted repeatedly, but packets look like neither PROFIBUS DP nor MODBUS packets.

Were we at fault for using putty for packet reading?
Or can the system protocol be a different protocol (like Freeport)?

3
  • The bus speed can potentially be in the megabits per second. Is PuTTY connected with a matching baud rate? Otherwise we might see garbage instead of the real values. Does the port that PuTTY connects to support those high bitrates? Commented May 2, 2019 at 21:24
  • I checked baud rates over the HMI connected to the communication cables and it shows 9600 and 19200. I tried both rates but still cannot get anything that looks like MODBUS or PROFIBUS DP. Maybe I should try another software to sniff the data line.
    – Turkuaz
    Commented May 8, 2019 at 6:44
  • Ah, so you tried different baud rates. Good. I presume you got different byte streams with PuTTY then? If not, that would be strange. Would be really nice if you also added those new hex dumps to the original question with a mention of the baud rate you captured it at. Commented May 8, 2019 at 7:42

1 Answer

0

When changing out old devices on either Modbus or Profibus fieldbus networks it is imperative that one fully understands how the device is configured, because any change (such as node address, baud rate, data mapping, etc.) will result in numerous errors. Unless the exact same model can be sourced (replace in kind), it is almost impossible to replace the device without changing the data being requested in the Master and ensuring that the proper data ends up in the right destination.

Another point to consider is that only devices using the same protocol can exist on the physical network together. As a result, if ANY device on the network is only capable of one protocol, it's safe to say that's the protocol in use. The best place to ascertain which protocol is in use is the Master device. The Master device will be configured to use the port that is connected to the network.

In the case of the S7-200, if it is configured for Modbus, there will be "MBUS_" library blocks in use if it is either Master or Slave (MBUS_CTRL, MBUS_MSG, or MBUS_INIT for Master, MBUS_SLAVE for Slave). As well, integrated ports on the S7-200 do not support Profibus-DP at all. Even if there is an EM-277 module, it can only act as a Slave.

If there is an HMI on the same RS485 physical network, it could be functioning as the Master (either Modbus or Profibus). Further investigation into the HMI configuration could reveal the nature of the network.
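Added example (not part of the original answer and not the posters' code): one way to test a raw capture against both candidate framings is to look for windows whose checksum verifies, a CRC-16 for Modbus RTU and a byte-sum FCS between start and end delimiters for PROFIBUS FDL. The names `scan`, `QUESTION` and `CONSTRUCTED` are this example's own, the constructed frames are made up for illustration, and the check assumes the capture was taken with the bus's actual baud rate and parity.

```python
def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def is_modbus_rtu(frame: bytes) -> bool:
    """Address, function, data, then the CRC sent low byte first."""
    ok_len = 4 <= len(frame) <= 256
    return ok_len and crc16_modbus(frame[:-2]) == int.from_bytes(frame[-2:], "little")

def profibus_len(buf: bytes) -> int:
    """Length of a checksum-valid PROFIBUS FDL telegram at buf[0], else 0."""
    sd = buf[0] if buf else None
    if sd == 0x10:                      # SD1: DA SA FC, no data
        start, total = 1, 6
    elif sd == 0xA2:                    # SD3: DA SA FC plus 8 data bytes
        start, total = 1, 14
    elif sd == 0x68 and buf[3:4] == b"\x68" and buf[1] == buf[2] and 4 <= buf[1] <= 249:
        start, total = 4, buf[1] + 6    # SD2: LE, LE repeated, SD2, then LE bytes
    else:
        return 0                        # token (0xDC) / short ack (0xE5): no checksum
    if len(buf) < total or buf[total - 1] != 0x16:   # end delimiter
        return 0
    fcs = sum(buf[start:total - 2]) & 0xFF           # byte sum modulo 256
    return total if fcs == buf[total - 2] else 0

def scan(capture: bytes, max_len: int = 32):
    """(offset, protocol, length) per valid window; a lone hit can be chance."""
    hits = []
    for off in range(len(capture)):
        n = profibus_len(capture[off:])
        hits += [(off, "profibus", n)] if n else []
        for length in range(4, min(max_len, len(capture) - off) + 1):
            if is_modbus_rtu(capture[off:off + length]):
                hits.append((off, "modbus", length))
    return hits

QUESTION = bytes.fromhex(  # hex dump copied from the question
    "03 06 00 00 04 FD 2D 61 FE 03 06 00 00 04 FD 2D 61 FE 03 06 00 02 01 3B 85 93 E5 "
    "03 06 00 02 01 3B 85 93 E5 03 06 00 05 00 00 F8 03 06 00 05 00 00 98 A5 FE "
    "AC 18 60 C0 98 29 FF 03 06 00 05 00 00 98 A5 FE")
# Constructed sample: one noise byte, one Modbus RTU frame, one PROFIBUS SD1 telegram.
CONSTRUCTED = bytes.fromhex("FF 01 03 00 00 00 01 84 0A 10 02 01 49 4C 16")

if __name__ == "__main__":
    print(scan(QUESTION), scan(CONSTRUCTED), sep="\n")
```

Real traffic in either protocol produces hits that repeat across the capture; a dump that yields none at every baud rate and parity tried points to wrong serial settings or a different protocol.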
