I am a field service technician and I am wanting to capture Modbus RTU TCP/IP polls and responses on a SCADA network. I have downloaded the Wireshark program and I am testing it on our in-house network. I have another machine polling across the network using Modbus RTU TCP/IP polls and an end device is answering. I have created some pcap files using DLT_USER ID=147. These files contain either serial 'Modbus RTU' data or serial 'DNP3' data. Note that this is just raw.
![Wireshark Serial Modbus RTU](http://i.imgur.com/vDN3R.png)
Out of the box it can't. The usual way to monitor such traffic is to convert the serial traffic to Ethernet using a device server such as these devices (there are other similar, cheaper devices available). You can then use one device at each end and use a tap or switch with port mirroring (or even a hub) in between each end and then capture the traffic. If the Modbus master is on a PC, the application can often be configured to use TCP/IP instead of serial; in this case you only need one device server at the Modbus slave end.
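Once traffic is captured this way, the payloads can be framed in two ways. The sketch below is an added example, not part of the original answer: it tells a serial RTU frame tunnelled over TCP (trailing CRC) from a native Modbus TCP frame (MBAP header), assuming the device server passes the serial bytes through unchanged. The function names and sample payloads are constructed for illustration.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_rtu(unit: int, function: int, data: bytes) -> bytes:
    """Serial RTU frame: unit, function, data, CRC (low byte first)."""
    body = bytes([unit, function]) + data
    return body + struct.pack("<H", crc16_modbus(body))

def classify_payload(payload: bytes) -> dict:
    """Decide how one captured TCP payload is framed and pull out the PDU."""
    # Modbus TCP: MBAP header = transaction id, protocol id (0), length, unit id.
    if len(payload) >= 8:
        tid, pid, length, unit = struct.unpack(">HHHB", payload[:7])
        if pid == 0 and length == len(payload) - 6:
            return {"framing": "modbus-tcp", "unit": unit,
                    "function": payload[7], "data": payload[8:]}
    # Tunnelled serial RTU: no MBAP header, trailing CRC must verify.
    if len(payload) >= 4:
        (wire_crc,) = struct.unpack("<H", payload[-2:])
        if crc16_modbus(payload[:-2]) == wire_crc:
            return {"framing": "rtu-over-tcp", "unit": payload[0],
                    "function": payload[1], "data": payload[2:-2]}
    return {"framing": "unknown"}

# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "rtu poll": bytes.fromhex("010300000001840a"),   # read 1 holding register
    "rtu reply": build_rtu(1, 3, bytes.fromhex("02002a")),
    "tcp poll": bytes.fromhex("000100000006010300000001"),
    "bad crc": bytes.fromhex("010300000001840b"),    # last CRC byte altered
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, payload.hex(" "), classify_payload(payload))
```

A payload that verifies as RTU but is shown undecoded in Wireshark indicates the capture carries tunnelled serial frames rather than MBAP-framed Modbus TCP.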