Wireshark-users: Re: [Wireshark-users] Decode data layer by a Wireshark supported protocol

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 28 Sep 2017 16:29:20 -0700
On Sep 28, 2017, at 2:21 PM, Savakh S <sovakah@xxxxxxxxx> wrote:

> I have 802.15.4 packets with a data layer above.

"Above" as in "the link layer is 802.15.4, and the protocol running atop 802.15.4 is the data layer"?

I.e., the "Data Payload" of an 802.15.4 Data frame is a Modbus PDU of some sort?

> But modbus isn't proposed when I right click and choose "decode as".

That's because there's no Modbus dissector that registers itself as being usable atop 802.15.4.

So are these Modbus RTU PDUs, beginning with a unit ID byte, followed by a function code byte, followed by the data?