NETCAP
v0.5

Industrial Control Systems

ICS / SCADA threat hunting

Protocol Support

Netcap offers audit records for the following protocols seen in industrial control systems:

  • Ethernet/IP
  • CIP - Common Industrial Protocol
  • Modbus / ModbusTCP

The encoders are enabled by default.

Modbus

message Modbus {
    string Timestamp     = 1;
    int32  TransactionID = 2; // Identification of a MODBUS Request/Response transaction
    int32  ProtocolID    = 3; // It is used for intra-system multiplexing (0 for Modbus)
    int32  Length        = 4; // Number of following bytes (includes 1 byte for UnitIdentifier + Modbus data length)
    int32  UnitID        = 5; // Identification of a remote slave connected on a serial line or on other buses
    bytes  Payload       = 6;
    bool   Exception     = 7;
    int32  FunctionCode  = 8;

    PacketContext Context = 9;
}
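The Modbus audit record above maps onto the 7-byte MBAP header plus the PDU of a Modbus/TCP frame. The following Go program is an added example written for this page, not netcap's own decoder: it parses a constructed Modbus/TCP frame into the same field names as the record, validates the Length field against the actual frame size, and derives Exception from the high bit of the function code. The decision to store the masked function code (0x83 becomes 3 with Exception = true) and the anomaly flags returned by `HuntingFlags` are this example's own design choices, not a statement of how netcap populates the record.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ModbusRecord mirrors the Modbus audit record fields from this page.
// Timestamp and Context are omitted; this struct is constructed for the example.
type ModbusRecord struct {
	TransactionID int32
	ProtocolID    int32
	Length        int32
	UnitID        int32
	FunctionCode  int32
	Exception     bool
	Payload       []byte
}

const mbapHeaderLen = 7 // TransactionID(2) + ProtocolID(2) + Length(2) + UnitID(1)

var (
	ErrShortFrame     = errors.New("modbus: frame shorter than MBAP header plus function code")
	ErrLengthMismatch = errors.New("modbus: MBAP Length field does not match frame size")
)

// ParseModbusTCP parses one Modbus/TCP ADU (MBAP header followed by the PDU).
// The MBAP Length counts the UnitID byte plus all PDU bytes, so a well-formed
// frame is exactly 6 + Length bytes long; anything else is reported as an error.
func ParseModbusTCP(frame []byte) (ModbusRecord, error) {
	var r ModbusRecord
	if len(frame) < mbapHeaderLen+1 {
		return r, ErrShortFrame
	}
	r.TransactionID = int32(binary.BigEndian.Uint16(frame[0:2]))
	r.ProtocolID = int32(binary.BigEndian.Uint16(frame[2:4]))
	r.Length = int32(binary.BigEndian.Uint16(frame[4:6]))
	r.UnitID = int32(frame[6])
	if int(r.Length) != len(frame)-6 {
		return r, ErrLengthMismatch
	}
	fc := frame[7]
	// An exception response echoes the request function code with bit 7 set;
	// this example stores the masked code and records the exception separately.
	r.Exception = fc&0x80 != 0
	r.FunctionCode = int32(fc & 0x7F)
	r.Payload = append([]byte(nil), frame[8:]...)
	return r, nil
}

// HuntingFlags returns reasons a defender might want to look at a record:
// a non-zero ProtocolID (reserved, should be 0 on Modbus/TCP), an exception
// response, or a function code that writes to coils or registers.
func HuntingFlags(r ModbusRecord) []string {
	var flags []string
	if r.ProtocolID != 0 {
		flags = append(flags, "non-zero ProtocolID")
	}
	if r.Exception {
		flags = append(flags, "exception response")
	}
	switch r.FunctionCode {
	case 5, 6, 15, 16, 22, 23: // write single/multiple coils/registers, mask write, read/write multiple
		flags = append(flags, "write function code")
	}
	return flags
}

func main() {
	// Constructed sample: Read Holding Registers (FC 3) request to unit 0x11,
	// start address 0x006B, quantity 3.
	request := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x11, 0x03, 0x00, 0x6B, 0x00, 0x03}
	// Constructed sample: exception response (0x83 = FC 3 | 0x80), exception code 2.
	exception := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x11, 0x83, 0x02}
	for _, f := range [][]byte{request, exception} {
		r, err := ParseModbusTCP(f)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%+v flags=%v\n", r, HuntingFlags(r))
	}
}
```

Running it prints the two parsed records; the exception frame yields FunctionCode 3 with Exception true and the flag "exception response", while a frame whose Length field disagrees with its size is rejected before the PDU is read.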

CIP

message CIP {
    string          Timestamp        = 1;
    bool            Response         = 2; // false if request, true if response
    int32           ServiceID        = 3; // The service specified for the request
    uint32          ClassID          = 4; // request only
    uint32          InstanceID       = 5; // request only
    int32           Status           = 6; // Response only
    repeated uint32 AdditionalStatus = 7; // Response only
    bytes           Data             = 8; // Command data for request, reply data for response
    PacketContext   Context          = 9;
}

ENIP

message ENIP {
    string                  Timestamp        = 1;
    uint32                  Command          = 2; 
    uint32                  Length           = 3;
    uint32                  SessionHandle    = 4;
    uint32                  Status           = 5;
    bytes                   SenderContext    = 6;
    uint32                  Options          = 7;
    ENIPCommandSpecificData CommandSpecific  = 8;
    PacketContext           Context          = 9;
}
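The ENIP record above corresponds to the 24-byte EtherNet/IP encapsulation header, which, unlike Modbus/TCP, is little-endian. The Go program below is an added example for this page, not netcap's decoder: it parses a constructed RegisterSession frame into the record's field names, checks that the Length field does not claim more command-specific bytes than the frame carries, and names the handful of encapsulation commands from the EtherNet/IP specification that it recognises. The `ENIPRecord` struct and the `CommandName` table are this example's own constructions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ENIPRecord mirrors the ENIP audit record fields from this page.
// Timestamp and Context are omitted; CommandSpecific is kept as raw bytes
// rather than the ENIPCommandSpecificData message. Constructed for the example.
type ENIPRecord struct {
	Command         uint32
	Length          uint32
	SessionHandle   uint32
	Status          uint32
	SenderContext   []byte
	Options         uint32
	CommandSpecific []byte
}

const enipHeaderLen = 24 // Command(2) Length(2) SessionHandle(4) Status(4) SenderContext(8) Options(4)

var (
	ErrENIPShort  = errors.New("enip: frame shorter than the 24-byte encapsulation header")
	ErrENIPLength = errors.New("enip: Length field exceeds the bytes present in the frame")
)

// encapsulation command codes defined by the EtherNet/IP specification
var enipCommands = map[uint32]string{
	0x0004: "ListServices",
	0x0063: "ListIdentity",
	0x0064: "ListInterfaces",
	0x0065: "RegisterSession",
	0x0066: "UnRegisterSession",
	0x006F: "SendRRData",
	0x0070: "SendUnitData",
}

// CommandName returns a readable name for known commands and "Unknown(0x..)" otherwise.
func CommandName(cmd uint32) string {
	if n, ok := enipCommands[cmd]; ok {
		return n
	}
	return fmt.Sprintf("Unknown(0x%04x)", cmd)
}

// ParseENIP parses one encapsulation packet: the fixed header plus Length bytes
// of command-specific data. All multi-byte integers are little-endian.
func ParseENIP(frame []byte) (ENIPRecord, error) {
	var r ENIPRecord
	if len(frame) < enipHeaderLen {
		return r, ErrENIPShort
	}
	r.Command = uint32(binary.LittleEndian.Uint16(frame[0:2]))
	r.Length = uint32(binary.LittleEndian.Uint16(frame[2:4]))
	r.SessionHandle = binary.LittleEndian.Uint32(frame[4:8])
	r.Status = binary.LittleEndian.Uint32(frame[8:12])
	r.SenderContext = append([]byte(nil), frame[12:20]...)
	r.Options = binary.LittleEndian.Uint32(frame[20:24])
	// A Length larger than the remaining bytes means a truncated or malformed
	// packet; refuse it instead of slicing past the end of the frame.
	if int(r.Length) > len(frame)-enipHeaderLen {
		return r, ErrENIPLength
	}
	r.CommandSpecific = append([]byte(nil), frame[enipHeaderLen:enipHeaderLen+int(r.Length)]...)
	return r, nil
}

func main() {
	// Constructed sample: RegisterSession request (0x0065) with 4 bytes of
	// command-specific data (protocol version 1, option flags 0) and the
	// sender context "netcap" padded to 8 bytes.
	frame := []byte{
		0x65, 0x00, 0x04, 0x00, // Command, Length
		0x00, 0x00, 0x00, 0x00, // SessionHandle (0 before the session exists)
		0x00, 0x00, 0x00, 0x00, // Status
		'n', 'e', 't', 'c', 'a', 'p', 0x00, 0x00, // SenderContext
		0x00, 0x00, 0x00, 0x00, // Options
		0x01, 0x00, 0x00, 0x00, // command-specific data
	}
	r, err := ParseENIP(frame)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s session=%d status=%d data=%x\n", CommandName(r.Command), r.SessionHandle, r.Status, r.CommandSpecific)
}
```

The Status field is worth keeping in the record even though it is zero on requests: a non-zero Status on a response is the target's own report that the session handle or command was rejected, which is a cheap signal to pivot on when hunting for unexpected clients.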
Last updated 5 years ago