Industrial Control Systems
ICS / SCADA threat hunting

Protocol Support

Netcap offers audit records for the following protocols seen in industrial control systems:
  • Ethernet/IP
  • CIP - Common Industrial Protocol
  • Modbus / ModbusTCP
The encoders are enabled by default.

Modbus

```protobuf
message Modbus {
    string Timestamp = 1;
    int32 TransactionID = 2; // Identification of a MODBUS Request/Response transaction
    int32 ProtocolID = 3; // It is used for intra-system multiplexing
    int32 Length = 4; // Number of following bytes (includes 1 byte for UnitIdentifier + Modbus data length)
    int32 UnitID = 5; // Identification of a remote slave connected on a serial line or on other buses
    bytes Payload = 6;
    bool Exception = 7;
    int32 FunctionCode = 8;

    PacketContext Context = 9;
}
```
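As an added example (this is not Netcap's own code), the following Go program shows how the fields of the Modbus record above are derived from a raw Modbus/TCP frame: the 7-byte MBAP header carries TransactionID, ProtocolID, Length and UnitID, and the PDU that follows carries the function code and Payload. The sample frames are constructed. The decoder sets Exception when the high bit of the function code is set (the Modbus exception-response marker) and stores the code with that bit cleared; whether Netcap's encoder records FunctionCode the same way is not stated on this page, so treat that mapping as an assumption. A frame whose Length field does not match the bytes actually present is rejected, since that is the kind of malformed traffic a hunter wants surfaced rather than silently decoded.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ModbusRecord mirrors the Modbus audit record fields shown above.
// Timestamp and Context are omitted: they come from the packet, not the frame.
type ModbusRecord struct {
	TransactionID int32
	ProtocolID    int32
	Length        int32
	UnitID        int32
	FunctionCode  int32
	Exception     bool
	Payload       []byte
}

// MBAP header: TransactionID(2) + ProtocolID(2) + Length(2) + UnitID(1), big-endian.
const mbapHeaderLen = 7

// DecodeModbusTCP parses one Modbus/TCP frame (MBAP header followed by the PDU).
// It returns an error for frames whose Length field disagrees with the bytes
// present, or whose protocol identifier is not the Modbus value 0.
func DecodeModbusTCP(frame []byte) (ModbusRecord, error) {
	var r ModbusRecord
	// The PDU must contain at least the function code byte.
	if len(frame) < mbapHeaderLen+1 {
		return r, errors.New("frame too short for MBAP header and function code")
	}
	r.TransactionID = int32(binary.BigEndian.Uint16(frame[0:2]))
	r.ProtocolID = int32(binary.BigEndian.Uint16(frame[2:4]))
	r.Length = int32(binary.BigEndian.Uint16(frame[4:6]))
	r.UnitID = int32(frame[6])
	if r.ProtocolID != 0 {
		return r, fmt.Errorf("unexpected protocol identifier %d (Modbus uses 0)", r.ProtocolID)
	}
	// Length counts the UnitID byte plus the whole PDU, i.e. every byte after offset 6.
	if int(r.Length) != len(frame)-6 {
		return r, fmt.Errorf("length field %d does not match %d trailing bytes", r.Length, len(frame)-6)
	}
	fc := frame[7]
	// In an exception response the server echoes the function code with bit 7 set;
	// the first payload byte is then the exception code. (Assumed mapping, see lead-in.)
	r.Exception = fc&0x80 != 0
	r.FunctionCode = int32(fc & 0x7F)
	r.Payload = append([]byte(nil), frame[8:]...)
	return r, nil
}

func main() {
	// Constructed sample: Read Holding Registers (FC 3) request for 3 registers
	// starting at address 107, addressed to unit 17.
	req := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x06, 0x11, 0x03, 0x00, 0x6B, 0x00, 0x03}
	// Constructed sample: exception response to it, exception code 2 (illegal data address).
	exc := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x11, 0x83, 0x02}
	// Constructed sample: Length claims 9 trailing bytes but only 2 are present.
	bad := []byte{0x00, 0x01, 0x00, 0x00, 0x00, 0x09, 0x11, 0x03}
	for _, f := range [][]byte{req, exc, bad} {
		rec, err := DecodeModbusTCP(f)
		if err != nil {
			fmt.Println("malformed frame:", err)
			continue
		}
		fmt.Printf("%+v\n", rec)
	}
}
```

The decoder deliberately refuses rather than guesses on a length mismatch; when hunting over captured traffic, the count of refused frames per source is itself a useful signal.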

CIP

```protobuf
message CIP {
    string Timestamp = 1;
    bool Response = 2; // false if request, true if response
    int32 ServiceID = 3; // The service specified for the request
    uint32 ClassID = 4; // request only
    uint32 InstanceID = 5; // request only
    int32 Status = 6; // Response only
    repeated uint32 AdditionalStatus = 7; // Response only
    bytes Data = 8; // Command data for request, reply data for response
    PacketContext Context = 9;
}
```

ENIP

```protobuf
message ENIP {
    string Timestamp = 1;
    uint32 Command = 2;
    uint32 Length = 3;
    uint32 SessionHandle = 4;
    uint32 Status = 5;
    bytes SenderContext = 6;
    uint32 Options = 7;
    ENIPCommandSpecificData CommandSpecific = 8;
    PacketContext Context = 9;
}
```
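As an added example (not Netcap's code), this Go program decodes the 24-byte EtherNet/IP encapsulation header that the ENIP record above is built from: Command, Length, SessionHandle, Status, an 8-byte SenderContext and Options, all little-endian, followed by Length bytes of command-specific data. Here the command-specific data is kept as raw bytes rather than the structured ENIPCommandSpecificData the record uses. The sample packet is a constructed RegisterSession request; the command-code constants are the values from the EtherNet/IP encapsulation specification.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ENIPRecord mirrors the encapsulation-header fields of the ENIP record above.
// Timestamp and Context are omitted; CommandSpecific is left as raw bytes.
type ENIPRecord struct {
	Command         uint32
	Length          uint32
	SessionHandle   uint32
	Status          uint32
	SenderContext   []byte
	Options         uint32
	CommandSpecific []byte
}

const enipHeaderLen = 24

// Encapsulation command codes from the EtherNet/IP specification.
const (
	ENIPListIdentity      = 0x0063
	ENIPRegisterSession   = 0x0065
	ENIPUnregisterSession = 0x0066
	ENIPSendRRData        = 0x006F
	ENIPSendUnitData      = 0x0070
)

// DecodeENIP parses the little-endian encapsulation header and the command
// data behind it. It rejects a non-zero Options field (the specification
// requires receivers to discard such packets) and a Length that does not
// match the bytes actually present.
func DecodeENIP(pkt []byte) (ENIPRecord, error) {
	var r ENIPRecord
	if len(pkt) < enipHeaderLen {
		return r, errors.New("packet shorter than the 24-byte encapsulation header")
	}
	r.Command = uint32(binary.LittleEndian.Uint16(pkt[0:2]))
	r.Length = uint32(binary.LittleEndian.Uint16(pkt[2:4]))
	r.SessionHandle = binary.LittleEndian.Uint32(pkt[4:8])
	r.Status = binary.LittleEndian.Uint32(pkt[8:12])
	r.SenderContext = append([]byte(nil), pkt[12:20]...)
	r.Options = binary.LittleEndian.Uint32(pkt[20:24])
	if r.Options != 0 {
		return r, fmt.Errorf("non-zero options field 0x%08x", r.Options)
	}
	if int(r.Length) != len(pkt)-enipHeaderLen {
		return r, fmt.Errorf("length field %d does not match %d bytes of command data",
			r.Length, len(pkt)-enipHeaderLen)
	}
	r.CommandSpecific = append([]byte(nil), pkt[enipHeaderLen:]...)
	return r, nil
}

func main() {
	// Constructed sample: RegisterSession request. Session handle and status are 0,
	// sender context is "ncap" padded to 8 bytes, options 0, then 4 bytes of
	// command data (protocol version 1, option flags 0).
	reg := []byte{
		0x65, 0x00, 0x04, 0x00, // Command, Length
		0x00, 0x00, 0x00, 0x00, // SessionHandle
		0x00, 0x00, 0x00, 0x00, // Status
		'n', 'c', 'a', 'p', 0x00, 0x00, 0x00, 0x00, // SenderContext
		0x00, 0x00, 0x00, 0x00, // Options
		0x01, 0x00, 0x00, 0x00, // command-specific data
	}
	rec, err := DecodeENIP(reg)
	if err != nil {
		fmt.Println("malformed packet:", err)
		return
	}
	fmt.Printf("command 0x%04x, register session = %v, %d bytes of command data\n",
		rec.Command, rec.Command == ENIPRegisterSession, len(rec.CommandSpecific))
}
```

Session handles are assigned by the target in the RegisterSession reply, so a SendRRData or SendUnitData packet whose SessionHandle was never seen in such a reply is worth a closer look when hunting over a capture.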