v0.5
Industrial Control Systems
ICS / SCADA threat hunting
Protocol Support
Netcap offers audit records for the following protocols seen in industrial control systems:
- Ethernet/IP
- CIP - Common Industrial Protocol
- Modbus / ModbusTCP
The encoders are enabled by default.
Modbus
1
message Modbus {
2
string Timestamp = 1;
3
int32 TransactionID = 2; // Identification of a MODBUS Request/Response transaction
4
int32 ProtocolID = 3; // It is used for intra-system multiplexing
5
int32 Length = 4; // Number of following bytes (includes 1 byte for UnitIdentifier + Modbus data length
6
int32 UnitID = 5; // Identification of a remote slave connected on a serial line or on other buses
7
bytes Payload = 6;
8
bool Exception = 7;
9
int32 FunctionCode = 8;
10
11
PacketContext Context = 9;
12
}
Copied!
CIP
1
message CIP {
2
string Timestamp = 1;
3
bool Response = 2; // false if request, true if response
4
int32 ServiceID = 3; // The service specified for the request
5
uint32 ClassID = 4; // request only
6
uint32 InstanceID = 5; // request only
7
int32 Status = 6; // Response only
8
repeated uint32 AdditionalStatus = 7; // Response only
9
bytes Data = 8; // Command data for request, reply data for response
10
PacketContext Context = 9;
11
}
Copied!
ENIP
1
message ENIP {
2
string Timestamp = 1;
3
uint32 Command = 2;
4
uint32 Length = 3;
5
uint32 SessionHandle = 4;
6
uint32 Status = 5;
7
bytes SenderContext = 6;
8
uint32 Options = 7;
9
ENIPCommandSpecificData CommandSpecific = 8;
10
PacketContext Context = 9;
11
}
Copied!
Last modified 2yr ago
Copy link