NETCAP
NETCAP
Overview
GitHub
Homepage
GoDoc
Overview
Audit Records
Specification
Installation
Quickstart
Configuration
Bash Completion
Packet Collection
Audit Record Labeling
HTTP Proxy
USB Capture
Payload Capture
Distributed Collection
Workers
Filtering and Export
Data Compression
Internals
Metrics
Resolvers
TLS Fingerprinting
Reassembly
Deep Packet Inspection
Live Capture
Maltego Integration
Logging
Packet Contexts
Industrial Control Systems
File Extraction
Email Extraction
Device Profiles
Python Integration
Changelog
Troubleshooting
Unit Tests
Extension
Downloads
Docker Containers
FAQ
Contributing
License
Powered by GitBook

Industrial Control Systems

ICS / SCADA threat hunting

Protocol Support

Netcap offers audit records for the following protocols seen in industrial control systems:

  • Ethernet/IP

  • CIP - Common Industrial Protocol

  • Modbus / ModbusTCP

The encoders are enabled by default.

Modbus

message Modbus {
    string Timestamp     = 1;
    int32  TransactionID = 2; // Identification of a MODBUS Request/Response transaction
    int32  ProtocolID    = 3; // It is used for intra-system multiplexing
    int32  Length        = 4; // Number of following bytes (includes 1 byte for UnitIdentifier + Modbus data length
    int32  UnitID        = 5; // Identification of a remote slave connected on a serial line or on other buses
    bytes  Payload       = 6;
    bool   Exception     = 7;
    int32  FunctionCode  = 8;
    
    PacketContext Context = 9;
}

CIP

message CIP {
    string          Timestamp        = 1;
    bool            Response         = 2; // false if request, true if response
    int32           ServiceID        = 3; // The service specified for the request
    uint32          ClassID          = 4; // request only
    uint32          InstanceID       = 5; // request only
    int32           Status           = 6; // Response only
    repeated uint32 AdditionalStatus = 7; // Response only
    bytes           Data             = 8; // Command data for request, reply data for response
    PacketContext   Context          = 9;
}

ENIP

message ENIP {
    string                  Timestamp        = 1;
    uint32                  Command          = 2; 
    uint32                  Length           = 3;
    uint32                  SessionHandle    = 4;
    uint32                  Status           = 5;
    bytes                   SenderContext    = 6;
    uint32                  Options          = 7;
    ENIPCommandSpecificData CommandSpecific  = 8;
    PacketContext           Context          = 9;
}
Previous
Packet Contexts
Next
File Extraction
Last updated 1 year ago
Contents
Protocol Support
Modbus
CIP
ENIP