
Introduction:
Operational Technology (OT) and Industrial Control Systems (ICS) form the backbone of critical infrastructure, from power grids to manufacturing plants. While traditionally isolated, modern IT/OT convergence has exposed these sensitive networks to unprecedented cyber threats. This article provides a technical blueprint for using Wireshark, the quintessential network protocol analyzer, to achieve crucial visibility and security in OT environments, moving beyond theory to hands-on packet inspection.
Learning Objectives:
- Master the setup of passive network monitoring in an OT context without disrupting critical processes.
- Decode and analyze common industrial protocols like Modbus/TCP, DNP3, and PROFINET for anomalies.
- Identify malicious traffic patterns and indicators of compromise (IoCs) specific to ICS networks.
You Should Know:
1. Establishing Passive Visibility in an OT Network
Before analyzing, you must capture traffic without affecting process stability. OT devices are sensitive to added latency and to unsolicited traffic (some PLCs and RTUs fault when they are port-scanned), so monitoring must be strictly passive: never run active scans or discovery tools from the analysis station. A network tap or a Switched Port Analyzer (SPAN) port is essential. Prefer a tap where one can be installed during a maintenance window; a SPAN port shares the switch's forwarding capacity and silently drops mirrored frames under load, which hides exactly the bursts you most want to see.
Step‑by‑step guide:
- Identify a Capture Point: Place a network tap or configure a SPAN port on a managed switch connecting a critical asset like a PLC (Programmable Logic Controller) or an engineering workstation.
- Connect Your Analysis Station: Use a dedicated laptop with Wireshark installed. Connect it to the tap or SPAN port. Ensure this machine has no extra network services running to minimize its attack surface, and leave the capture interface without an IP address so the laptop cannot transmit onto the OT segment (a tap's monitor port is receive-only; whether a SPAN destination port accepts ingress frames depends on the switch configuration).
- Verify Capturing: In Wireshark, select the correct interface (e.g., eth0). Start a capture and trigger a known process on the OT network (e.g., a read command from an HMI). You should see packets.
Linux Command to list interfaces: `sudo wireshark -D` or `ip link show`
Windows Command via PowerShell: `Get-NetAdapter | Format-List Name, ifIndex, Status`
2. Crafting Precise Capture and Display Filters for OT Protocols
OT traffic can be dense. Filters are mandatory to isolate relevant packets. Use capture filters for long-term collection and display filters for investigation.
Step‑by‑step guide:
1. Capture Filter for Modbus/TCP: To capture only Modbus traffic on its default port (502) to/from a specific PLC (IP: 192.168.1.10): `host 192.168.1.10 and tcp port 502`
2. Apply in Wireshark: In the capture options, enter the filter in the "Capture Filter" bar. Capture filters use BPF syntax and cannot be changed once the capture is running, so keep them broad (a host, a subnet, a port) and do the fine-grained selection afterwards with display filters.
3. Display Filter for DNP3 Source/Destination: To view only DNP3 packets from a specific outstation: `dnp3 and ip.src==192.168.1.20`. DNP3 runs on TCP port 20000 by default; if a site uses another port, map it with Analyze > Decode As, otherwise the `dnp3` filter matches nothing.
4. Filter for Exceptionally Large Packets: Industrial protocols have small, fixed maximum message sizes. A Modbus/TCP ADU is at most 260 bytes (a 7-byte MBAP header plus a 253-byte PDU), so a frame on port 502 much larger than roughly 320 bytes including Ethernet, IP and TCP headers is out of specification and worth inspecting. Use `frame.len > 500` as a protocol-agnostic first pass, or the tighter `tcp.port == 502 and frame.len > 320` for Modbus.
3. Dissecting Common OT Protocol Conversations
Understanding normal traffic is key to spotting anomalies.
Step‑by‑step guide for Modbus/TCP Analysis:
1. Apply a display filter: `modbus`.
2. Select a packet. Navigate to the packet details pane and expand the Modbus/TCP section (the MBAP header: transaction ID, protocol ID, length, unit ID) and the Modbus section beneath it (function code and data).
3. Analyze Function Codes (field `modbus.func_code`):
`01`/`02` (Read Coils / Read Discrete Inputs), `03` (Read Holding Registers) & `04` (Read Input Registers): Normal polled queries from the HMI/SCADA client.
`05` (Write Single Coil), `06` (Write Single Register), `15`/`0x0F` (Write Multiple Coils) & `16`/`0x10` (Write Multiple Registers): Commands that change process state. Scrutinize these for unauthorized changes.
`08` (Diagnostics) & `43`/`0x2B` (Read Device Identification): Rarely seen in steady-state polling; a burst of them from a new source looks like enumeration.
A response whose function code has the high bit set (e.g. `0x83` answering a `03`) is an exception response, and `modbus.exception_code` carries the reason (`01` Illegal Function, `02` Illegal Data Address, `03` Illegal Data Value, `04` Server Device Failure). Repeated exceptions from one PLC usually mean something is probing addresses or function codes it does not support.
4. Note the Transaction ID (`mbtcp.trans_id`). Match queries and responses to understand the conversation flow between the client (HMI/SCADA) and server (PLC). A response with no matching request, or a request that never gets one, is itself worth a look.
4. Hunting for OT-Specific Threats and Anomalies
Use Wireshark’s analysis tools to find suspicious behavior.
Step‑by‑step guide to detect reconnaissance and manipulation:
1. Scan Detection: Filter for new connection attempts (SYN without ACK) to ports that no protocol on the segment should be using, for example anything other than Modbus/TCP (502) and DNP3 (20000):
`tcp.flags.syn == 1 and tcp.flags.ack == 0 and tcp.dstport != 502 and tcp.dstport != 20000 and ip.dst == <OT_Subnet>` (substitute the OT subnet in CIDR form, e.g. `192.168.1.0/24`). Then open Statistics > Conversations or Statistics > Endpoints: one source reaching dozens of destinations or ports on a segment where an HMI normally polls a handful of PLCs looks like reconnaissance, whether or not the probes were answered.
2. Malformed Packet Detection: Use the built-in analyzer: Go to Analyze > Expert Info. Look for "Malformed" entries under the "Errors" tab, which could indicate fuzzing or a crafted packet aimed at a fragile protocol stack; the display filter `_ws.malformed` shows the same packets in the packet list. Confirm the dissector is not simply mis-decoding a vendor extension before escalating.
3. Detecting Unauthorized Writes: A critical alert filter for the Modbus function codes that change state (05, 06, 15, 16):
`modbus.func_code == 0x05 or modbus.func_code == 0x06 or modbus.func_code == 0x0F or modbus.func_code == 0x10`
The DNP3 equivalent covers WRITE, SELECT, OPERATE and DIRECT OPERATE: `dnp3.al.func == 2 or dnp3.al.func == 3 or dnp3.al.func == 4 or dnp3.al.func == 5 or dnp3.al.func == 6`. Correlate the source IP of every hit with the list of authorized engineering stations and HMIs; a write from any other address is an incident until proven otherwise.
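The Modbus/TCP dissection in section 3 and the hunting filters in section 4 can also be replayed outside Wireshark, which is useful for batch-checking long captures. The following Python script is an added example, not code from the original post: it parses the MBAP header and function code of each packet, pairs requests with responses by transaction ID, and flags writes from sources not on an authorized list, enumeration function codes, exception responses, out-of-spec framing and unanswered requests. The addresses, the authorized-writer list and the packets are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

MODBUS_PORT = 502
MBAP_LEN = 7                  # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260                 # MBAP header plus a 253-byte PDU, the Modbus/TCP maximum
WRITE_FUNCS = {5, 6, 15, 16}  # single/multiple coil and register writes
RECON_FUNCS = {8, 43}         # Diagnostics, Read Device Identification
EXC_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
             3: "Illegal Data Value", 4: "Server Device Failure"}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes            # TCP payload only, i.e. the Modbus ADU

@dataclass
class Adu:
    trans_id: int
    unit_id: int
    func: int                 # function code with the exception bit cleared
    exception: Optional[int]  # exception code, or None for a normal PDU
    data: bytes

def parse_adu(payload: bytes) -> Adu:
    """Parse one Modbus/TCP ADU; raise ValueError for out-of-spec framing."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("truncated MBAP header")
    if len(payload) > MAX_ADU:
        raise ValueError(f"ADU of {len(payload)} bytes exceeds the {MAX_ADU}-byte maximum")
    trans_id, proto_id, length, unit_id = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto_id != 0:
        raise ValueError(f"protocol id {proto_id} is not Modbus")
    if length != len(payload) - 6:    # the length field counts unit id + PDU
        raise ValueError(f"MBAP length {length} disagrees with payload ({len(payload) - 6})")
    raw_func = payload[MBAP_LEN]
    if raw_func & 0x80:               # exception response: a single code byte follows
        if len(payload) < MBAP_LEN + 2:
            raise ValueError("exception response without exception code")
        return Adu(trans_id, unit_id, raw_func & 0x7F, payload[MBAP_LEN + 1], b"")
    return Adu(trans_id, unit_id, raw_func, None, payload[MBAP_LEN + 1:])

def triage(packets, authorized_writers):
    """Replay packets and return (kind, source, detail) findings.

    Packets to port 502 are requests; anything else is a response, matched to
    its request by (client, server, transaction id) the way Wireshark does.
    """
    findings, pending = [], {}
    for p in packets:
        try:
            adu = parse_adu(p.payload)
        except ValueError as err:
            findings.append(("malformed", p.src, str(err)))
            continue
        if p.dport == MODBUS_PORT:                        # client -> server
            pending[(p.src, p.dst, adu.trans_id)] = adu
            if adu.func in WRITE_FUNCS and p.src not in authorized_writers:
                findings.append(("unauthorized-write", p.src,
                                 f"FC{adu.func:02d} to {p.dst} unit {adu.unit_id}"))
            elif adu.func in RECON_FUNCS:
                findings.append(("recon", p.src, f"FC{adu.func:02d} to {p.dst}"))
        else:                                             # server -> client
            if pending.pop((p.dst, p.src, adu.trans_id), None) is None:
                findings.append(("unmatched-response", p.src, f"trans {adu.trans_id} to {p.dst}"))
            if adu.exception is not None:
                findings.append(("exception", p.src,
                                 f"FC{adu.func:02d} -> {EXC_NAMES.get(adu.exception, adu.exception)}"))
    for client, server, tid in pending:
        findings.append(("unanswered-request", client, f"trans {tid} to {server}"))
    return findings

def mbap(trans_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Build a well-formed ADU (used below to construct the sample traffic)."""
    return struct.pack(">HHHB", trans_id, 0, len(pdu) + 1, unit_id) + pdu

# Constructed sample capture, not real traffic: an HMI polls and writes a PLC,
# then a corporate-VLAN host writes to and enumerates the same PLC.
HMI, PLC, ROGUE = "192.168.1.50", "192.168.1.10", "10.10.10.25"
SAMPLE = [
    Packet(HMI, PLC, 502, mbap(1, 1, bytes([3, 0, 0, 0, 10]))),             # FC03 read 10 registers
    Packet(PLC, HMI, 51000, mbap(1, 1, bytes([3, 20]) + b"\x00" * 20)),
    Packet(HMI, PLC, 502, mbap(2, 1, bytes([16, 0, 5, 0, 1, 2, 0, 7]))),     # FC16 write, authorized
    Packet(PLC, HMI, 51000, mbap(2, 1, bytes([16, 0, 5, 0, 1]))),
    Packet(ROGUE, PLC, 502, mbap(7, 1, bytes([6, 0, 5, 0xFF, 0xFF]))),       # FC06 write from the IT zone
    Packet(PLC, ROGUE, 40123, mbap(7, 1, bytes([6, 0, 5, 0xFF, 0xFF]))),
    Packet(ROGUE, PLC, 502, mbap(8, 1, bytes([43, 14, 1, 0]))),             # FC43 Read Device Identification
    Packet(PLC, ROGUE, 40123, mbap(8, 1, bytes([0xAB, 1]))),                # exception 01: Illegal Function
    Packet(ROGUE, PLC, 502, b"\x00\x09\x00\x00\x00\xff\x01\x03\x00\x00\x00\x01"),  # MBAP length lies
    Packet(ROGUE, PLC, 502, mbap(10, 1, bytes([3, 0, 0, 0, 1]))),            # never answered
]

if __name__ == "__main__":
    for kind, src, detail in triage(SAMPLE, authorized_writers={HMI}):
        print(f"{kind:20} {src:15} {detail}")
```

The authorized-writer check is the same correlation the section asks for by hand: a write is only a finding when its source is not on the engineering-station list, so the HMI's FC16 passes and the corporate host's FC06 does not. Feeding real traffic in means exporting the TCP payloads (for instance with tshark's `-T fields` output) into `Packet` objects; the parser is deliberately strict about the MBAP length field so that fuzzed or truncated frames surface as "malformed" rather than being silently skipped.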
5. Extracting Payloads and Building Custom Dissectors
Some proprietary protocols aren’t decoded by default. You can extract raw data or build simple dissectors.
Step‑by‑step guide to extract a payload to a file:
1. Filter to the specific TCP stream containing the unknown protocol: Right-click a packet > `Follow` > TCP Stream.
2. In the stream window, set the "Show data as" drop-down (labelled "Show and save data as" in older releases) to Raw, and use the direction selector to keep only one side of the conversation (client to server, or server to client) so the saved file is a clean sequence of messages rather than an interleaving of both.
3. Click `Save As…` to export the binary payload for offline analysis in a hex editor, or as the sample you iterate against while writing a Wireshark Lua dissector. From the command line, `tshark -r capture.pcapng -z follow,tcp,raw,0` dumps the same stream (the trailing number is the stream index).
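Once a raw stream of an undecoded protocol is saved, the first question is how it is framed, because a dissector cannot be written until you know where each message starts and ends. The script below is an added example, not code from the original post: it tests every plausible position, width, endianness and counting convention for a length field, keeps the hypotheses under which the stream tiles exactly into records, and ranks them by how many leading bytes the resulting records share (a constant magic or header byte). The vendor framing and the sample stream are invented for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Framing:
    offset: int            # byte offset of the length field within each record
    width: int             # 1, 2 or 4 bytes
    big_endian: bool
    counts_header: bool    # True: length covers the whole record; False: only bytes after the field

def split_records(stream: bytes, f: Framing) -> List[bytes]:
    """Cut the stream into records under one hypothesis; [] if it does not tile exactly."""
    fmt = (">" if f.big_endian else "<") + {1: "B", 2: "H", 4: "I"}[f.width]
    records, pos = [], 0
    while pos < len(stream):
        field_end = pos + f.offset + f.width
        if field_end > len(stream):
            return []
        (n,) = struct.unpack(fmt, stream[pos + f.offset:field_end])
        rec_len = n if f.counts_header else n + f.offset + f.width
        if rec_len < f.offset + f.width or pos + rec_len > len(stream):
            return []                  # length field would not fit, or record runs past the end
        records.append(stream[pos:pos + rec_len])
        pos += rec_len
    return records

def candidate_framings(stream: bytes, max_offset: int = 8, min_records: int = 3) -> List[Framing]:
    """Every hypothesis under which the stream tiles into at least min_records records."""
    hits = []
    for offset in range(max_offset + 1):
        for width in (1, 2, 4):
            for big_endian in ((True,) if width == 1 else (True, False)):
                for counts_header in (True, False):
                    f = Framing(offset, width, big_endian, counts_header)
                    if len(split_records(stream, f)) >= min_records:
                        hits.append(f)
    return hits

def common_prefix_len(records: List[bytes]) -> int:
    """Number of leading bytes shared by every record (a magic or version field)."""
    first, n = records[0], 0
    while n < len(first) and all(len(r) > n and r[n] == first[n] for r in records):
        n += 1
    return n

def rank_framings(stream: bytes) -> List[Tuple[int, Framing]]:
    """Candidates ordered by shared prefix length, wider length fields first on ties.
    Zero-dense payloads produce spurious tilings; a constant header separates them."""
    ranked = [(common_prefix_len(split_records(stream, f)), f) for f in candidate_framings(stream)]
    return sorted(ranked, key=lambda pf: (-pf[0], -pf[1].width))

def vendor_record(msg_type: int, payload: bytes) -> bytes:
    """Hypothetical vendor framing used only to build the sample: magic A5 5A,
    1-byte type, 2-byte big-endian payload length, then the payload."""
    return b"\xa5\x5a" + bytes([msg_type]) + struct.pack(">H", len(payload)) + payload

# Constructed stand-in for a payload saved with Follow > TCP Stream > Raw.
SAMPLE_STREAM = b"".join([
    vendor_record(0x01, b"\x00\x10\x00\x00\x00\x04"),
    vendor_record(0x02, b"\x01\x02\x03"),
    vendor_record(0x01, b"\x00\x10\x00\x00\x00\x04" + b"\x00" * 8),
    vendor_record(0x7f, b""),
])

if __name__ == "__main__":
    for prefix, f in rank_framings(SAMPLE_STREAM):
        print(prefix, f, [len(r) for r in split_records(SAMPLE_STREAM, f)])
```

On this sample the ranking puts the true boundaries first, but it cannot tell a 2-byte big-endian length at offset 3 from a 1-byte length at offset 4: with every record shorter than 256 bytes the high byte is always zero and both tile identically. Only a longer record in the capture separates them, which is why the output is a ranked list rather than a single answer, and why the hypothesis you encode in a Lua dissector should be checked against the largest messages you can find.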
6. Validating Network Segmentation & Hardening
Use Wireshark to audit firewall rules and segmentation between IT and OT zones (the “Purdue Model”).
Step‑by‑step guide:
- Capture traffic on the OT-side interface of your IT/OT firewall (a tap on the link between the firewall and the OT core switch, so you see what the firewall actually let through rather than what its policy says it should).
- Apply a filter for IT-zone addresses in either direction (e.g., `ip.src==10.10.10.0/24 or ip.dst==10.10.10.0/24`); connections initiated from the OT zone into IT are as interesting as the reverse.
- If you see any traffic beyond the explicitly allowed management protocols (e.g., SSH or RDP from a jump host to specific engineering workstations), it indicates a misconfigured firewall rule or a breach. Compare what you see with the firewall's written rule set rather than with what "looks normal"; a permitted flow that nobody remembers authorizing is a finding in itself.
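The segmentation audit becomes repeatable once the connection attempts seen at the boundary are exported (one row per TCP SYN, or first UDP datagram) and compared with the firewall's intended policy. The script below is an added example, not code from the original post; the zone ranges, the allowlist entries and the sample flows are assumptions chosen to match the addresses used elsewhere on this page.

```python
import ipaddress
from collections import Counter
from typing import Iterable, List, Tuple

# Zones as the site's Purdue-style design defines them (assumed values for this example).
IT_ZONE = ipaddress.ip_network("10.10.10.0/24")
OT_ZONE = ipaddress.ip_network("192.168.1.0/24")

# What the IT/OT firewall is supposed to permit: (source, destination, protocol, port).
# Hosts and networks are assumptions; take the real list from the firewall policy.
ALLOWED = [
    ("10.10.10.5/32", "192.168.1.100/32", "tcp", 22),     # jump host -> engineering workstation, SSH
    ("10.10.10.5/32", "192.168.1.100/32", "tcp", 3389),   # same pair, RDP
    ("192.168.1.0/24", "10.10.10.40/32", "udp", 514),     # OT devices -> IT syslog collector
]

Flow = Tuple[str, str, str, int]    # (src, dst, proto, dport) of one connection attempt

def zone_crossing(src: str, dst: str):
    """'it->ot', 'ot->it', or None when the flow stays inside one zone."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in IT_ZONE and d in OT_ZONE:
        return "it->ot"
    if s in OT_ZONE and d in IT_ZONE:
        return "ot->it"
    return None

def is_allowed(flow: Flow, allowed=ALLOWED) -> bool:
    src, dst, proto, dport = flow
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a_src) and d in ipaddress.ip_network(a_dst)
               and proto == a_proto and dport == a_port
               for a_src, a_dst, a_proto, a_port in allowed)

def audit(flows: Iterable[Flow], allowed=ALLOWED) -> Counter:
    """Count zone-crossing connection attempts that the policy does not permit."""
    violations = Counter()
    for flow in flows:
        direction = zone_crossing(flow[0], flow[1])
        if direction is None or is_allowed(flow, allowed):
            continue            # intra-zone traffic is out of scope; permitted crossings are fine
        violations[(direction,) + flow] += 1
    return violations

# Constructed sample: one tuple per SYN seen on the OT-side firewall interface, as the
# display filter `tcp.flags.syn == 1 and tcp.flags.ack == 0` would list them.
SAMPLE_FLOWS: List[Flow] = [
    ("10.10.10.5", "192.168.1.100", "tcp", 22),
    ("10.10.10.5", "192.168.1.100", "tcp", 22),
    ("10.10.10.5", "192.168.1.100", "tcp", 3389),
    ("192.168.1.10", "10.10.10.40", "udp", 514),
    ("10.10.10.25", "192.168.1.10", "tcp", 502),    # corporate host straight to a PLC
    ("10.10.10.25", "192.168.1.10", "tcp", 502),
    ("10.10.10.25", "192.168.1.100", "tcp", 445),   # SMB into the OT zone
    ("192.168.1.50", "10.10.10.80", "tcp", 443),    # HMI opening a session into IT
    ("192.168.1.50", "192.168.1.10", "tcp", 502),   # intra-OT polling, not the boundary's concern
]

if __name__ == "__main__":
    for (direction, src, dst, proto, dport), count in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{direction:6} {src:15} -> {dst}:{dport}/{proto}  x{count}")
```

Every violation here is a rule the firewall should not have, or a flow that never reached the firewall at all (a second path into the OT zone); the audit cannot tell which, so each line needs to be run down against the rule base. Counting repeats matters because a single SYN may be a typo in a jump-host session while hundreds from one source to port 502 are a scan or a tool that has found the PLCs.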
What Undercode Say:
- Visibility is Non-Negotiable: You cannot secure what you cannot see. Wireshark provides the foundational, packet-level visibility required for both proactive security assessments and reactive incident response in OT environments.
- Context is King: A packet is not malicious in a vacuum. An unexpected Modbus write command from an engineering workstation may be planned maintenance; from an unknown IP in the corporate VLAN, it is a critical incident. Correlate packet data with operational context and asset management lists.
Analysis: The technical barrier to effective OT monitoring is lower than many assume. Wireshark is a free, powerful tool that, when used with disciplined methodology, can demystify industrial network traffic. The core challenge is not the tool itself, but developing the analyst’s understanding of both networking principles and industrial processes. This skill set allows defenders to move from merely capturing packets to actively hunting for threats that could cause physical disruption. The post’s focus on “real-world samples” is crucial; theoretical knowledge of protocols pales in comparison to the insight gained from inspecting actual operational traffic, where timing, volume, and subtle deviations from specification reveal the true story.
Prediction:
As IT/OT convergence accelerates and threats like ransomware pivot to physical disruption, the role of network forensic analysis in ICS security will become as standard as it is in IT. We will see the rise of specialized Wireshark profiles and “lenses” tailored for OT operators, automated tools that leverage Wireshark’s dissection engines for continuous monitoring, and the integration of packet capture analysis into SOAR platforms for ICS. Furthermore, the ability to conduct and interpret these analyses will become a core competency for the next generation of OT cybersecurity professionals, bridging the gap between control engineering and infosec. The future of resilient critical infrastructure depends on this deep, packet-level awareness.
Reported By: Mikeholcomb Wireshark – Hackers Feeds


