A practical guide to OT/ICS network reconnaissance using Wireshark and GrassMarlin. Covers Wireshark installation, interface orientation, OT-specific display filters for Modbus function codes (read, write, and exception responses), Statistics menu features for mapping device relationships, and coloring rules for anomaly detection. Also introduces GrassMarlin, an NSA-developed open-source tool for passive ICS/SCADA network topology mapping from PCAP files. The guide contextualizes techniques with real-world attacks like the 2015 Ukraine power grid incident and TRITON malware, emphasizing that baselining normal OT traffic is essential for detecting intrusions.