What are the best Wireshark filters for OT cybersecurity monitoring and threat detection?
Wireshark is an essential tool for securing OT (Operational Technology) environments by enabling deep visibility into industrial network traffic. This blog explores how to use Wireshark filters effectively for detecting threats, discovering devices, and monitoring industrial protocols like Modbus, DNP3, Profinet, and S7comm. We cover filters for network discovery, suspicious activity, and protocol-specific traffic in OT environments. Learn best practices for analyzing ICS traffic and securing your SCADA infrastructure in 2025 using Wireshark.
In the world of Operational Technology (OT), security is critical. From manufacturing plants to power grids, OT environments rely on specific industrial protocols like Modbus, DNP3, and Profinet to operate safely. But with growing cyber threats, network visibility has become more important than ever.
Wireshark, a free and open-source network protocol analyzer, offers powerful tools to monitor, analyze, and secure OT traffic. In this blog, we’ll explore how to use Wireshark effectively for OT cybersecurity using practical filters and examples.
What Is Wireshark and Why Is It Crucial for OT Networks?
Wireshark allows cybersecurity professionals to capture and analyze packets from OT network traffic. In industrial networks, it helps detect suspicious activities, troubleshoot communication issues, and audit protocol behavior in real-time.
OT environments often use non-IT protocols, so using Wireshark with OT-specific filters is essential to identify:
- Broadcast storms
- Unauthorized devices
- Protocol misuse
- Malicious commands (e.g., writing Modbus registers)
Network Discovery Filters
Wireshark filters help identify devices and communication patterns in the network. Use these filters to discover unknown or unauthorized endpoints:
Use Case | Wireshark Filter |
---|---|
Find broadcast traffic | eth.dst == ff:ff:ff:ff:ff:ff |
ARP responses (IP to MAC mapping) | arp.opcode == 2 |
DHCP Discover/Request | bootp.option.type == 53 (dhcp.option.type == 53 in Wireshark 3.0 and later, where the bootp fields were renamed) |
Exclude the null MAC address (list unique MACs via Statistics > Endpoints) | !(eth.addr in {00:00:00:00:00:00}) |
Unique IPs in a range | ip.addr >= 192.168.0.0 and ip.addr <= 192.168.255.255 |
Suspicious Activity Filters
Use these filters to detect malicious behavior such as scanning, tunneling, or malformed packets in OT networks:
Activity | Wireshark Filter |
---|---|
Port scanning | tcp.flags.syn == 1 && tcp.flags.ack == 0 |
Uncommon ports | tcp.dstport < 11 |
High order ports | tcp.dstport > 1024 |
Modbus over non-standard ports | modbus && tcp.port != 502 |
Malformed packets | tcp.analysis.flags && (tcp.len == 0 \|\| ip.len < 20) |
Long TCP sessions for tunneling | tcp.analysis.bytes_in_flight > 10000 |
OT devices communicating with Internet | !(ip.dst >= 10.0.0.0 && ip.dst <= 10.255.255.255) && !(ip.dst >= 172.16.0.0 && ip.dst <= 172.31.255.255) && !(ip.dst >= 192.168.0.0 && ip.dst <= 192.168.255.255) |
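The "port scanning" and "OT devices communicating with Internet" rows above, implemented in code as an added example (not from the original post) over constructed packet summaries; the private-range check is extended beyond the page's filter to ignore multicast and link-local destinations, which are routine on OT segments, and the per-source port threshold is an assumption.

```python
# Added example, not from the original post: the "port scanning" and "OT devices
# communicating with Internet" filter rows, applied to constructed packet summaries.
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 ranges the page's ip.dst filter excludes
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Pkt:                 # one TCP/IP packet, reduced to the fields the filters use
    src: str
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False

def is_syn_only(p: Pkt) -> bool:
    """Mirror of tcp.flags.syn == 1 && tcp.flags.ack == 0."""
    return p.syn and not p.ack

def leaves_private_space(p: Pkt) -> bool:
    """Page's private-range exclusion on ip.dst, extended to ignore multicast and
    link-local destinations that would otherwise be reported as 'internet' traffic."""
    dst = ipaddress.ip_address(p.dst)
    if dst.is_multicast or dst.is_link_local:
        return False
    return not any(dst in net for net in PRIVATE_NETS)

def scan_suspects(pkts, min_ports: int = 5) -> set:
    """Sources whose SYN-only segments hit at least min_ports distinct ports (assumed threshold)."""
    ports_by_src = {}
    for p in pkts:
        if is_syn_only(p):
            ports_by_src.setdefault(p.src, set()).add(p.dport)
    return {src for src, ports in ports_by_src.items() if len(ports) >= min_ports}

def internet_talkers(pkts) -> set:
    """(src, dst) pairs where a host sends to a non-private unicast address."""
    return {(p.src, p.dst) for p in pkts if leaves_private_space(p)}

# Constructed sample traffic: one host sweeping six ports on a PLC, the PLC's
# SYN/ACK reply, an mDNS multicast packet, and one host reaching a public IP.
SAMPLE = (
    [Pkt("10.1.1.50", "10.1.1.20", port, syn=True) for port in (21, 22, 23, 80, 102, 502)]
    + [Pkt("10.1.1.20", "10.1.1.50", 50000, syn=True, ack=True),
       Pkt("10.1.1.20", "224.0.0.251", 5353),
       Pkt("10.1.1.30", "203.0.113.7", 443, syn=True)]
)
```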
General Utility Filters for OT Engineers
These filters help you isolate traffic by IP, MAC, stream, or port, especially useful during incident response or traffic audits:
Use Case | Wireshark Filter |
---|---|
Follow Modbus stream | tcp.stream eq <stream number> |
Filter by IP | ip.addr == <IP> |
Filter by MAC address | eth.addr == <MAC> |
Conversations by port | tcp.port == <port> |
Modbus Protocol Filters
Modbus is one of the most commonly used protocols in industrial control systems. Use these filters to track Modbus activity:
Filter Purpose | Wireshark Filter |
---|---|
Show Modbus traffic | modbus |
TCP port 502 traffic | tcp.port == 502 |
Write single coil | modbus.func_code == 5 |
Write multiple registers | modbus.func_code == 16 |
Device identification | modbus.func_code == 43 |
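The Modbus function-code filters above, applied outside Wireshark as an added example (not from the original post): a minimal Modbus/TCP (MBAP) parser run over constructed frames, which also flags Modbus seen on a port other than 502 and, going beyond the table, treats function codes 6 and 15 as writes alongside 5 and 16.

```python
# Added example, not from the original post: a minimal Modbus/TCP (MBAP) parser
# that applies the table's function-code filters to constructed frames.
import struct
from dataclasses import dataclass

MODBUS_PORT = 502
# The page lists 5 and 16; 6 and 15 are the other standard write functions.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
DEVICE_ID_CODE = 43  # Read Device Identification (via Encapsulated Interface Transport)

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    func_code: int
    data: bytes

def parse_mbap(payload: bytes):
    """Return a ModbusFrame, or None if payload is not a well-formed Modbus/TCP ADU.
    MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit, func = struct.unpack("!HHHBB", payload[:8])
    # length counts the unit id plus the PDU, i.e. everything after the first six bytes
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return ModbusFrame(tid, unit, func, payload[8:])

def classify(dport: int, payload: bytes) -> list:
    """Labels mirroring the page's display filters for one TCP segment."""
    frame = parse_mbap(payload)
    if frame is None:
        return []                                # not Modbus/TCP: no filter fires
    labels = []
    if dport != MODBUS_PORT:
        labels.append("modbus-on-nonstandard-port")              # modbus && tcp.port != 502
    if frame.func_code in WRITE_CODES:
        labels.append("write:" + WRITE_CODES[frame.func_code])  # modbus.func_code == 5 / 16
    if frame.func_code == DEVICE_ID_CODE:
        labels.append("device-identification")                   # modbus.func_code == 43
    return labels

# Constructed frames (spaces only for readability; bytes.fromhex ignores them)
WRITE_COIL = bytes.fromhex("0001 0000 0006 01 05 0013 ff00")           # FC 5, coil 19 ON
READ_HOLDING = bytes.fromhex("0002 0000 0006 01 03 0000 000a")         # FC 3, read 10 regs
WRITE_REGS = bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 000a 000b")  # FC 16, 2 regs
DEVICE_ID = bytes.fromhex("0004 0000 0005 01 2b 0e 01 00")             # FC 43, MEI 14
```

Wireshark decodes Modbus/TCP only on port 502 unless the other port is assigned via Decode As, so `modbus && tcp.port != 502` matches nothing until that is done; this parser recognises the MBAP header on any port.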
Filters for Other OT/ICS Protocols
OT networks may use a range of protocols depending on the vendor. Each row below lists two alternatives separated by a slash: a port-based filter and the name of the Wireshark dissector for that protocol.
Protocol | Wireshark Filter |
---|---|
S7 (Siemens) | tcp.port == 102 / s7comm |
DNP3 | tcp.port == 20000 / dnp3 |
EtherNet/IP | tcp.port == 44818 / enip |
Profinet | eth.type == 0x8892 |
BACnet/IP | udp.port == 47808 / bacnet |
Why Use These Filters for Cybersecurity?
Cyberattacks on industrial environments often mimic normal behavior. With Wireshark filters, you can:
- Detect command injections
- Identify unauthorized engineering stations
- Spot traffic going to the public internet
- Audit device configurations
- Visualize attack patterns using packet coloring and follow streams
Best Practices for Using Wireshark in OT Environments
Practice | Tip |
---|---|
Capture traffic during normal operations | Helps set a performance baseline |
Use display filters for specific protocols | Avoids overload from irrelevant data |
Label known devices and IPs | Easier to spot anomalies |
Store PCAP files securely | Packet captures may contain sensitive ICS commands |
Integrate with IDS tools | Use Wireshark in combination with Suricata or Snort for deeper analysis |
Conclusion
Wireshark is a powerful asset for OT cybersecurity professionals. Whether you’re tracking Modbus write operations or spotting unusual TCP sessions, using the right filters can mean the difference between a secure system and a compromised one.
By leveraging these ready-to-use display filters, you’ll be better equipped to monitor, investigate, and respond to threats in industrial control environments.
FAQs
What is Wireshark used for in OT cybersecurity?
Wireshark helps monitor, analyze, and troubleshoot OT network traffic to detect threats and ensure secure operations in ICS environments.
Can Wireshark analyze Modbus traffic?
Yes, Wireshark includes built-in support for Modbus and can decode Modbus functions like reading registers or writing coils.
What filter is used to detect Modbus write commands?
Use `modbus.func_code == 5` for single coil writes or `modbus.func_code == 16` for multiple register writes.
How can I detect port scanning in OT networks?
Use the filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` to identify potential scanning attempts.
Which filter shows only Modbus traffic?
Use `modbus` to display all captured Modbus protocol communications.
Can I use Wireshark to track ICS protocols like S7 or DNP3?
Yes, you can use filters like `tcp.port == 102` or `s7comm` for S7 and `tcp.port == 20000` or `dnp3` for DNP3.
What filter shows ARP responses for mapping IP to MAC?
Use `arp.opcode == 2` to display ARP responses mapping IPs to MAC addresses.
How to monitor DHCP requests in Wireshark?
Use `bootp.option.type == 53` (`dhcp.option.type == 53` in Wireshark 3.0 and later) to see DHCP Discover or Request packets.
How can I detect malformed packets in ICS traffic?
Use `tcp.analysis.flags && (tcp.len == 0 || ip.len < 20)` to detect malformed packets.
Is Wireshark safe to use on a live OT network?
It should be used in passive mode (no packet injection) and preferably with mirrored traffic for safety.
How to follow a Modbus stream in Wireshark?
Use `tcp.stream eq <number>` to follow a Modbus session from start to finish.
Can Wireshark detect tunneling activity in OT?
Yes, use `tcp.analysis.bytes_in_flight > 10000` to spot long sessions used for tunneling.
What filter detects ICS devices communicating with the internet?
Use `!(ip.dst >= 10.0.0.0 && ip.dst <= 10.255.255.255) && !(ip.dst >= 172.16.0.0 && ip.dst <= 172.31.255.255) && !(ip.dst >= 192.168.0.0 && ip.dst <= 192.168.255.255)`, which excludes the three private address ranges so only traffic to public destinations remains.
How to analyze Ethernet/IP traffic in Wireshark?
Use `tcp.port == 44818` or `enip` to capture EtherNet/IP protocol traffic.
Which filter shows all traffic to port 502?
Use `tcp.port == 502` to analyze Modbus TCP traffic.
Can Wireshark detect Profinet packets?
Yes, use `eth.type == 0x8892` to filter for Profinet traffic.
How do I filter traffic from a specific IP?
Use `ip.addr == <IP>` to isolate traffic from or to a specific IP address.
How to monitor conversations by port?
Use `tcp.port == <port>` to view all traffic using a specific port.
How to spot Modbus on non-standard ports?
Use `modbus && tcp.port != 502` to detect unauthorized Modbus traffic.
What is the filter for BACnet traffic in Wireshark?
Use `udp.port == 47808` or `bacnet` for BACnet/IP monitoring.
Can Wireshark detect long TCP sessions in OT?
Yes, use `tcp.analysis.bytes_in_flight > 10000` to identify such sessions.
Which OT protocols can Wireshark decode natively?
It supports Modbus, DNP3, S7comm, BACnet/IP, Profinet, and more.
What are the risks of ignoring suspicious packets?
Undetected packets can be part of malware payloads, lateral movement, or ICS disruption tactics.
Is Wireshark useful for incident response in OT networks?
Absolutely. It helps reconstruct packet-level details and timelines during forensic investigations.
How can I ensure I'm not capturing sensitive data?
Limit captures to specific protocols or addresses, and ensure PCAP files are securely stored.
Can Wireshark help meet compliance in critical infrastructure?
Yes, it's often used in conjunction with IDS and logging to satisfy regulatory audit requirements.