Awesome Industrial Protocols

Compilation of industrial network protocols resources focusing on offensive security.

In this repository:

  • You are currently viewing the Awesome Industrial Protocols page.
  • Detailed pages for protocols are available in protocols.
  • All data is stored in MongoDB databases in db.
  • Turn/IP (in srcs) is a handy tool to manipulate this data, generate the awesome list and protocol pages, and simplify the research and test process on industrial protocols.

Note: Sometimes it is unclear whether a name refers to a protocol, a standard, or a complete environment, or if a protocol on a serial link can be accessed in any way from the Ethernet link (through a dedicated implementation or a gateway). I apologize for any confusion, and of course, I welcome any remarks or contributions.

Contents

Currently, there are 65 protocols with a total of 710 resources.

ANSI-C12.22

Name ANSI-C12.22
Alias ANSI-C12.19, C1222
Description Protocol to transport ANSI C12.19 tables on electric meter utility networks
Keywords Smart Grid, Meter
Port 1153/tcp, 1153/udp
Specifications RFC 6142, ANSI C12.22 specification, ANSI C12.19 Specification
Wireshark dissector packet-c1222.c
Detailed page ansi-c1222.md

Documentations

Articles

Conferences

ATG

Name ATG
Alias TLS4, TLS-350, TLS-450
Description Veeder Root's Automatic Tank Gauge (ATG) protocol
Keywords Gas, Guardian AST
Port 10001/tcp
Specifications Veeder Root serial interface manual for TLS-450, Veeder Root serial interface manual for TLS-350
Nmap script(s) atg-info.nse
Detailed page atg.md

Documentations

Articles

Conferences

Papers

Tools

  • GasPot - Honeypot simulating a Veeder Root Guardian AST

BACnet/IP

Name BACnet/IP
Alias BACnet
Description Building automation and control network communication protocol for HVAC systems
Keywords HVAC
Port 47808/udp
Access Paid
Specifications BACnet/IP Specification
Nmap script(s) bacnet-info.nse
Wireshark dissector packet-bacnet.c
Example Pcap(s) ICS-pcap BACnet, S4x15 ICS Village PCAP Files
Detailed page bacnetip.md

Articles

Conferences

Tools
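
BACnet/IP discovery is done with a broadcast Who-Is on 47808/udp, to which every device answers with an I-Am carrying its device object identifier, maximum APDU size, segmentation support and vendor id. The following is an added example, written for this page and not code from the repository or from any of the tools listed above: it builds the Who-Is frame (BVLC header, NPDU with global-broadcast destination, unconfirmed-request APDU) and parses an I-Am reply. The sample I-Am bytes are constructed for the example; the only dependency is the Python standard library.

```python
import struct

BACNET_UDP_PORT = 47808          # 0xBAC0, the BACnet/IP port listed on this page
BVLC_TYPE = 0x81                 # every BACnet/IP datagram starts with this byte
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
APDU_UNCONFIRMED_REQUEST = 0x10  # PDU type 1 in the high nibble
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
SEGMENTATION = {0: "segmented-both", 1: "segmented-transmit",
                2: "segmented-receive", 3: "no-segmentation"}

# Constructed sample I-Am: device 1, max APDU 1476, no segmentation, vendor id 8 (not a real capture)
SAMPLE_I_AM = bytes.fromhex("810a001401001000c4020000012205c491032108")


def build_who_is():
    """Who-Is with no instance range: every device on the broadcast domain replies with an I-Am."""
    # NPDU: version 1, control 0x20 = destination specifier present,
    # DNET 0xFFFF = global broadcast, DLEN 0 (no DADR), hop count 255
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])
    apdu = bytes([APDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    body = npdu + apdu
    # BVLC length covers the 4-byte BVLC header itself
    return struct.pack(">BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, 4 + len(body)) + body


def _application_tags(data):
    """Yield (tag_number, value_bytes) for primitive application tags with length < 5 (enough for I-Am)."""
    i = 0
    while i < len(data):
        tag = data[i]
        if tag & 0x08:
            raise ValueError("context-specific tag not expected in I-Am")
        length = tag & 0x07
        if length >= 5:
            raise ValueError("extended length / opening tag not handled by this parser")
        i += 1
        yield tag >> 4, data[i:i + length]
        i += length


def parse_i_am(frame):
    """Parse a BACnet/IP I-Am and return the fields a scanner would record."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP datagram")
    (bvlc_len,) = struct.unpack(">H", frame[2:4])
    if bvlc_len != len(frame):
        raise ValueError("BVLC length %d does not match %d bytes" % (bvlc_len, len(frame)))
    version, control = frame[4], frame[5]
    if version != 1:
        raise ValueError("unsupported NPDU version %d" % version)
    if control & 0x80:
        raise ValueError("network layer message, not an APDU")
    offset = 6
    if control & 0x20:                      # DNET(2) DLEN(1) DADR(DLEN)
        offset += 3 + frame[offset + 2]
    if control & 0x08:                      # SNET(2) SLEN(1) SADR(SLEN)
        offset += 3 + frame[offset + 2]
    if control & 0x20:                      # hop count follows the source fields
        offset += 1
    apdu = frame[offset:]
    if apdu[0] >> 4 != 1 or apdu[1] != SERVICE_I_AM:
        raise ValueError("not an unconfirmed I-Am")
    tags = list(_application_tags(apdu[2:]))
    if len(tags) < 4 or tags[0][0] != 12:   # tag 12 = BACnetObjectIdentifier
        raise ValueError("malformed I-Am parameter list")
    object_id = int.from_bytes(tags[0][1], "big")
    return {
        "object_type": object_id >> 22,         # 8 = device
        "device_instance": object_id & 0x3FFFFF,
        "max_apdu": int.from_bytes(tags[1][1], "big"),
        "segmentation": SEGMENTATION.get(int.from_bytes(tags[2][1], "big"), "unknown"),
        "vendor_id": int.from_bytes(tags[3][1], "big"),
    }


if __name__ == "__main__":
    print("Who-Is:", build_who_is().hex())
    print("I-Am:", parse_i_am(SAMPLE_I_AM))
```

To use it live, send `build_who_is()` to the subnet broadcast address on 47808/udp and feed each reply to `parse_i_am()`; the BVLC length check rejects truncated or padded datagrams before anything is trusted.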

BSAP

Name BSAP
Alias BSAP/IP, BSAP-IP
Description Emerson's Bristol Synchronous Asynchronous Protocol
Keywords Emerson, Bristol
Port 1234/udp
Access Free
Specifications BSAP Communications Application Programmer's Reference
Detailed page bsap.md

Conferences

CAN

Name CAN
Alias CANbus, CANopen, CAN-FD
Description Communication protocol enabling data exchange between electronic components in vehicles
Keywords CANbus
Specifications ISO-11898
Wireshark dissector packet-canopen.c
Scapy layer can.py
Detailed page can.md

Documentations

Articles

Conferences

Papers

Tools

  • cantools - Python library to play with CAN databases & messages
  • opendbc - A list of CAN databases retrieved from reverse-engineered cars
  • python-can - Python library to plug to various CAN connectors

CC-Link IE

Name CC-Link IE
Alias CSP+, CC-Link, CC-Link IE TSN, CC-Link IE Control, CC-Link IE Field, CC-Link IE Field Basic
Description Industrial Ethernet communication network developed by the CC-Link Partner Association (CLPA)
Keywords Mitsubishi, CLPA
Access Free
Specifications CSP+ specification
Detailed page cc-link-ie.md

Documentations

CIP

Name CIP
Alias Common Industrial Protocol
Description ODVA's protocol suite for industrial automation communication
Keywords ODVA, Ethernet/IP, DeviceNet, ControlNet, CompoNet
Wireshark dissector packet-cip.c
Example Pcap(s) S4x15 ICS Village PCAP Files
Detailed page cip.md

Documentations

Conferences

CODESYS

Name CODESYS
Description Programmable logic controller (PLC) development, communication protocol and runtime environment.
Port 1200/tcp
Nmap script(s) codesys-v2-discover.nse
Detailed page codesys.md

Conferences

Crimson

Name Crimson
Alias Cr3
Description Red Lion's programming protocol
Port 789/tcp
Nmap script(s) cr3-fingerprint.nse
Wireshark dissector cr3.lua
Detailed page crimson.md

Articles

CSPv4

Name CSPv4
Alias AB CSPv4, AB/Ethernet
Description Allen-Bradley's protocol for industrial Ethernet communication
Keywords Allen-Bradley, PCCC
Port 2222/tcp
Nmap script(s) cspv4-info.nse
Detailed page cspv4.md

DeviceNet

Name DeviceNet
Description CAN-based industrial automation network for device-level communication
Keywords CAN, CIP
Wireshark dissector packet-devicenet.c
Detailed page devicenet.md

Documentations

Articles

DF1

Name DF1
Alias DF-1
Description Allen-Bradley serial communication protocol for industrial automation devices
Keywords PCCC, Allen-Bradley
Access Free
Specifications DF1 specification
Detailed page df1.md

Articles

Tools

  • abdf1 - AB DF1 Protocol RS232 driver for Micrologix, SLC500, PLC 5
  • Df1 - Df1 protocol for Allen-Bradley PLC

DICOM

Name DICOM
Alias DCM
Description Communication and management of medical imaging information
Keywords Radiography, Medical
Port 104/tcp
Access Free
Specifications DICOM Standard
Nmap script(s) dicom-ping.nse
Wireshark dissector packet-dcm.c
Detailed page dicom.md

Conferences

Tools

  • DCMTK - DICOM ToolKit
  • dicom-server - Microsoft's OSS Implementation of DICOMweb standard
  • pydicom - Python package to read, modify and write DICOM files

DNP3

Name DNP3
Alias Distributed Network Protocol
Description Industrial communication protocol for remote monitoring and control of automation systems
Keywords Power grid, Water
Port 20000/tcp, 20000/udp
Access Paid
Specifications IEEE 1815-2012
Security Optional authentication, optional encryption with TLS
Nmap script(s) dnp3-info.nse
Wireshark dissector packet-dnp.c
Example Pcap(s) ICS-pcap DNP3
Detailed page dnp3.md

Conferences

Tools

  • dnp3-simulator - .NET DNP3 simulator with GUI
  • FreyrSCADA DNP3 - DNP3 Protocol - Outstation Server and Client Master Simulator
  • gec/dnp3 - Open source Distributed Network Protocol
  • gec/dnp3slavesim - Parallel dnp3 slave simulator
  • opendnp3 - DNP3 (IEEE-1815) protocol stack. Modern C++ with bindings for .NET and Java
  • Step Function I/O DNP3 - Rust implementation of DNP3 (IEEE 1815) with idiomatic bindings for C, .NET, C++, and Java

Ether-S-I/O

Name Ether-S-I/O
Alias EtherSIO, ESIO
Description Proprietary protocol for Saia PCD controller I/O communication
Keywords SAIA
Port 6060/udp
Wireshark dissector packet-esio.c
Example Pcap(s) ICS-pcap Ether-S-I/O
Detailed page ether-s-io.md

EtherCAT

Name EtherCAT
Alias ECATF, ECAT
Description Real-time industrial Ethernet communication protocol for automation systems
Port 34980/udp
Scapy layer ethercat.py
Example Pcap(s) ICS-pcap EtherCAT
Detailed page ethercat.md

Articles

Ethernet/IP

Name Ethernet/IP
Alias Enip
Description Ethernet-based industrial communication protocol for industrial automation systems
Keywords CIP
Port 44818/tcp, 2222/udp
Access Paid
Specifications Ethernet/IP Specifications
Nmap script(s) enip-info.nse, enip-enumerate.nse
Wireshark dissector packet-enip.c
Scapy layer enipTCP.py
Example Pcap(s) ICS-pcap Ethernet/IP, ICS-pcap EIP
Detailed page ethernetip.md

Documentations

Articles

Conferences

Tools

  • CIPster - Ethernet/IP (Common Industrial Protocol) stack in C++
  • cpppo - Communications Protocol Python Parser and Originator -- EtherNet/IP CIP
  • enip-stack-detector - EtherNet/IP & CIP Stack Detector
  • OpENer - EtherNet/IP stack for I/O adapter devices
  • pycomm3 - A Python Ethernet/IP library for communicating with Allen-Bradley PLCs
  • scapy-cip-enip - Ethernet/IP dissectors for Scapy
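
The Ethernet/IP ListIdentity command (0x0063) is what enumeration tools such as enip-info.nse send to 44818 to fingerprint a device: the request is a bare 24-byte encapsulation header, and the reply carries a Common Packet Format item (type 0x000C) with the CIP identity object. The following is an added example for this page, not code from the repository or from the tools listed above. It assembles the request and parses a reply, including the one mixed-endianness detail that trips up hand-written parsers: the socket address inside the identity item is in network (big-endian) order while everything around it is little-endian. The sample response bytes are constructed for the example and use the Python standard library only.

```python
import os
import struct

ENIP_TCP_PORT = 44818            # from the page; ListIdentity is also broadcast to this port over UDP
CMD_LIST_IDENTITY = 0x0063
CPF_IDENTITY_ITEM = 0x000C
ENCAP_HEADER = "<HHII8sI"        # command, length, session handle, status, sender context, options
ENCAP_HEADER_LEN = struct.calcsize(ENCAP_HEADER)   # 24

# Constructed sample reply: vendor 1, device type 14, product code 59, rev 20.11,
# serial 0x12345678, name "TestPLC", state 3, reachable at 192.168.1.10:44818 (not a real capture)
SAMPLE_RESPONSE = bytes.fromhex(
    "6300" "2f00" "00000000" "00000000" "0001020304050607" "00000000"   # encapsulation header
    "0100" "0c00" "2900"                                                 # CPF: 1 item, type 0x0C, 41 bytes
    "0100"                                                               # encapsulation protocol version
    "0002af12c0a8010a0000000000000000"                                   # sockaddr_in, network byte order
    "0100" "0e00" "3b00" "140b" "3000" "78563412"                         # vendor, type, code, rev, status, serial
    "07" "5465737450" "4c43" "03"                                        # name length, "TestPLC", state
)


def build_list_identity(sender_context=None):
    """ListIdentity request: header only, no session, no payload. The context is echoed back."""
    ctx = os.urandom(8) if sender_context is None else sender_context
    if len(ctx) != 8:
        raise ValueError("sender context must be exactly 8 bytes")
    return struct.pack(ENCAP_HEADER, CMD_LIST_IDENTITY, 0, 0, 0, ctx, 0)


def parse_encapsulation_header(data):
    """Split an encapsulation packet into its header fields and payload, checking the length field."""
    if len(data) < ENCAP_HEADER_LEN:
        raise ValueError("shorter than an encapsulation header")
    command, length, session, status, ctx, options = struct.unpack(ENCAP_HEADER, data[:ENCAP_HEADER_LEN])
    if len(data) - ENCAP_HEADER_LEN != length:
        raise ValueError("encapsulation length %d does not match %d payload bytes"
                         % (length, len(data) - ENCAP_HEADER_LEN))
    header = {"command": command, "session": session, "status": status, "context": ctx, "options": options}
    return header, data[ENCAP_HEADER_LEN:]


def parse_identity_item(item):
    """Decode one ListIdentity CPF item (encapsulation version, sockaddr, CIP identity attributes)."""
    if len(item) < 34:
        raise ValueError("identity item too short")
    (version,) = struct.unpack_from("<H", item, 0)
    # 16-byte sockaddr_in in NETWORK byte order: family, port, address, 8 bytes zero padding
    family, port, addr = struct.unpack_from(">HH4s", item, 2)
    vendor, dev_type, product_code, rev_major, rev_minor, status, serial = struct.unpack_from("<HHHBBHI", item, 18)
    name_len = item[32]
    if len(item) != 34 + name_len:
        raise ValueError("product name length disagrees with item length")
    return {
        "encap_version": version,
        "ip": ".".join(str(b) for b in addr), "port": port,
        "vendor_id": vendor, "device_type": dev_type, "product_code": product_code,
        "revision": "%d.%d" % (rev_major, rev_minor), "status": status, "serial": serial,
        "product_name": item[33:33 + name_len].decode("ascii", "replace"),
        "state": item[33 + name_len],
    }


def parse_list_identity_response(data):
    """Return the list of identity items in a ListIdentity reply (a device may answer with several)."""
    header, payload = parse_encapsulation_header(data)
    if header["command"] != CMD_LIST_IDENTITY or header["status"] != 0:
        raise ValueError("not a successful ListIdentity reply")
    (item_count,) = struct.unpack_from("<H", payload, 0)
    offset, identities = 2, []
    for _ in range(item_count):
        type_id, item_len = struct.unpack_from("<HH", payload, offset)
        offset += 4
        item = payload[offset:offset + item_len]
        if len(item) != item_len:
            raise ValueError("CPF item runs past end of payload")
        offset += item_len
        if type_id == CPF_IDENTITY_ITEM:
            identities.append(parse_identity_item(item))
    return identities


if __name__ == "__main__":
    print("request:", build_list_identity(b"\x00" * 8).hex())
    for ident in parse_list_identity_response(SAMPLE_RESPONSE):
        print(ident)
```

On a live target, `build_list_identity()` is sent over TCP to 44818 (or as a UDP broadcast) and the reply is handed to `parse_list_identity_response()`; matching the echoed sender context against the one sent is the cheap way to pair replies with probes when scanning a subnet.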

ETP

Name ETP
Description Energistics' protocol for interoperable oil and gas data exchange
Keywords Energistics
Detailed page etp.md

FF-HSE

Name FF-HSE
Alias Foundation Fieldbus HSE, FF
Description Ethernet-based communication for industrial process automation devices
Port 1089/tcp, 1090/tcp, 1091/tcp, 1089/udp, 1090/udp, 1091/udp
Wireshark dissector packet-ff.c
Detailed page ff-hse.md

FINS

Name FINS
Alias OMRON
Description Omron's industrial communication protocol for automation systems
Port 9600/udp
Nmap script(s) omrontcp-info.nse, omronudp-info.nse
Wireshark dissector packet-omron-fins.c
Detailed page fins.md

Conferences

FL-net

Name FL-net
Alias Factory LAN, OPCN-2
Description Japan Electrical Manufacturers' Association's industrial-use open network
Keywords JEMA
Port 55000/udp, 55001/udp, 55002/udp, 55003/udp
Access Free
Specifications FL-net specification
Detailed page fl-net.md

FOCAS

Name FOCAS
Description Standard protocol for collecting data from Fanuc CNC machines
Keywords Fanuc, CNC
Port 8193/tcp
Detailed page focas.md

Articles

GE-SRTP

Name GE-SRTP
Alias Fanuc
Description General Electric's protocol for communication between GE devices and SCADA
Port 18245/tcp
Detailed page ge-srtp.md

GVCP

Name GVCP
Description GigE Vision communication protocol for industrial cameras
Keywords GigE Vision, Camera
Port 3956/udp
Specifications GigE Vision Standard
Wireshark dissector packet-gvcp.c
Detailed page gvcp.md

Documentations

  • GVCP packets - Details about GVCP packets from Aravis' documentation

Tools

  • GigeVision - Simple GigeVision implementation with GVCP and GVSP

GVSP

Name GVSP
Description GigE Vision stream protocol for industrial cameras
Keywords GigE Vision, Camera
Port 20202/udp
Specifications GigE Vision Standard
Wireshark dissector packet-gvsp.c
Detailed page gvsp.md

Tools

  • GigeVision - Simple GigeVision implementation with GVCP and GVSP

HART-IP

Name HART-IP
Alias HART, WirelessHART
Description IP-based transport for HART (Highway Addressable Remote Transducer) field-device data
Wireshark dissector packet-hartip.c
Example Pcap(s) ICS-pcap HART-IP
Detailed page hart-ip.md

Articles

Conferences

HICP

Name HICP
Alias SHICP
Description HMS IP Configuration Protocol
Keywords Anybus
Port 3250/udp
Wireshark dissector packet-hicp.c, packet-shicp.c
Scapy layer hicp.py
Detailed page hicp.md

HL7

Name HL7
Description Standard for healthcare data exchange and interoperability
Wireshark dissector packet-hl7.c
Detailed page hl7.md

Conferences

ICCP

Name ICCP
Alias IEC 60870-6, TASE.2
Description Real-time data exchange between power system control centers
Keywords Power
Port 102/tcp
Access Paid
Specifications ICCP (TASE.2) specification
Detailed page iccp.md

Conferences

IEC-60870-5-104

Name IEC-60870-5-104
Alias IEC-104
Description Grid communication protocol for control and monitoring
Port 2404/tcp
Access Paid
Specifications IEC-60870-5-104 Specification
Nmap script(s) iec-identify.nse
Wireshark dissector packet-iec104.c
Scapy layer iec104.py
Example Pcap(s) ICS-pcap IEC-60870-5-104, Industroyer2 pcap samples
Detailed page iec-60870-5-104.md

Conferences

Papers

Tools

IEC-61850

Name IEC-61850
Alias IEC-61850/GOOSE, IEC-61850/GSSE, IEC-61850/SV
Description Communication networks and systems for power utility automation
Keywords Power grid
Access Paid
Specifications IEC 61850 Specification
Wireshark dissector packet-goose.c, packet-sv.c
Detailed page iec-61850.md

Conferences

Tools

  • libiec61850 - Open-source library for the IEC 61850 protocols

IEEE-C37.118

Name IEEE-C37.118
Alias C37.118, Synchrophasor, Synphasor
Description Standard for synchrophasor data exchange in power systems
Keywords Power
Wireshark dissector packet-synphasor.c
Detailed page ieee-c37118.md

Tools

  • OpenPDC - Open Source Phasor Data Concentrator
  • PyMU - Library based on the C37.118.2-2011 standard used for accessing PMU data in real-time

ISA100.11a

Name ISA100.11a
Description Wireless standard for industrial automation and control systems
Detailed page isa10011a.md

Conferences

KNXnet/IP

Name KNXnet/IP
Alias KNX, KNX/IP, Konnex
Description Protocol for home and building automation systems
Keywords BMS, BAS, Building
Port 3671/udp
Access Free
Specifications KNXnet/IP Specifications
Security Optional, Security extensions available
Nmap script(s) knx-gateway-discover.nse, knx-gateway-info.nse
Wireshark dissector packet-knxip.c
Scapy layer knx.py
Detailed page knxnetip.md

Documentations

Conferences

Papers

Tools

  • BOF - Testing framework for industrial protocols
  • calimero - Lightweight KNX/IP framework in Java
  • ETS - Engineering Tool Software for KNXnet/IP (ETS Demo is free)
  • KNX Virtual - Windows-based application simulating a KNX installation
  • knxd - KNXd service
  • KNXmap - KNXnet/IP scanning and auditing tool
  • Unpwning A Building - Peter Panholzer @ S4x22 (2022)
  • XKNX - A KNX library written in Python

LIS

Name LIS
Alias LIS01-A2, LIS02-A2
Description Protocol to transfer messages between clinical laboratory instruments and computer systems.
Keywords CLSI, Healthcare, Medical
Port 1520
Access Paid
Specifications CLSI LIS01-A1 Specifications
Detailed page lis.md

LoRaWAN

Name LoRaWAN
Alias LoRa
Description Long-range IoT communication protocol with low power requirements
Keywords Wireless
Access Free
Specifications LoRaWAN specification
Wireshark dissector packet-lorawan.c
Detailed page lorawan.md

Conferences

Tools

LSV/2

Name LSV/2
Alias LSV2
Description Communication protocol for Computer Numerical Control
Keywords CNC, Heidenhain
Access Paid
Detailed page lsv2.md

Documentations

Tools

  • pyLSV2 - A pure Python3 implementation of the LSV2 protocol

M-Bus

Name M-Bus
Alias Meter-Bus, EN13757
Description Communication protocol for utility metering devices
Access The old specification is free, not the current one
Specifications M-Bus specification
Detailed page m-bus.md

Conferences

MDLC

Name MDLC
Description Motorola Data Link Control protocol
Keywords Motorola
Detailed page mdlc.md

Conferences

MELSEC

Name MELSEC
Alias MEL-SEC, MELSEC-Q
Description Communication protocol for Mitsubishi Electric's MELSEC series of PLCs
Keywords Mitsubishi, MELSOFT
Port 5007/tcp, 5006/udp
Nmap script(s) melsecq-discover.nse, melsecq-discover-udp.nse
Detailed page melsec.md

Conferences

Modbus

Name Modbus
Alias Modbus TCP
Description Widely used industrial communication protocol
Port 502/tcp
Specifications Modbus TCP Specification
Nmap script(s) modbus-discover.nse, modicon-info.nse
Wireshark dissector packet-mbtcp.c
Scapy layer modbus.py
Example Pcap(s) ICS-pcap Modbus, S4x15 ICS Village PCAP Files
Detailed page modbus.md

Documentations

Articles

Conferences

Tools

  • ctmodbus - A tool to interact with the Modbus protocol
  • Malmod - Scripts to attack Modicon M340 via UMAS
  • mbtget - A simple Modbus/TCP client in Perl
  • PyModbus - A full modbus protocol written in python
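
Modbus/TCP is the protocol most of the tools above speak: a 7-byte MBAP header (transaction id, protocol id 0, length, unit id) followed by the PDU (function code and data), with no authentication anywhere. The following is an added example for this page, not code from the repository or from any listed tool. It builds a Read Holding Registers request, parses replies including exception responses (function code with the high bit set), validates the MBAP length field against the bytes actually received, and flags function code 0x5A, which is how Schneider's UMAS (listed further down, and dissected by modbus-umas-schneider.lua) is tunnelled inside Modbus. Because Modbus/TCP frames do not mark direction, the caller says whether it is parsing a request or a response. Sample frames are constructed for the example; it needs only the Python standard library.

```python
import struct

MODBUS_TCP_PORT = 502            # from the page
FC_READ_HOLDING_REGISTERS = 0x03
FC_UMAS = 0x5A                   # function code 90: Schneider UMAS encapsulated in Modbus
EXCEPTION_CODES = {
    0x01: "ILLEGAL FUNCTION",
    0x02: "ILLEGAL DATA ADDRESS",
    0x03: "ILLEGAL DATA VALUE",
    0x04: "SERVER DEVICE FAILURE",
}

# Constructed samples (not real captures): a reply with registers 0x1234, 0x5678 and an
# exception reply "ILLEGAL DATA ADDRESS" to a Read Holding Registers request
SAMPLE_RESPONSE = bytes.fromhex("0001" "0000" "0007" "01" "03" "04" "1234" "5678")
SAMPLE_EXCEPTION = bytes.fromhex("0002" "0000" "0003" "01" "83" "02")


def build_read_holding_registers(transaction_id, unit_id, start_address, quantity):
    """ADU = MBAP header + PDU for function 0x03 (Read Holding Registers)."""
    if not 1 <= quantity <= 125:
        raise ValueError("quantity must be 1..125 (limit for function 0x03)")
    pdu = struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start_address, quantity)
    # MBAP length counts the unit id plus the PDU, not the 6 bytes before it
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_modbus_tcp(frame, response=True):
    """Parse one Modbus/TCP ADU; raises ValueError when the MBAP length disagrees with the data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %#x is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match %d bytes present" % (length, len(frame) - 6))
    fc, body = frame[7], frame[8:]
    result = {"transaction_id": tid, "unit_id": unit, "function": fc & 0x7F}
    if response and fc & 0x80:
        # Exception response: original function code | 0x80, then a single exception code
        code = body[0] if body else None
        result["exception"] = code
        result["exception_name"] = EXCEPTION_CODES.get(code, "UNKNOWN")
        return result
    if fc == FC_READ_HOLDING_REGISTERS:
        if response:
            # byte count, then 16-bit big-endian register values
            if not body or body[0] != len(body) - 1 or body[0] % 2:
                raise ValueError("byte count does not match register data")
            result["registers"] = list(struct.unpack(">%dH" % (body[0] // 2), body[1:]))
        else:
            result["start_address"], result["quantity"] = struct.unpack(">HH", body[:4])
        return result
    if fc == FC_UMAS:
        result["umas"] = True        # flag it so a UMAS session is not mistaken for a user-defined function
    result["data"] = body
    return result


if __name__ == "__main__":
    request = build_read_holding_registers(1, 1, 0, 2)
    print("request :", request.hex())
    print("parsed  :", parse_modbus_tcp(request, response=False))
    print("response:", parse_modbus_tcp(SAMPLE_RESPONSE))
    print("error   :", parse_modbus_tcp(SAMPLE_EXCEPTION))
```

In a test lab the request is simply written to a TCP socket on port 502 and the reply passed to `parse_modbus_tcp()`; the length check matters because many controllers happily accept trailing garbage, and a parser that trusts the MBAP length without comparing it to the bytes received will read past the frame.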

MQTT

Name MQTT
Description Publish-subscribe network protocol for message queuing
Keywords Telemetry
Nmap script(s) mqtt-subscribe.nse
Wireshark dissector packet-mqtt.c
Scapy layer mqtt.py
Detailed page mqtt.md

Articles

Conferences

MTConnect

Name MTConnect
Alias ANSI/MTC1.4-2018
Description Protocol for data exchange between manufacturing equipment, devices, and software applications
Keywords CNC
Port 7878/tcp
Detailed page mtconnect.md

Documentations

Articles

Conferences

Niagara Fox

Name Niagara Fox
Alias Fox
Description Communication protocol used by Tridium Niagara devices
Keywords Tridium
Port 1911/tcp, 3011/tcp, 4911/tcp, 5011/tcp
Nmap script(s) fox-info.nse
Detailed page niagara-fox.md

Tools

  • foxdissector - Wireshark dissector for the Niagara Fox protocol in Lua

OPC-DA

Name OPC-DA
Alias OPCDA
Description Legacy protocol for real-time data exchange in industrial systems
Scapy layer opc_da.py
Detailed page opc-da.md

Conferences

Papers

Tools

OPC-UA

Name OPC-UA
Alias OPCUA
Description Open communication standard for industrial automation and control
Port 4840/tcp, 4840/udp, 4843/tcp (TLS)
Specifications OPC UA online reference
Wireshark dissector OPC-UA Plugin
Detailed page opc-ua.md

Articles

Conferences

Papers

Tools

  • freeopcua - Open Source C++ OPC-UA Server and Client Library
  • OpalOPC - OPC UA vulnerability and misconfiguration scanner
  • opcua-asyncio - Asyncio-based asynchronous OPC UA client and server based on python-opcua
  • opcua-client-gui - Simple OPC-UA GUI client
  • python-opcua - OPC UA Client and Server in Python
  • UA-.NETStandard - Official OPC UA .NET Standard Stack from the OPC Foundation

PC-WORX

Name PC-WORX
Description Software suite with proprietary protocol for Phoenix Contact PLCs
Keywords Phoenix Contact
Port 1962/tcp
Nmap script(s) pcworx-info.nse
Detailed page pc-worx.md

PCCC

Name PCCC
Alias AB/PCCC
Description Legacy command/response protocol for Allen-Bradley PLC communication
Keywords Allen-Bradley
Detailed page pccc.md

Articles

POWERLINK

Name POWERLINK
Alias Ethernet PowerLink, EPL
Description Real-time Ethernet protocol for industrial automation and control
Port None (Layer 2, carried directly in Ethernet frames with EtherType 0x88AB)
Wireshark dissector packet-epl.c
Example Pcap(s) ICS-pcap POWERLINK
Detailed page powerlink.md

Articles

Tools

ProConOs

Name ProConOs
Description Real-time operating system with proprietary protocol for industrial automation and control
Port 20547/tcp
Nmap script(s) proconos-info.nse
Detailed page proconos.md

Profinet-DCP

Name Profinet-DCP
Alias PNDCP
Description Device identification, configuration, and network management protocol
Port None (Layer 2, carried directly in Ethernet frames with EtherType 0x8892)
Scapy layer pnio_dcp.py
Detailed page profinet-dcp.md

Profinet-IO

Name Profinet-IO
Alias PNIO
Description Real-time communication between controllers and I/O devices
Port 34962/udp, 34963/udp, 34964/udp
Scapy layer pnio.py
Detailed page profinet-io.md

Articles

RTPS

Name RTPS
Description Real-Time Publish-Subscribe protocol, the wire protocol of the Data Distribution Service (DDS)
Keywords RTI, DDS
Port 7412/udp
Wireshark dissector packet-rtps.c
Scapy layer rtps
Detailed page rtps.md

Conferences

S-Bus

Name S-Bus
Alias Ether-S-Bus, SAIA S-Bus
Description SAIA's communication protocol for building automation
Keywords SAIA
Access Free
Wireshark dissector packet-sbus.c
Example Pcap(s) ICS-pcap Ether-S-Bus
Detailed page s-bus.md

Conferences

S7comm

Name S7comm
Alias S7, S7commPlus
Description Communication protocol for Siemens S7 PLCs
Port 102/tcp
Nmap script(s) s7-info.nse, s7-enumerate.nse
Wireshark dissector packet-s7comm.c
Example Pcap(s) ICS-pcap S7
Detailed page s7comm.md

Articles

Conferences

Tools

  • python-snap7 - A Python wrapper for the snap7 PLC communication library
  • s7-pcaps - Traffic captures between STEP7/WinCC and S7-300/S7-400 PLCs
  • s7scan - Scan networks to gather basic information about Siemens PLCs
  • Snap7 - Step7 Open Source Ethernet Communication Suite

SECS/GEM

Name SECS/GEM
Alias SECS, SECS-I, SECS-II, HSMS
Description Semiconductor equipment communication standard with generic equipment model
Keywords Semiconductor, MES
Port 5000/tcp (HSMS)
Detailed page secsgem.md

SERCOS-III

Name SERCOS-III
Alias SERCOS
Description IEC standard universal bus for Ethernet-based real-time communication
Wireshark dissector packet-sercosiii.c
Detailed page sercos-iii.md

SLMP

Name SLMP
Alias Seamless Message Protocol
Description CC-Link's messaging protocol for industrial automation communication
Keywords Mitsubishi, CC-Link, CLPA
Access Free
Specifications SLMP specification
Detailed page slmp.md

Tools

SOME/IP

Name SOME/IP
Description Automotive Ethernet protocol for ECU communication over IP networks
Keywords Automotive, ECU
Port 30490
Wireshark dissector packet-someip.c
Detailed page someip.md

Documentations

  • SOME-IP.com - Main website with resources about SOME/IP

Conferences

TriStation

Name TriStation
Alias Triconex TriStation
Description Triconex's proprietary protocol for safety system communication
Keywords Triconex, TRITON
Wireshark dissector TriStation.lua
Detailed page tristation.md

Articles

Conferences

Tools

  • tricotools - Triconex TriStation utilities and tools

TSAA

Name TSAA
Description Messaging protocol to read and write data to Triconex controllers
Keywords Triconex
Detailed page tsaa.md

Documentations

UMAS

Name UMAS
Description Schneider Electric's proprietary protocol for communication systems
Nmap script(s) modicon-info.nse
Wireshark dissector modbus-umas-schneider.lua
Detailed page umas.md

Articles

Conferences

Tools

  • Apache PLC4PY UMAS Driver - UMAS protocol implementation in Python including ability to read the data dictionary (2024)
  • Malmod - Scripts to attack Modicon M340 via UMAS

WITS

Name WITS
Alias WITS0, WITSML
Description Real-time drilling data transfer standard in oil and gas
Keywords Wellsite, Drilling, Geology
Detailed page wits.md

XCP

Name XCP
Alias Universal Measurement and Calibration Protocol, ASAM MCD-1 XCP
Description Interface usually working on top of other transports (such as USB, CAN/CAN-FD, FlexRay, Ethernet, SxI) to read and write the memory of an ECU
Keywords CANbus, Automotive, XCP, ASAM MCD-1 XCP
Access Paid
Specifications XCP Book v1.5, ASAM MCD-1 XCP specifications
Scapy layer automotive/xcp
Detailed page xcp.md

Documentations

Tools

  • a2lparser - Python A2L parser and XML exporter
  • AutoFuze - Automotive Fuzzing tool providing XCP implementation over USB and CAN
  • xcpdump - ASAM XCP sniffer for SocketCAN

ZigBee

Name ZigBee
Alias ZBee
Description Wireless communication protocol for low-power IoT devices.
Wireshark dissector packet-zbee-nwk.c
Scapy layer zigbee.py
Detailed page zigbee.md

Conferences

Papers

Tools

  • KillerBee - IEEE 802.15.4/ZigBee Security Research Toolkit
  • Mirage - Framework dedicated to the security analysis of wireless communications

Although the resources added to this page are always manually checked, not all resources linked here (especially tools) have been tested. Please remain careful when using them and don't run untrusted code on your installation.

awesome-industrial-protocols is licensed under CC0. Turn/IP is licensed under GPL-v3.