Wireshark 8 – SCADA and Industrial Control Systems Analysis and Troubleshooting

This course is designed for Networking, Engineering and Security personnel that need to develop a set of packet investigation techniques through study of the Industrial Control Systems and SCADA networking Protocols using Wireshark and other Open-Source Analysis tools. Successful completion of this course will provide these individuals with a path-way into the field of both Network and Forensics Analysis.

Format: 5 days Classroom Instruction
Start/End Times: 0830-1630
Recommended Class Size: 5-12
Audience: Intermediate
Recommended Prerequisites: Completion of Wireshark 1 and Wireshark 2 or equivalent networking and Wireshark experience


The technologies of Industrial Control Systems and SCADA architecture comprise many of the critical components of the worldwide critical infrastructure. Effective analysis and troubleshooting such advanced technologies encompasses the skills of not only capturing data, but also the ability to discern unusual patterns hidden within seemingly normal network traffic. This course will provide the student with a set of investigate and analysis techniques focusing on the use of vendor-neutral, Open-Source Tools such as Wireshark to provide insight into the following areas:

  • Specialized configuration and advanced traffic capture tips
  • Recognition, analysis and threat recognition for a many of the Industrial Control Systems currently in use in such sectors as: Energy production, Water, food and transportation technologies including IEC 60870, IEC 60870-5, IEC 60870-6 standard protocols: BACNET, CODESYS, DNP3, EIP, Ethercat, Modbus, Point Protocol, S7, HART IP, and ISO Protocol Stacks
  • Specialized ICS Analysis techniques including data traffic reconstruction and viewing techniques.

Real-World examples will be utilized throughout the course in conjunction with numerous hands-on exercises to provide field proven, practical analysis skills. Attendees will receive a student guide including numerous reference files and networking and forensics tools, as well as a library of reference documents.

Course Details:

I. Introduction to Advanced Network Analysis

  • Logistics
  • Network analysis challenges, Nomenclature, Terminology and the Next Generation Protocols

II. Collecting the Data – Data Capture

  • Recap – Data Collection
    • Configuring Wireshark 2.0
      • New features to enhance capture, USBPcap / Androiddump
      • Using capture filters to capture specific suspect traffic
    • Stealth / Silent Collection of Data – Tips & Techniques
    • WiFi Device Analysis using AirPcap Control Panel
      • New Wireless Toolbar and WiFi features – WEP / WPA / WPA2 Decryption
      • Bluetooth capture features
    • Location – How Network Infrastructure Devices Affect Network Analysis
      • Hubs, Switches, Bridges, Routers, Firewalls and CSU / DSU

III. Industrial Control Systems Architecture & Components

  • Architecture
    • Supervisory Control and Data Acquisition (SCADA)
    • Digital Control System (DCS)
    • Non-Centralized Systems (NCS)
  • Components
    • General-purpose computers
    • Programmable Logic Controller (PLC)
    • Remote Telemetry (or Terminal) Units (RTUs)
    • Special purpose systems
    • Smart sensors and actuators

IV. Analysis of Network Applications and User Traffic

  • Key ICS / SCADA Protocols
    • What’s Normal vs. Abnormal – The Role of Control System Baseline Files
    • Color Rules
    • Filtering & Pattern recognition
    • Building a Baseline Library – Where Do I go to Find Samples?
  • IEC 60870, IEC 60870-5, IEC 60870-6 standard protocols
    • ICS / SCADA Protocol Stacks
      • How do the standard TCP / IP Protocols fit in?
    • BACNET
      • Structure and Analysis
      • Structure and Analysis
    • DNP3
      • Structure and Analysis
    • EIP
      • Structure and Analysis
    • Ethercat
      • Structure and Analysis
    • Modbus
      • Structure and Analysis
    • Point Protocol
      • Structure and Analysis
    • S7
      • Structure and Analysis
    • HART IP
      • Structure and Analysis
    • ISO Protocol Stacks
      • Structure and Analysis

V. Network Analysis Methodology

  • Analyzing the Network Communication Architecture
  • Analyzing Conversations and Activities
    • Analyzing Conversations and Activities Using Expert Systems to Determine Unusual Activity
      • Determining Which Conversations Are Suspect – Analyzing Latency and Throughput to recognize and analyze suspicious user traffic
  • A Sample Advanced Network Analysis Methodology
    • 6 Steps for practical ICS / SCADA Network Analysis
      • Answering the key questions
      • A Sample Network Analysis Methodology
  • Diagraming Conversations – A Picture is worth 1024 Words
    • Related Packet and Intelligent Scrollbar features

VI. Security Concerns in the ICS / SCADA Environment – When Things go Wrong

  • Exploiting the Target & Exploits
    • Drive-by-Downloads
    • Ransomware, Crimeware and Malware – Worms & Virus’s
    • Fake Login’s & Password Hijacks
    • Overflow’s
    • Internet-Based Exploits
  • Attacks
    • Bots, Botnets, Bot Herders
    • Denial of Service (DoS / DDoS)

VII. Where do we go from Here?

  • Wireshark 0 – TCP/IP Networking Fundamentals Using Wireshark
  • Wireshark 1 – TCP/IP Network Analysis
  • Wireshark 2 – Advanced Network and Security Analysis
  • Wireshark 3 – Network Forensics Analysis
  • Wireshark 4 – Mobile Device Forensics Analysis
  • Wireshark 5 – Cloud and Internet of Things (IoT) Advanced Network Analysis
  • Wireshark 6 – VoIP Advanced Network Analysis
  • Wireshark 7 – WiFi Advanced Network Analysis
  • Wireshark 8 – SCADA and ICS Advanced Network Analysis