Passive Scanning in Modbus Networks

  • Jesus Gonzalez
  • Mauricio Papa
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 253)

This paper describes the design and implementation of a passive scanner for Modbus networks. The tool integrates packet parsing and passive scanning functionality to interpret Modbus transactions and provide accurate network representations. In particular, the scanner monitors Modbus messages to maintain and update state table entries associated with field devices. Entries in the state tables record important information including function codes, transaction state, memory access and memory contents. The performance and reporting capabilities of the passive scanner make it an attractive network troubleshooting and security tool for process control environments.

Keywords: Process control systems, Modbus protocol, passive network scanning
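The state-table maintenance the abstract describes, shown as an added example that is not the authors' scanner: a small Python parser for Modbus/TCP frames that records, per unit id, the function codes seen, the register contents learned from read replies and write transactions, and the number of exception replies. The framing follows the MODBUS Application Protocol and Modbus/TCP implementation guides; only function codes 0x03 and 0x06 are decoded, and the sample capture is constructed for illustration.

```python
import struct

READ_HOLDING_REGISTERS = 0x03  # function codes per the MODBUS Application Protocol spec
WRITE_SINGLE_REGISTER = 0x06

class PassiveModbusScanner:
    """Builds a per-unit state table from Modbus/TCP frames observed on the wire."""
    def __init__(self):
        self.state = {}    # unit id -> {"function_codes", "registers", "exceptions"}
        self.pending = {}  # (unit id, transaction id) -> (function code, request data)

    def observe(self, frame):
        """Parse one MBAP header + PDU; a frame whose (unit, transaction id) matches an
        outstanding request is its reply, anything else starts a new transaction."""
        tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
        if proto != 0 or length != len(frame) - 6:
            raise ValueError("malformed MBAP header")
        fc, data = frame[7], frame[8:]
        entry = self.state.setdefault(unit, {"function_codes": set(), "registers": {}, "exceptions": 0})
        key = (unit, tid)
        if key not in self.pending:
            entry["function_codes"].add(fc)
            self.pending[key] = (fc, data)
            return "request"
        req_fc, req_data = self.pending.pop(key)
        if fc & 0x80:  # exception reply: request code | 0x80, followed by the exception code
            entry["exceptions"] += 1
            return "exception"
        if req_fc == READ_HOLDING_REGISTERS:  # reply carries byte count + register values
            start = struct.unpack(">H", req_data[:2])[0]
            nbytes = data[0]
            values = struct.unpack(">%dH" % (nbytes // 2), data[1:1 + nbytes])
            for i, v in enumerate(values):
                entry["registers"][start + i] = v
        elif req_fc == WRITE_SINGLE_REGISTER:  # reply echoes the address and written value
            addr, value = struct.unpack(">HH", data[:4])
            entry["registers"][addr] = value
        return "reply"

# Constructed sample capture (not from the paper): unit 1 answers a read of two holding
# registers at 0x0010 and a write of 0x1234 to 0x0011, then rejects an out-of-range read.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0010 0002"),     # tid 1 request: read 2 regs @0x0010
    bytes.fromhex("0001 0000 0007 01 03 04 00aa 00bb"),  # tid 1 reply: 0x00aa, 0x00bb
    bytes.fromhex("0002 0000 0006 01 06 0011 1234"),     # tid 2 request: write 0x1234 @0x0011
    bytes.fromhex("0002 0000 0006 01 06 0011 1234"),     # tid 2 reply: echo of the request
    bytes.fromhex("0003 0000 0006 01 03 ffff 0001"),     # tid 3 request: read 1 reg @0xffff
    bytes.fromhex("0003 0000 0003 01 83 02"),            # tid 3 reply: exception code 02
]
```

Feeding SAMPLE_FRAMES to `PassiveModbusScanner.observe` in order leaves unit 1 with function codes {3, 6}, registers 0x0010 = 0x00aa and 0x0011 = 0x1234 (the read value 0x00bb overwritten by the later write), and one recorded exception.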


Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Jesus Gonzalez, CITGO Petroleum, Houston, USA
  • Mauricio Papa, Computer Science, University of Tulsa, Tulsa, USA