
Device type or device version through the protocol header frame

asked 2021-04-20 15:59:11 +0000

macampic

Is there any way I could know the device type or device version through the protocol header frame for an OT environment? Or any other way? Not nmap.


Comments

Depends entirely on the protocols being used and possibly the messages exchanged by the protocol. What protocol do you have in mind?

grahamb ( 2021-04-20 16:13:36 +0000 )

I am thinking about industrial protocols, for example Modbus. I would like to know if, for example, it is a PLC or HMI.

macampic ( 2021-04-20 16:15:29 +0000 )

These are commercial products (The ICS Detection Challenge took place at S4x18 and S4x19) with some talk about open source tools in the S4x19 ICS Detection Challenge Results.
There are a few "community tools" available from Dragos.

Chuckc ( 2021-04-21 01:08:29 +0000 )

Presumably "OT" means "operational technology".

Guy Harris ( 2021-04-21 08:50:15 +0000 )

In this case yes, the part of the network involved in the (usually) industrial process that is unfortunately sometimes connected to the IT network and occasionally even worse, part of the same. In an ideal world there would be an airgap.

grahamb ( 2021-04-21 09:24:04 +0000 )

1 Answer


answered 2021-04-20 18:05:34 +0000

grahamb

For Modbus you can determine which is the client and which is the server by the source IPs of the requests and responses. A server is more than likely a PLC and an HMI more than likely a client. Some items, e.g. a SCADA system, could be both, as a client to a PLC and as a server for handoff to other items, e.g. an HMI.

There is nothing else in the Modbus protocol that would allow you to determine specifics about the devices, although some servers might map data such as hardware\software versions to specific registers, but that would be specific for that device and its configuration. Clients won't be sending anything that might identify them.

Other protocols, e.g. DNP3, do have protocol-specific commands to obtain device information such as group 0 Device Attributes, but unless a master station issues a request for these values you won't see them in the traffic.


Comments

You may also be able to infer the manufacturer by inspection of the MAC addresses, if the device is on the same network segment.

grahamb ( 2021-04-22 16:03:39 +0000 )
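
An added example (not part of the original thread) of the passive role inference described in the answer: it validates the Modbus/TCP MBAP header and labels each IP by whether it sends requests to, or responses from, port 502. The sample frames, addresses and label strings are constructed for illustration, and it assumes servers listen on the standard port 502.

```python
import struct
from collections import defaultdict

MODBUS_TCP_PORT = 502  # registered Modbus/TCP server port (assumed in use)

def parse_mbap(payload):
    """Return (transaction_id, unit_id, function_code), or None if not Modbus/TCP."""
    if len(payload) < 8:                      # 7-byte MBAP header + function code
        return None
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    # Protocol id is always 0; length counts the unit id and everything after it.
    if proto != 0 or length != len(payload) - 6:
        return None
    return tid, unit, func

def classify(frames):
    """Map each IP to a role label inferred from who talks to port 502."""
    roles = defaultdict(set)
    for src, sport, dst, dport, payload in frames:
        if parse_mbap(payload) is None:
            continue                          # not Modbus/TCP, ignore
        if dport == MODBUS_TCP_PORT and sport != MODBUS_TCP_PORT:
            roles[src].add("client")          # request: sender is the client
            roles[dst].add("server")
        elif sport == MODBUS_TCP_PORT and dport != MODBUS_TCP_PORT:
            roles[src].add("server")          # response: sender is the server
            roles[dst].add("client")
    labels = {
        frozenset({"server"}): "server (likely PLC)",
        frozenset({"client"}): "client (likely HMI)",
        frozenset({"client", "server"}): "client and server (e.g. SCADA)",
    }
    return {ip: labels[frozenset(r)] for ip, r in roles.items()}

# Constructed sample frames: (src_ip, src_port, dst_ip, dst_port, TCP payload).
READ_REQ = bytes.fromhex("000100000006010300000002")    # read 2 holding registers
READ_RSP = bytes.fromhex("00010000000701030400 0a0014".replace(" ", ""))
SAMPLE = [
    ("192.0.2.30", 49200, "192.0.2.20", 502, READ_REQ),  # SCADA polls PLC
    ("192.0.2.20", 502, "192.0.2.30", 49200, READ_RSP),
    ("192.0.2.10", 49300, "192.0.2.30", 502, READ_REQ),  # HMI polls SCADA
    ("192.0.2.30", 502, "192.0.2.10", 49300, READ_RSP),
    ("192.0.2.99", 49400, "192.0.2.20", 502, b"GET / HTTP/1.1\r\n"),  # not Modbus
]

if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE).items()):
        print(ip, label)
```

The MBAP header itself does not distinguish a request from a response, so the direction relative to port 502 is what carries the role information.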

Asked: 2021-04-20 15:59:11 +0000

Seen: 886 times

Last updated: Apr 20 '21