What is Wireshark?
Wireshark is a powerful, free protocol analyser with which you can capture and analyse network traffic in real time. It supports hundreds of network protocols, including those widely used in industrial automation.
In OT networks, Wireshark is an essential tool for troubleshooting, protocol analysis and security investigation, for example with Modbus TCP, ProfiNET, OPC UA or ARP issues.
🧠 How does Wireshark work?
- Wireshark listens to a network interface and captures all packets (e.g. from a SPAN port or TAP)
- Packets are displayed in three sections:
- Packet list (with time, source, destination, protocol)
- Packet details (structured according to the OSI model)
- Packet bytes (hex and ASCII)
-
Filters such as
ip.addr == 192.168.0.10ormodbusenable targeted analysis -
Support for export to
.pcap,.csv,.jsonand partial analysis
Wireshark runs on Windows, Linux and macOS and supports both Ethernet and wireless interfaces.
🏭 Application of Wireshark in OT networks
- Analysis of communication between PLCs and HMIs or SCADA
- Troubleshooting network problems (e.g. incorrect BOOTP/DHCP behaviour, ARP conflicts)
- Inspecting Modbus TCP traffic to understand error codes or timeouts
- Verifying time synchronisation via NTP or PTP
- Detecting unauthorised or abnormal devices (via MAC address and SNMP)
- Supporting cybersecurity investigations, such as detecting ARP spoofing or port scanning
Wireshark is often the first tool reached for during OT network incidents.
🔍 Wireshark vs. tcpdump
| Aspect | Wireshark | tcpdump (CLI tool) |
|---|---|---|
| Interface | Graphical (GUI) | Command line |
| Ease of use | Intuitive, visual | Requires CLI knowledge |
| Filtering | Advanced (display and capture filters) | Also powerful, but without visualisation |
| Use in OT | Yes – widely used | Yes – particularly on headless systems |
🔐 Security aspects
- Only use Wireshark on controlled and authorised networks
- Be careful with sensitive data — captured traffic can contain login credentials or PLC commands
- Wireshark itself does not disrupt traffic, but its use on SPAN ports or TAPs must be carefully managed
- Combine with SIEM for forensic analysis after incidents
- Log access to capture files and remove sensitive captures after analysis
In production networks, it is advisable to use Wireshark only via a read-only switch port or TAP.
📌 In summary
Wireshark is an indispensable diagnostic tool in industrial networks, suited to both maintenance and security investigations. Through its broad protocol support and visual filters, it is ideal for analysing communication between industrial components.