Modbus is an industrial protocol used to communicate with automation devices. The initial protocol version was implemented over a serial layer, whereas the current version named ModbusTCP is a variant of the original protocol running over TCP/IP.
This blog post describes how ntopng monitors ModbusTCP traffic: it detects Modbus flows via nDPI and dissects them building an internal flow representation. For each flow, ntopng keeps track of the function codes uses, exceptions and registers accessed.
It also reports the transitions between function Ids and depicts them graphically: the more transitions the ticker is the line of the graph.
ntopng’s behavioural checks have been extended in order to supervise Modbus communication and detect anomalies.
These checks trigger an alert when a flow:
- Reports too many (configurable) exceptions that usually indicate issues.
- Requests an unexpected function code. The network administrator can list the allowed function codes, triggering an alert for other function codes that have been observed but not configured.
- An unexpected function code transition is reported.
As with IEC 60870-5-104, in ntopng preferences it is possible to specify for how long traditions of a ModbusTCP flows are observed.
During the learning period, ntop keeps track of the transitions and stores them internally. Past the specified learning time, ntopng triggers an alert whenever an invalid transition is observed.
Modbus support is currently implemented in the ntopng (dev) version and it will be included in the next stable version. You can refer to the ntopng user’s guide for details.