It is very hard to protect your control systems if you don’t know what to protect. Even though you may have idea about what you have, the visibility problem goes beyond asset management issues. You need to have visibility not only in OS, firmware, software but also in network communications in the environment. On top of that you cannot use regular IT tools i.e. nmap to scan your control systems safely. You need to use passive methodologies that are safe for the control environments.


GRASSMARLIN is an open-source software tool that provides a method for discovering and cataloging Supervisory Control & Data Acquisition (SCADA) and Industrial Control System (ICS) hosts on IP-based networks. GRASSMARLIN uses a variety of sources to generate this data, including PCAP files, router and switch configuration files, CAM tables, and live network packet captures. The tool can automatically determine the available networks and generate the network topology as well as visualize the communication between hosts.

GRASSMARLIN is not an analysis tool. GRASSMARLIN exists to facilitate further analysis by a system administrator, auditor, or other individual. The focus is not on drawing conclusions from data, but on organizing large sums of data to allow people to quickly make informed decisions.

Supported Platforms

Microsoft Windows (64-bit 7, 8, and 10)
Fedora (23)
Ubuntu (14.04, 15.10, and Security Onion)
Kali 2.0
CentOS (6, 7)
Debian (8)

How To Set Up

I used Kali to install the tool. You can download debian .deb package and install it by following command:

$dpkg -i FileName.deb

After you install it you can open it


After grassmarlin starts we will see its beautiful interface:)

The Logical Graph shows Nodes for distinct IP addresses with Edges representing packets sent between them. This graph is built from packet metadata, normally provided through Pcap or Bro2Conn files.

GrassMarlin has a poweful fingerprinting function:

Let’s import some ICS pcaps. We can use File->Import File feature. You can find some examples of ICS packets at



We can group the nodes by network, country, MAC, Manufacturer, MODBUS Role etc…


We can click View->Logical Nodes Report and get the asset inventory  as a CSV file:


Grassmarlin provides a way for us to get visibility into ICS environments. We can know asset types, communication protocols, end points’ relationships etc… Next step should be analyzing this traffic in snort, or Kibana to find out any malicious activity in the network.


Leave a Reply

Your email address will not be published. Required fields are marked *