Document ID: CSS-WP-2026-04
Suggested Wireshark Guidelines for Telemetry Detection
Introduction
This practical guidance package accompanies the ControlSystemsSecurity.com master analysis on outbound OEM cloud telemetry risks. When vendor gateways are hardwired into industrial networks, they often stream data silently, using protocols disguised as standard web traffic or benign network polling.
This guide provides the exact Wireshark display filters, capture strategies, and protocol-level footprints required to visually isolate, log, and validate outbound telemetry channels within your operational technology (OT) environment.
1. Setting Up the Capture Point (TAP vs. SPAN)
To catch outbound telemetry before it hits perimeter security devices or encrypted cellular uplinks, you must capture the traffic at the edge switch where the OEM gateway connects.
The Golden Rule: Never run Wireshark directly on an active engineering workstation or HMI to capture network traffic. Use a dedicated hardware network TAP or configure a switch SPAN/mirror port targeting the specific port of the OEM gateway.
Capture Buffer: Ensure your capture machine has sufficient disk space. Telemetry is highly repetitive; capture for a full 24-hour cycle to catch asynchronous polling intervals, shift schedule changes, and nightly batch syncs.
2. The Core Telemetry Cheat Sheet (Display Filters)
Once you open your .pcap or .pcapng file, use these purpose-built Wireshark display filters to isolate outbound data streams from normal background noise.
| Target Objective | Wireshark Display Filter Syntax | What You Are Looking For |
|---|---|---|
| Find All Outbound External IPs | ip.src == 192.168.1.0/24 && !(ip.dst == 192.168.1.0/24) | Isolates all traffic leaving your local OT subnet. Adjust subnet to match your zone architecture. |
| Isolate Common Cloud Protocols | tcp.port in {8883, 1883, 443, 9001} | Filters for MQTT (unencrypted and TLS), HTTPS WebSockets, and secure data streaming protocols. |
| Detect Hidden Industrial Writes | modbus.func_code in {5,6,15,16} || s7comm.param.func.code == 0x05 | Crucial check: verifies if an outbound telemetry connection is being used to accept inbound modifications or write commands back to the edge. |
| Flag Persistent TCP Handshakes | tcp.flags.syn == 1 && tcp.flags.ack == 0 | Identifies how frequently the gateway is attempting to establish new connections to external cloud servers. |
| Expose DNS Vendor Queries | dns.flags.response == 1 && dns.resp.name contains "cloud" | Resolves which external cloud infrastructure domains (AWS, Azure, private OEM domains) the gateway is actively calling home to. |
3. Step-by-Step Triage Workflow
Step 1: Map the Egress Destinations (The "Conversations" Triage)
Before digging into individual packets, identify exactly who the OEM gateway is talking to globally.
- Navigate to Statistics → Conversations
- Select the IPv4 or IPv6 tab
- Click the Packets column to sort by volume
- Look for public IP addresses interacting with your internal gateway IP
- Copy any unrecognized public IPs for OSINT / WHOIS verification to map them back to specific cloud providers (e.g., AWS, Azure, Aliyun)
Step 2: Unmasking Stateful Protocols (The WebSocket/MQTT Hunt)
Many modern gateways encapsulate industrial state metrics inside common web protocols to easily slide past legacy firewalls.
- Apply the filter:
tcp.port == 443 - Right-click on a prominent TCP stream and select Follow → TCP Stream
- Analyze the Handshake: Even if the payload is encrypted via TLS, look at the unencrypted Client Hello handshake. Under
Extension: server_name(SNI), you will find the exact Fully Qualified Domain Name (FQDN) the device is authenticating against. This unmasks hidden multi-tenant vendor cloud instances.
Step 3: Auditing Protocol Directionality (The Return-Path Audit)
To prove whether an outbound pipeline is truly a one-way telemetry stream or a hidden dual-direction command path, you must check for incoming payload fragments.
- Apply the display filter isolating the gateway's public cloud destination:
ip.addr == [Cloud_IP] - Go to Statistics → I/O Graph
- Configure two distinct graphs:
- Graph 1 (Outbound Telemetry):
ip.src == [Gateway_IP] && ip.dst == [Cloud_IP](Color: Green) - Graph 2 (Inbound Data/Commands):
ip.src == [Cloud_IP] && ip.dst == [Gateway_IP](Color: Red)
- Graph 1 (Outbound Telemetry):
- The Evaluation: A legitimate, hardwired telemetry stream will show a consistent, high-volume flatline or rhythmic pulse on Graph 1 (Green). If Graph 2 (Red) shows sudden, asymmetrical spikes of inbound data, the cloud platform is pushing down unmonitored data payloads — indicating a high-risk active command path.
4. Deep Packet Inspection: Dissecting Modbus Encapsulated Over TCP
When an outbound telemetry connection is subverted into an inbound command path, attackers often hide legacy industrial commands inside uninspected TCP connections. If your triage graph shows high-risk inbound traffic on an unencrypted port, you must inspect the raw byte structures for unauthorized control signals.
Below is an authentic Wireshark breakdown of an attacker using an active telemetry link to inject an unauthenticated Modbus Force Single Coil (Function Code 5) command directly to a physical controller.
Analysis Checklist for Defenders
- The Signature Data Fragment: Look for the signature Hex sequence
05 00 64 ff 00inside the raw data payload tab - The Threat: The string
05declares the function code (Write),00 64targets the physical hardware address, andff 00triggers a hard forced activation state - Mitigation Filter: To immediately surface packets where telemetry connections are processing inbound physical writes, deploy this precise filter:
modbus.func_code in {5, 6, 15, 16}
5. Automation & SIEM Ingestion (TShark JSON Script)
To avoid manual scanning, you can configure continuous automated network security monitoring via tshark (Wireshark's command-line tool). This customized script captures network frames from your SPAN port, strips out normal local traffic, and outputs telemetry connections into structured JSON format for direct ingestion into Splunk, Elastic (ELK), or a corporate SIEM dashboard.
#!/bin/bash # Continuous JSON Egress Monitor Script # Replace 'eth1' with your capture interface # Replace '192.168.50.20' with your OEM gateway IP tshark -i eth1 -l \ -Y "ip.src == 192.168.50.20 && !ip.dst == 192.168.50.0/24" \ -T ek \ -e frame.time_epoch \ -e ip.dst \ -e tcp.dstport \ -e dns.resp.name \ -e modbus.func_code \ > /var/log/siem_ot_egress_alert.json
SIEM Parsing Parameters
-T ekflag: Generates bulk-insert JSON arrays optimized for Elasticsearch and Logstash pipelines-lflag: Flushes the standard output buffer instantly per packet, ensuring real-time alerting without delay- Field mapping: Captures epoch timestamps (
frame.time_epoch), destination servers, external cloud ports, and any anomalous industrial function codes natively parsed from the stream