Document ID: CSS-WP-2026-04

Suggested Wireshark Guidelines for Telemetry Detection

Shareware Technical Guide | OT Security Engineers, Industrial Network Administrators, SOC Analysts
controlsystemssecurity.com

Introduction

This practical guidance package accompanies the ControlSystemsSecurity.com master analysis on outbound OEM cloud telemetry risks. When vendor gateways are hardwired into industrial networks, they often stream data silently, using protocols disguised as standard web traffic or benign network polling.

This guide provides the exact Wireshark display filters, capture strategies, and protocol-level footprints required to visually isolate, log, and validate outbound telemetry channels within your operational technology (OT) environment.

1. Setting Up the Capture Point (TAP vs. SPAN)

To catch outbound telemetry before it hits perimeter security devices or encrypted cellular uplinks, you must capture the traffic at the edge switch where the OEM gateway connects.

+-------------------------+ | Industrial Edge Switch | +------------+------------+ | +----------------------+----------------------+ | (Normal Path) | (SPAN / Mirror Port) v v +---------------+ +---------------+ | OEM Gateway | | Wireshark Pod | +---------------+ +---------------+ | [Capture File] v (Outbound Telemetry) [WAN / Cellular]

The Golden Rule: Never run Wireshark directly on an active engineering workstation or HMI to capture network traffic. Use a dedicated hardware network TAP or configure a switch SPAN/mirror port targeting the specific port of the OEM gateway.

Capture Buffer: Ensure your capture machine has sufficient disk space. Telemetry is highly repetitive; capture for a full 24-hour cycle to catch asynchronous polling intervals, shift schedule changes, and nightly batch syncs.

2. The Core Telemetry Cheat Sheet (Display Filters)

Once you open your .pcap or .pcapng file, use these purpose-built Wireshark display filters to isolate outbound data streams from normal background noise.

Target ObjectiveWireshark Display Filter SyntaxWhat You Are Looking For
Find All Outbound External IPsip.src == 192.168.1.0/24 && !(ip.dst == 192.168.1.0/24)Isolates all traffic leaving your local OT subnet. Adjust subnet to match your zone architecture.
Isolate Common Cloud Protocolstcp.port in {8883, 1883, 443, 9001}Filters for MQTT (unencrypted and TLS), HTTPS WebSockets, and secure data streaming protocols.
Detect Hidden Industrial Writesmodbus.func_code in {5,6,15,16} || s7comm.param.func.code == 0x05Crucial check: verifies if an outbound telemetry connection is being used to accept inbound modifications or write commands back to the edge.
Flag Persistent TCP Handshakestcp.flags.syn == 1 && tcp.flags.ack == 0Identifies how frequently the gateway is attempting to establish new connections to external cloud servers.
Expose DNS Vendor Queriesdns.flags.response == 1 && dns.resp.name contains "cloud"Resolves which external cloud infrastructure domains (AWS, Azure, private OEM domains) the gateway is actively calling home to.

3. Step-by-Step Triage Workflow

Step 1: Map the Egress Destinations (The "Conversations" Triage)

Before digging into individual packets, identify exactly who the OEM gateway is talking to globally.

  1. Navigate to Statistics → Conversations
  2. Select the IPv4 or IPv6 tab
  3. Click the Packets column to sort by volume
  4. Look for public IP addresses interacting with your internal gateway IP
  5. Copy any unrecognized public IPs for OSINT / WHOIS verification to map them back to specific cloud providers (e.g., AWS, Azure, Aliyun)

Step 2: Unmasking Stateful Protocols (The WebSocket/MQTT Hunt)

Many modern gateways encapsulate industrial state metrics inside common web protocols to easily slide past legacy firewalls.

  1. Apply the filter: tcp.port == 443
  2. Right-click on a prominent TCP stream and select Follow → TCP Stream
  3. Analyze the Handshake: Even if the payload is encrypted via TLS, look at the unencrypted Client Hello handshake. Under Extension: server_name (SNI), you will find the exact Fully Qualified Domain Name (FQDN) the device is authenticating against. This unmasks hidden multi-tenant vendor cloud instances.
[Example Wireshark SNI Fragment View] Extension: server_name (len=27) Server Name Indication extension Server Name list length: 25 Server Name Type: host_name (0) Server Name length: 22 Server Name: telemetry.oem-vendor.cloud

Step 3: Auditing Protocol Directionality (The Return-Path Audit)

To prove whether an outbound pipeline is truly a one-way telemetry stream or a hidden dual-direction command path, you must check for incoming payload fragments.

  1. Apply the display filter isolating the gateway's public cloud destination: ip.addr == [Cloud_IP]
  2. Go to Statistics → I/O Graph
  3. Configure two distinct graphs:
    • Graph 1 (Outbound Telemetry): ip.src == [Gateway_IP] && ip.dst == [Cloud_IP] (Color: Green)
    • Graph 2 (Inbound Data/Commands): ip.src == [Cloud_IP] && ip.dst == [Gateway_IP] (Color: Red)
  4. The Evaluation: A legitimate, hardwired telemetry stream will show a consistent, high-volume flatline or rhythmic pulse on Graph 1 (Green). If Graph 2 (Red) shows sudden, asymmetrical spikes of inbound data, the cloud platform is pushing down unmonitored data payloads — indicating a high-risk active command path.

4. Deep Packet Inspection: Dissecting Modbus Encapsulated Over TCP

When an outbound telemetry connection is subverted into an inbound command path, attackers often hide legacy industrial commands inside uninspected TCP connections. If your triage graph shows high-risk inbound traffic on an unencrypted port, you must inspect the raw byte structures for unauthorized control signals.

Below is an authentic Wireshark breakdown of an attacker using an active telemetry link to inject an unauthenticated Modbus Force Single Coil (Function Code 5) command directly to a physical controller.

[Packet No. 4412] — Time: 14:22:04.119 — Length: 66 Bytes Inbound Command Path: [Attacker Cloud IP] → [Internal OT Gateway] → [Target PLC] Transmission Control Protocol (TCP): Src Port: 49152, Dst Port: 502 Modbus Application Protocol (MBAP Header) Transaction Identifier: 0x2f3c (12092) Protocol Identifier: 0x0000 (Modbus TCP) Length: 0x0006 (6 bytes follow) Unit Identifier: 0x01 (Target PLC Address) Modbus Protocol (Data Payload) .000 0101 = Function Code: Force Single Coil (5) <--- CRITICAL ALERT Reference Number: 0x0064 (Coil 100 - Emergency Shutoff Valve) Data: ff00 (Value: ON / Activate)

Analysis Checklist for Defenders

5. Automation & SIEM Ingestion (TShark JSON Script)

To avoid manual scanning, you can configure continuous automated network security monitoring via tshark (Wireshark's command-line tool). This customized script captures network frames from your SPAN port, strips out normal local traffic, and outputs telemetry connections into structured JSON format for direct ingestion into Splunk, Elastic (ELK), or a corporate SIEM dashboard.

#!/bin/bash
# Continuous JSON Egress Monitor Script
# Replace 'eth1' with your capture interface
# Replace '192.168.50.20' with your OEM gateway IP

tshark -i eth1 -l \
  -Y "ip.src == 192.168.50.20 && !ip.dst == 192.168.50.0/24" \
  -T ek \
  -e frame.time_epoch \
  -e ip.dst \
  -e tcp.dstport \
  -e dns.resp.name \
  -e modbus.func_code \
  > /var/log/siem_ot_egress_alert.json

SIEM Parsing Parameters