Protocol Reference
Six live industrial protocol stacks, implemented for wire-level OT traffic generation.
Supported Protocols
| Protocol | Standard | Status | Implementation |
|---|---|---|---|
| Modbus TCP | Modbus/TCP | Production | Custom asyncio server (FC03 read, FC06/FC16 write) |
| OPC-UA | IEC 62541 | Production | asyncua server with typed node hierarchy |
| BACnet/IP | ASHRAE 135 | Production | bacpypes3 with AnalogInput objects |
| MQTT | MQTT 3.1.1 | Production | aiomqtt with JSON payloads |
| DNP3 | IEEE 1815 | Production | Group 30 Var 5 analog + CRC-16 (Wireshark-verified) |
| IEC 61850 | IEC 61850 | Production | MMS (XCBR/XSWI/MMXU/CSWI/ATCC/GGIO) + SCL XML + GOOSE (ASN.1 BER) |
Modbus TCP
Custom async implementation supporting function codes for reading holding registers (FC03) and writing single/multiple registers (FC06/FC16). Register tables map directly to simulated sensor signals via the protocol address map.
- Register address space: configurable per simulation
- Supports multiple simultaneous client connections
- Transaction ID and protocol ID handling per Modbus/TCP specification
- Wire-level pcapng captures with correct TCP/IP checksums
OPC-UA
Built on the asyncua library, providing a full OPC-UA server with typed node hierarchies. Each sensor signal is exposed as a variable node with correct data types, engineering units, and quality codes per IEC 62541.
- Node hierarchy mirrors the physical plant topology
- Data types: Float, Double, Int32, Boolean, String, DateTime
- Server discovery and endpoint enumeration
- Subscription-based data change notifications
BACnet/IP
ASHRAE 135 implementation using bacpypes3 with AnalogInput, AnalogOutput, and BinaryInput objects. Designed for building automation system (BAS) simulation scenarios.
- AnalogInput objects with present-value, status-flags, and units
- ReadProperty and ReadPropertyMultiple service support
- Device object with model name, vendor ID, and protocol version
MQTT
MQTT 3.1.1 implementation using aiomqtt with structured JSON payloads. Topic trees mirror the plant hierarchy for intuitive data subscription.
- Topic structure: plant/area/unit/signal_name
- JSON payloads with timestamp, value, quality, and unit fields
- QoS 0 and QoS 1 support
- Retained messages for current-value queries
DNP3
IEEE 1815 (DNP3) frame generation with Group 30 Var 5 analog input data objects and CRC-16 integrity verification. Frames are Wireshark-verified for protocol compliance.
- Data Link Layer with CRC-16 per DNP3 specification
- Transport Layer with FIR/FIN flags
- Application Layer with Group 30 analog input objects
- Both solicited and unsolicited response modes
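The data link layer CRC described above, worked through as an added example (this is not the project's own code): DNP3 covers the 8-byte link header and every 16-byte block of user data with a CRC-16 using polynomial 0x3D65 (bit-reflected 0xA6BC), initial value 0, a final complement, and LSB-first transmission. The builder and the verifier below reproduce the check Wireshark applies before it trusts a frame; the station addresses and user data are constructed sample values.

```python
"""DNP3 (IEEE 1815) data link framing with the DNP3 CRC-16 (added example)."""

DNP3_POLY_REFLECTED = 0xA6BC   # 0x3D65 bit-reversed, for the LSB-first shift loop
START_BYTES = b"\x05\x64"      # every DNP3 link frame begins with 0x05 0x64


def dnp3_crc(data: bytes) -> int:
    """DNP3 CRC-16: init 0, reflected shift with 0xA6BC, final one's complement."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ DNP3_POLY_REFLECTED if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_link_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Header: 05 64, LEN, CTRL, DEST (LE), SRC (LE), CRC; then 16-byte blocks each + CRC.
    LEN counts CTRL + DEST + SRC + user data (5 + len) and excludes all CRC bytes."""
    if len(user_data) > 250:
        raise ValueError("DNP3 user data is limited to 250 bytes per link frame")
    header = (START_BYTES + bytes([5 + len(user_data), control])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


def verify_link_frame(frame: bytes) -> bool:
    """Recompute every CRC; a frame with any bad block must be rejected, not parsed."""
    if len(frame) < 10 or frame[:2] != START_BYTES:
        return False
    if frame[8:10] != dnp3_crc(frame[:8]).to_bytes(2, "little"):
        return False
    remaining = frame[2] - 5          # user-data bytes announced by LEN
    pos = 10
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if len(block) < n or frame[pos + n:pos + n + 2] != dnp3_crc(block).to_bytes(2, "little"):
            return False
        pos += n + 2
        remaining -= n
    return pos == len(frame)          # no trailing garbage after the last CRC


if __name__ == "__main__":
    # Link-reset frame from master 1024 to outstation 1 (constructed sample addresses).
    print(build_link_frame(0xC0, dest=1, src=0x0400).hex(" "))
```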
IEC 61850
Full IEC 61850 implementation with three communication profiles:
- MMS (Manufacturing Message Specification): Logical nodes XCBR, XSWI, MMXU, CSWI, ATCC, GGIO for substation automation
- GOOSE (Generic Object Oriented Substation Event): Multicast event distribution using ASN.1 BER encoding for fast inter-bay signaling
- SCL (Substation Configuration Language): IEC 61850-6 XML export for substation configuration and interoperability testing
Protocol Address Mapping
Every simulation produces a protocol_map.json file that maps each protocol-specific address (Modbus register, OPC-UA node ID, BACnet object, MQTT topic, DNP3 point, IEC 61850 data attribute) to the corresponding simulated sensor signal. This enables cross-protocol correlation in analysis tools.
Wire-Level Captures
All protocol traffic is captured in IEEE pcapng format with correct TCP/IP/Ethernet stack framing and checksums. These captures can be loaded directly into Wireshark, Zeek, Suricata, or any network analysis tool for IDS rule development and testing.