nsacyber/GRASSMARLIN

★ 1,059 · Java · NOASSERTION · updated Feb 2020

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber

GRASSMARLIN is a passive network discovery and visualization tool for ICS/SCADA environments, released by the NSA's cybersecurity directorate. It fingerprints industrial protocols (Modbus, DNP3, EtherNet/IP, S7Comm, BACnet, and ~80 more) from captured PCAP files and renders a topology map of the control network. It's aimed at ICS security assessors who need to inventory a plant network without actively probing it.

The fingerprint library is genuinely impressive — 80+ XML-defined protocol signatures covering obscure vendor-specific protocols (Beckhoff, Koyo, Fatek, SEL relays) that you won't find in generic network tools. Passive-only analysis from PCAP means zero risk of tripping a PLC that can't handle unexpected packets. The plugin architecture (PCAP import, CSV import, SVG export as separate JARs) keeps the core clean. It comes from NSA IAD, so the fingerprint accuracy has real-world ICS assessment backing.

Dead project — last commit was February 2020, and it was already showing its age then. Java Swing UI in 2020 was a liability; in 2026 it's archaeology. No live capture support in the main build — you have to feed it PCAPs, which means a separate capture step and no real-time visibility. The build system is Ant, not Maven or Gradle, and the README links to a broken URL for the briefing deck. Anyone adopting this should expect to fork it and own the maintenance themselves, because upstream is gone.
