How to Monitor SCADA Protocol Traffic (Modbus RTU/TCP, IEC-104, DNP3, IEC-61850)

Monitoring SCADA protocol traffic is essential for diagnosing field issues, validating protocol behavior, troubleshooting mapping or timing problems, and improving the reliability of industrial automation systems. Whether the system uses legacy serial-based protocols such as Modbus RTU, IEC 60870-5-101, or DNP3 Serial, or modern TCP/IP-based protocols such as Modbus TCP, IEC 60870-5-104, DNP3 TCP, or IEC 61850, having real visibility into actual communication frames is critical for stable and secure operation.

This applies across all major SCADA and OT communication protocols, including:

• Modbus RTU / Modbus TCP/IP
• IEC 60870-5-101 / IEC 60870-5-104
• DNP3 Serial / DNP3 TCP
• IEC 61850 (GOOSE / MMS / SV)

Being able to capture and analyze real protocol exchanges helps engineers:

• Detect CRC errors, bad framing, malformed packets, or timeout conditions
• Confirm addressing, mapping, object numbers, and device configuration
• Validate protocol behavior — function codes, ASDUs, object values, and response times
• Identify misconfigured or failing field devices
• Spot unauthorized commands, spoofing attempts, or anomalies
• Assess network performance during commissioning, FAT, SAT, and routine maintenance

This guide explains every method available for monitoring SCADA protocol traffic across both serial communication (RS-232, RS-485) and TCP/IP Ethernet networks, covering the required hardware taps, specialized monitoring cables, and protocol analyzer software used in the industry. The goal is to help engineers safely capture, decode, and troubleshoot Modbus, DNP3, IEC-101/104, IEC-61850, and other SCADA communication protocols effectively

How to Capture and Monitor SCADA Protocol Traffic

For TCP/IP-Based SCADA Protocols (Modbus TCP, IEC 104, DNP3 TCP, IEC 61850, etc.)

The most reliable method for monitoring Ethernet-based SCADA protocols is to use a managed network switch that supports port mirroring (SPAN).

How It Works:

1. Configure the switch to mirror traffic between the SCADA client (master) and server (slave) to a designated monitoring port.
2. Connect a laptop running Wireshark or another analyzer to that mirrored port.
3. Apply protocol-specific filters such as:
   • modbus or tcp.port == 502
   • dnp3
   • iec104
   • goose / sv for IEC 61850
   • tcp.port == <specific_port> for vendor-specific protocols

Switches commonly used for SCADA monitoring:

• Cisco Catalyst / Cisco Industrial Ethernet
• Moxa EDS series
• Hirschmann / Belden BOBCAT & RS series
• RuggedCom
• Netgear / TP-Link (smaller lab setups)

Port mirroring enables completely passive, real-time visibility of SCADA traffic — essential for diagnostics, cybersecurity audits, performance analysis, and protocol verification.

For Serial-Based SCADA Protocols (Modbus RTU, IEC-101, DNP3 Serial, custom RS-232/RS-485 protocols)

Serial communication is still widely used in substations, PLC networks, legacy RTUs, and energy/infrastructure systems. However, unlike Ethernet, serial buses do not inherently support passive monitoring.

To analyze RS-232 or RS-485 traffic safely, specialized monitoring hardware is needed.

Below are the tools you included — fully integrated as SCADA-wide monitoring devices.

Triangle MicroWorks Serial Monitor Cable (RS-232 Monitoring)

The Triangle MicroWorks Serial Monitor Cable is a professional RS-232 monitoring solution designed specifically for engineers who need to capture and analyze full-duplex serial communication without interrupting the live data link. It is commonly used in SCADA, automation, and protocol-testing environments where accurate, non-intrusive monitoring is essential.

Key Features:

• Dual independent monitoring channels
  The cable provides two separate monitoring outputs, allowing you to capture data from both directions of an RS-232 communication session (master-to-slave and slave-to-master) simultaneously.
• Integrated LED activity indicators
  Built-in LEDs show real-time signal activity, making it easy to visually confirm that communication is occurring and helping technicians quickly identify idle or fault conditions.
• USB-to-dual-RS-232 interface included
  The cable assembly includes a USB adapter that exposes two RS-232 ports. This makes it simple to connect the monitoring cable to a PC or laptop without needing additional hardware.
• Non-intrusive design
  The monitor cable is passive — meaning it does not interfere with or modify the electrical characteristics of the RS-232 link. The monitored devices continue communicating normally while the PC captures a clean copy of all traffic.
• Optimized for protocol analysis tools
  The cable is intended for use with protocol test software, enabling detailed inspection of full-duplex traffic, timing, message direction, and protocol layer decoding.

Typical Use Case:

The cable is inserted in parallel with an existing RS-232 connection between two devices. The live devices continue communicating normally, while the two monitoring outputs feed into analysis software on a PC. Engineers can observe command/response sequences, verify timing, diagnose communication faults, or capture data for debugging protocols such as Modbus RTU, DNP3, or IEC 60870-5-101.

Why It’s Valuable:

• Ensures accurate capture of both directions of RS-232 communication
• Ideal for troubleshooting and commissioning industrial serial networks
• Provides visual feedback via LED indicators
• Eliminates the need for building custom tap cables
• Suitable for lab, field, and SCADA environments

Data-Converters RS-232 Full-Duplex Monitor / Control Cable

The Data-Converters RS-232 Full-Duplex Monitor/Control Cable is a professional diagnostic cable designed for capturing and analyzing complete RS-232 communication, including both data directions and all control lines. It is especially useful for engineers working with SCADA systems, industrial serial devices, and Modbus RTU over RS-232.

Key Features:

• Full 9-wire RS-232 monitoring
  The cable supports all standard RS-232 signal lines: TX, RX, GND, CTS, RTS, DTR, DSR, DCD, and RI. This makes it ideal for troubleshooting complex serial interfaces that rely on hardware handshaking.
• Full-duplex capture
  It allows simultaneous monitoring of both directions of communication (device-to-host and host-to-device), ensuring you see the complete protocol exchange without missing any part of the conversation.
• Includes multiple cable segments
  The assembly typically includes:
  • one straight-through RS-232 cable for the live connection between devices
  • two separate monitor cables that allow a PC or analyzer to observe both transmit and receive paths independently.
• Non-intrusive monitoring
  The cable is designed as a passive monitoring tool. It does not interfere with or alter the behavior of the live RS-232 link, ensuring the communication remains stable and accurate.
• Industrial-grade construction
  Made with durable shielding and high-quality connectors, the cable is suitable for field commissioning, laboratory use, and long-term service environments.
• Ideal for protocol analysis
  Perfect for diagnosing timing issues, handshake failures, incomplete responses, or protocol-level faults in systems using RS-232 communication.

Typical Use Case:

Place the straight-through RS-232 cable between the two devices you want to monitor. Then, connect your analyzer or laptop to the two monitor ports. This lets you observe both TX and RX lines in real time, allowing you to track message flow, verify protocol behavior, diagnose CRC or framing issues, and detect misconfigured devices.

Why It’s Valuable:

• Allows full visibility into RS-232 communication
• Helps diagnose both data and control-signal issues
• Saves time during commissioning, debugging, and maintenance
• Eliminates the need for custom-built monitoring cables
• Trusted in automation, instrumentation, and industrial control environments

CommFront Full-Duplex RS-232 Monitor / Control Cable

The CommFront Full-Duplex RS-232 Monitor / Control Cable is a professional-grade diagnostic cable designed specifically for monitoring, analyzing, and troubleshooting RS-232 communication. It allows you to observe full-duplex serial traffic without interrupting the connection between two devices — ideal for SCADA systems, industrial automation, and embedded device testing.

Key Features:

• Full 9-wire RS-232 support: Handles all standard RS-232 signals, including TX, RX, GND, CTS, RTS, DTR, DSR, DCD, and RI.
• Multiple break-out connectors: Includes one main DB9-male connector for the live RS-232 link, plus two DB9-female monitor connectors to observe both transmit and receive lines independently.
• Non-intrusive monitoring: Allows engineers to passively monitor serial communication without affecting timing or data flow.
• High-quality construction: Machine-made, shielded, and designed for reliable operation in industrial environments.
• Temperature-resistant: Rated for operating conditions roughly between –40 °C and +85 °C, making it suitable for harsh field environments.
• Ideal for protocol analysis: Perfect for capturing full-duplex RS-232 traffic, handshake behavior, timing deviations, or protocol-level issues such as Modbus RTU frame problems.
• Includes multiple cable lengths: Typically supplied with a main straight-through RS-232 cable plus two shorter monitor leads for easy analyzer connection.
• Rugged and reliable: Manufactured under strict quality control and designed for long service life in industrial and laboratory environments.

Use Case:

Connect the main cable between your RS-232 master and slave devices. Then attach your analyzer, laptop, or monitoring tool to the two monitor connectors. This setup allows you to view TX and RX lines separately in real time, making it ideal for troubleshooting communication failures, CRC issues, or protocol timing problems.

Docklight Tap 485 (RS-485 / RS-422 + RS-232 Monitoring)

The Docklight Tap 485 is a high-accuracy hardware monitoring tool designed primarily for RS-485 (2-wire) and RS-422 (4-wire) differential serial communication. It also supports RS-232 monitoring, making it a versatile option for engineers who work with multiple serial standards.

It is a passive tap device, meaning it allows you to observe live communication on a serial bus without interrupting or altering the signals. This makes it ideal for analyzing Modbus RTU traffic on multi-drop RS-485 networks or point-to-point RS-232 links.

Key features include:

• High-precision signal capture for differential RS-485 and RS-422 buses
• Passive monitoring that does not interfere with network communication
• Support for RS-232 monitoring when used in that mode
• Clear visibility of TX/RX activity, timing, and bus behavior
• Ideal for troubleshooting, commissioning, and protocol decoding using serial analysis software

For active communication (sending or receiving RS-485/422 data), Docklight recommends using a standard USB-to-RS-485/422 interface while the Tap 485 remains dedicated to monitoring.

Why Monitoring Cables Require Protocol Analyzer Software

Monitoring cables (RS-232, RS-485, RS-422) provide electrical access to the communication lines, but they do not interpret or decode protocol data on their own. To extract meaningful information from captured traffic, engineers must use protocol analyzer software capable of decoding SCADA and industrial communication protocols.

Hardware monitoring + protocol analyzer software = full visibility

A monitoring cable gives you raw TX/RX bytes, but only analyzer software can make sense of it by applying protocol rules, timing interpretation, and frame decoding.

What Protocol Analyzer Software Does

Protocol analyzers allow engineers to:

• Decode Modbus, DNP3, IEC-101/104, IEC 61850, and custom protocols
• Identify frame boundaries, CRC errors, and malformed packets
• Analyze timing gaps, retries, and handshaking behavior
• Display requests and responses in a clear, human-readable format
• Pinpoint communication faults, timeouts, and misconfigurations
• Export logs for commissioning, debugging, and cybersecurity analysis

Without a decoder, you’d only see a raw stream of bytes — not usable for diagnostics.

Recommended Protocol Analyzer Tools

TMW Test Tools – Best for Both Serial and TCP/IP Protocols

The Test Harness tool from Triangle MicroWorks supports a “monitor mode (listen only)” for serial or TCP/IP network traffic — enabling passive capture and decoding of protocol frames without interfering with live communication.

Axon Test 5 (by Axon Group)

The Axon Test tool from Axon Group includes a “Monitor” component that allows frame-level capture on serial and Ethernet channels, with detailed protocol decoding and logging for debugging and diagnostics.

Conclusion

Whether you are using Wireshark with port mirroring for TCP/IP-based protocols (Modbus TCP, IEC-104, DNP3 TCP), or RS-232/RS-485 taps and analyzers for serial protocols (Modbus RTU, IEC-101, DNP3 Serial), traffic monitoring provides complete visibility into your SCADA communication system.

By deploying the right combination of tools — serial monitor cables, RS-485 taps, and network analyzers — engineers can diagnose problems faster, ensure correct system behavior, and significantly improve the reliability and security of industrial control networks.