
# Kusanagi Kajiki 草薙カジキ
Passive ICS/SCADA network discovery and topology visualization for OT security assessments.

Demo

Passive discovery of ICS/SCADA devices from a PCAP capture — topology visualization, protocol identification, and device fingerprinting in action.
What is Kusanagi Kajiki?
Kusanagi Kajiki is a ground-up rewrite of the NSA's GRASSMARLIN (archived 2023), rebuilt from scratch with a Rust backend (Tauri 2.0) and SvelteKit frontend. It passively discovers and maps Industrial Control System (ICS) and SCADA network devices by analyzing network traffic captures and integrating data from external security tools.
In operational technology environments, active scanning can crash PLCs and disrupt physical processes. Assessors need visibility into OT networks without generating a single packet. Kusanagi Kajiki operates in passive-only mode — it observes captured traffic, identifies devices and protocols, maps network topology, and flags security concerns, all without touching the production network.
The tool achieves full feature parity with GRASSMARLIN 3.2 and extends well beyond it with MITRE ATT&CK for ICS detection (40+ rules), Purdue Model enforcement, deep protocol analysis for 10 protocols, ICS malware behavioral detection, CVE matching, IEC 62443/NIST 800-82/NERC CIP compliance mapping, 7 external tool importers, professional PDF reporting, SBOM/STIX export, baseline drift detection, and a modern dark/light UI.
Key Features
Network Discovery
- Multi-PCAP import with simultaneous file processing and per-packet origin tracking
- Live capture with real-time streaming topology updates, pause/resume, ring buffer, and PCAP save
- 19+ protocol detection by port, payload signature, and deep packet inspection
- Connection tracking with packet/byte counts, timestamps, and protocol classification
Topology Visualization
- Logical view — fcose + Purdue layered layout with subnet grouping, compound nodes, filtered sub-views, and watch tabs
- Physical view — Multi-vendor switch/port topology (Cisco, Juniper, HP/Aruba, generic CSV/JSON) plus traffic-inferred topology
- Mesh view — All-to-all connection matrix with protocol and time filters
- Timeline scrubber — Replay topology construction chronologically with playback controls
- Purdue overlay — Horizontal bands by Purdue level (L0–L5 + DMZ) with cross-zone edge highlighting
Deep Protocol Analysis
- Modbus — MBAP parsing, function code extraction, FC 43/14 Device ID, master/slave detection, register ranges, polling intervals
- DNP3 — Link layer validation, function code extraction, master/outstation detection, unsolicited response flagging
- EtherNet/IP + CIP — Encapsulation header parsing, ListIdentity device identification (vendor/product/serial/firmware), CIP service and class analysis, scanner/adapter role detection
- S7comm — TPKT/COTP/S7 layered parsing, function code identification (read/write/upload/download/stop), rack/slot extraction, SZL identity queries, client/server role detection
- BACnet — BVLCI/NPDU/APDU parsing, I-Am broadcast extraction (device instance/vendor), service identification, client/server role detection
- IEC 60870-5-104 — APCI frame classification (I/S/U), ASDU type identification, command vs monitoring classification, master/outstation role detection
- PROFINET DCP — TLV device discovery, name/vendor/device ID/IP/role extraction from Identify responses
- LLDP — Chassis/port/system name, management address, capability flags for infrastructure identification
- SNMP — Community string extraction (v1/v2c), GET-Response device identity (sysDescr, sysName, sysLocation)
- Ring Redundancy — MRP, RSTP, HSR, PRP, DLR protocol detection and ring topology identification
Device Identification
- 30 YAML signatures covering ICS protocols and vendor-specific patterns
- MAC OUI vendor lookup — IEEE OUI database (~30k entries)
- GeoIP enrichment — Country identification for public IPs
- CIP/PROFINET/BACnet vendor ID lookup — Protocol-specific vendor identification tables
- Confidence scoring — 5-level system: port (1) < pattern (2) < OUI (3) < payload (4) < deep parse (5)
- Hot-reloadable signature editor with CodeMirror 6 and live test runner
- SNMP device identity — sysDescr, sysName, sysLocation, sysContact extraction from GET-Response
- Infrastructure classification — Managed switch, router, firewall, AP role identification from LLDP/SNMP
Security Analysis
- MITRE ATT&CK for ICS — 40+ automated detection rules across 10+ techniques including T0855 (unauthorized commands), T0836 (firmware modification), T0843/T0845 (program download/upload), T0809 (data destruction), T0816 (device shutdown), T0814 (DoS), T0856 (alarm suppression), T0886 (cross-zone), T0846 (discovery), T0811 (comm control)
- Context-aware detections — 18 additional rules that analyze the full network state: unauthorized engineering workstations, rogue SCADA masters, lateral OT movement, abnormal protocol usage
- ICS malware detection — Behavioral signatures for FrostyGoop, PIPEDREAM/INCONTROLLER, and Industroyer2
- CVE matching — OT-focused CVE database with vendor/product/firmware matching and CVSS severity
- Purdue Model — Auto-assigns Purdue levels (L1-L4) based on observed behavior and protocol roles, detects cross-zone violations
- Compliance mapping — Findings mapped to IEC 62443 zones/conduits, NIST SP 800-82, and NERC CIP controls
- Communication pattern analysis — Per-connection statistics (interval, jitter, periodicity), pattern anomaly flagging
- Anomaly scoring — Polling interval deviations, role reversals, unexpected public IPs
- Default credential warnings — 35-entry ICS vendor database
- Asset criticality scoring — Critical/High/Medium/Low based on device role and protocol exposure
- Switch security assessment — Port security, BPDU guard, DHCP snooping, ARP inspection analysis
- Ring redundancy detection — MRP/RSTP/HSR/PRP/DLR topology identification
- Flat network detection — Single-subnet environments flagged as critical findings
- Cleartext protocol audit — Unencrypted ICS protocol identification with encryption percentage
- Internet exposure analysis — Public IPs on OT devices flagged with severity
External Tool Integration
- Zeek — Import conn.log, modbus.log, dnp3.log, s7comm.log with per-device event drill-down
- Suricata — Import EVE JSON (flow and alert events) with alert–device correlation
- Nmap/Masscan — Import scan results with
[active-scan] tagging
- Wazuh — HIDS/SIEM alert import (JSON line-delimited + array) with device correlation
- Siemens SINEMA Server — CSV inventory import
- Siemens TIA Portal — Project XML import
- Wireshark — Auto-detect, right-click to open, frame-level inspection
Reporting & Export
- PDF assessment reports — Professional reports with executive summary, asset inventory, findings, recommendations
- CSV/JSON export — Assets, connections, topology data
- SBOM — CISA BOD 23-01 aligned software bill of materials
- STIX 2.1 — Threat intelligence bundles
- Filtered PCAP export — Export packets matching IP/port filters
- Remediation priority list — Ranked findings with ATT&CK→remediation mapping, CSV export
- Communication allowlist — Flow classification with firewall rule generation
Session & Project Management
- SQLite persistence — Save/load sessions with full asset history
.kkj archives — Portable ZIP-based session format
- Baseline drift detection — Compare assessments, quantified drift score, new/missing/changed assets
- Project/engagement management — Named engagements with metadata, session scoping
Advanced
- Dark/light/system theme — Persistent preference with OS detection
- CLI —
--open <file> (PCAP or .kkj), --import-pcap <path>
- Plugin architecture — Manifest-based plugin discovery
Beyond GRASSMARLIN
| Capability |
GRASSMARLIN 3.2 |
Kusanagi Kajiki |
| Signature format |
XML (opaque) |
YAML (human-readable, git-friendly) |
| Security analysis |
None |
ATT&CK for ICS (40+ rules) + Purdue + anomaly + CVE + malware |
| Deep protocol parsing |
Limited |
10 protocols with full dissection |
| ICS malware detection |
None |
FrostyGoop, PIPEDREAM, Industroyer2 behavioral detection |
| CVE matching |
None |
OT-focused CVE database with vendor/product/firmware matching |
| Compliance mapping |
None |
IEC 62443, NIST 800-82, NERC CIP |
| External tool integration |
None |
Zeek, Suricata, Nmap, Masscan, Wazuh, SINEMA, TIA Portal |
| Reporting |
None |
PDF assessment reports + remediation priority lists |
| Compliance export |
None |
SBOM (CISA BOD 23-01), STIX 2.1 |
| Baseline comparison |
None |
Session drift detection with scoring |
| Physical topology |
Cisco only |
Cisco, Juniper, HP/Aruba, generic CSV/JSON + traffic inference |
| Communication analysis |
None |
Per-connection stats, jitter, periodicity, allowlisting |
| Session format |
XML archives |
SQLite + portable .kkj ZIP + project management |
| Default credential check |
None |
35-entry ICS vendor database |
| Redundancy detection |
None |
MRP/RSTP/HSR/PRP/DLR ring topology |
| Theming |
Java Swing |
Modern dark/light CSS custom properties |
| CLI support |
None |
--open, --import-pcap |
| Architecture |
Monolithic Java |
10 Rust crates + SvelteKit frontend |
Supported Protocols
| Protocol |
Port(s) |
Detection |
Standard / Vendor |
| Modbus TCP |
502 |
Deep parse |
Schneider Electric, multi-vendor |
| DNP3 |
20000 |
Deep parse |
IEEE 1815 (utilities, substations) |
| EtherNet/IP (CIP) |
44818, 2222 |
Deep parse |
Rockwell / Allen-Bradley (ODVA) |
| S7comm |
102 |
Deep parse |
Siemens S7 PLCs |
| BACnet/IP |
47808 |
Deep parse |
ASHRAE (building automation) |
| IEC 60870-5-104 |
2404 |
Deep parse |
Power grid SCADA |
| PROFINET DCP |
34962-34964 |
Deep parse |
Siemens / PROFIBUS International |
| LLDP |
— |
Deep parse |
IEEE 802.1AB (network infrastructure) |
| SNMP |
161, 162 |
Deep parse |
Network management |
| Ring Redundancy |
— |
Deep parse |
MRP / RSTP / HSR / PRP / DLR |
| OPC UA |
4840 |
Port + Signature |
OPC Foundation |
| MQTT |
1883, 8883 |
Port |
IIoT gateways |
| HART-IP |
5094 |
Port |
Process instrumentation |
| Foundation Fieldbus HSE |
1089-1091 |
Port |
Process automation |
| GE SRTP |
18245-18246 |
Port + Signature |
GE Automation PLCs |
| Wonderware SuiteLink |
5007 |
Port + Signature |
AVEVA / Wonderware |
Screenshots
Installation
Quick start: Clone → npm install → drop a PCAP in tests/pcaps/ → npm run tauri dev → import the PCAP from the Capture tab.
Quick Reference — Platform Dependencies
| Platform |
System Dependencies |
Special Notes |
| Fedora/RHEL |
libpcap-devel webkit2gtk4.1-devel libsoup3-devel javascriptcoregtk4.1-devel |
Primary dev platform |
| Ubuntu/Debian |
libpcap-dev libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf |
|
| macOS |
brew install libpcap + Xcode CLI tools |
|
| Windows |
VS C++ Build Tools + Npcap (WinPcap mode) + Npcap SDK |
Set LIB env var to SDK Lib/x64 path |
Fedora / RHEL (primary development platform)
sudo dnf install libpcap-devel webkit2gtk4.1-devel libsoup3-devel javascriptcoregtk4.1-devel
git clone https://github.com/TheSecurityLead/KusanagiNoKajiki.git
cd KusanagiNoKajiki
npm install
npm run build
npm run tauri dev
Ubuntu / Debian
sudo apt install libpcap-dev libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
git clone https://github.com/TheSecurityLead/KusanagiNoKajiki.git
cd KusanagiNoKajiki
npm install
npm run build
npm run tauri dev
macOS
brew install libpcap
xcode-select --install
git clone https://github.com/TheSecurityLead/KusanagiNoKajiki.git
cd KusanagiNoKajiki
npm install
npm run build
npm run tauri dev
Windows
Prerequisites (install in order):
1. Visual Studio C++ Build Tools — "Desktop development with C++" workload
2. Rust via rustup.rs (stable-x86_64-pc-windows-msvc)
3. Npcap — check "Install Npcap in WinPcap API-compatible Mode", download SDK, set LIB to SDK Lib\x64
4. Node.js LTS
git clone https://github.com/TheSecurityLead/KusanagiNoKajiki.git
cd KusanagiNoKajiki
npm install
npm run build
npm run tauri dev
If npm install fails with ERESOLVE, see Troubleshooting below.
Live Capture Without Root (Linux)
sudo setcap cap_net_raw,cap_net_admin=eip src-tauri/target/release/kusanaginokajiki
Quick Start
- Import a PCAP — Capture tab → Import PCAP File(s)
- Explore topology — Topology tab → interactive graph grouped by