Abstract
Reliable protocol knowledge is often difficult to obtain in industrial networks, as industrial communications come with limited documentation, vendor-specific encodings, and opaque payloads. This lack of transparency hinders message interpretation and protocol analysis. To recover this missing protocol knowledge, network-trace-based protocol reverse engineering (PRE) infers message structure, field roles, and interaction logic directly from recorded traces. This enables protocol-aware intrusion detection, process monitoring, and protocol testing and fuzzing without access to device internals. Although PRE has advanced rapidly, existing techniques are developed under diverse objectives and assumptions. As a result, it is often unclear how isolated results relate to an end-to-end reverse-engineering workflow, and how evaluation outcomes should be compared across tasks and protocols. In this article, we cast reverse engineering of industrial protocols from network traces as a task-driven pipeline and articulate a unified task decomposition spanning message type identification, protocol syntax and semantic inference, payload pattern recognition and semantic inference, and protocol state machine reconstruction. For each task, we describe key methodological themes, common evaluation practices, and practical limitations that affect robustness and deployability in industrial settings. We further discuss security, privacy, and ethical risks that accompany increasingly capable PRE, and identify promising research directions toward more systematic, dependable, and deployment-oriented PRE methodologies.
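The task decomposition in the abstract (message type identification, syntax and field inference, semantic inference, and state machine reconstruction) is easier to picture on a concrete trace. The script below is an added illustration written for this page; it is not code from the article or from any PRE tool it surveys. The eight-message trace and its wire format (a hypothetical one-byte type code, a two-byte sequence number, and a type-specific body) are constructed for the example, and each stage uses a deliberately simple exact-offset heuristic where published PRE methods would use sequence alignment, clustering, or statistical field typing.

```python
"""Toy trace-based protocol reverse engineering (PRE) pipeline.

Added example, not the article's code. The message format below is
constructed for illustration: type byte | 2-byte seq | type-specific body.
"""
from collections import Counter, defaultdict

# Constructed trace of (direction, raw bytes); the format is hypothetical.
TRACE = [
    ("c2s", bytes([0x01, 0x00, 0x01, 0x10, 0x00])),                  # read request
    ("s2c", bytes([0x81, 0x00, 0x01, 0x10, 0x00, 0x00, 0x2A])),      # read response
    ("c2s", bytes([0x01, 0x00, 0x02, 0x10, 0x02])),
    ("s2c", bytes([0x81, 0x00, 0x02, 0x10, 0x02, 0x00, 0x07])),
    ("c2s", bytes([0x02, 0x00, 0x03, 0x10, 0x04, 0x00, 0x63])),      # write request
    ("s2c", bytes([0x82, 0x00, 0x03, 0x00])),                        # write ack
    ("c2s", bytes([0x01, 0x00, 0x04, 0x10, 0x04])),
    ("s2c", bytes([0x81, 0x00, 0x04, 0x10, 0x04, 0x00, 0x63])),
]


def infer_type_position(msgs):
    """Task 1: message type identification.

    Heuristic: the lowest byte offset that is not constant across the trace
    and whose value determines the message length is the type/opcode field.
    """
    min_len = min(len(m) for m in msgs)
    for pos in range(min_len):
        if len({m[pos] for m in msgs}) < 2:
            continue  # constant byte cannot discriminate types
        lengths = defaultdict(set)
        for m in msgs:
            lengths[m[pos]].add(len(m))
        if all(len(s) == 1 for s in lengths.values()):
            return pos
    return None


def cluster_by_type(msgs, pos):
    """Group messages by the value at the inferred type offset."""
    groups = defaultdict(list)
    for m in msgs:
        groups[m[pos]].append(m)
    return dict(groups)


def infer_fields(group):
    """Task 2: syntax inference within one type: each byte offset is
    labelled 'const' (same in every message) or 'var' (changes)."""
    n = min(len(m) for m in group)
    return ["const" if len({m[p] for m in group}) == 1 else "var" for p in range(n)]


def infer_echo_fields(trace):
    """Task 3: semantic inference. Offsets copied unchanged from every request
    into the response that immediately follows it, and which vary across the
    trace, are transaction/sequence identifier candidates."""
    pairs = [(trace[i][1], trace[i + 1][1]) for i in range(len(trace) - 1)
             if trace[i][0] == "c2s" and trace[i + 1][0] == "s2c"]
    common = None
    for req, rsp in pairs:
        same = {p for p in range(min(len(req), len(rsp))) if req[p] == rsp[p]}
        common = same if common is None else common & same
    msgs = [m for _, m in trace]
    return sorted(p for p in (common or set())
                  if len({m[p] for m in msgs if p < len(m)}) > 1)


def infer_state_machine(trace, type_pos):
    """Task 4: state machine reconstruction as counted transitions between
    consecutive message types (START is a synthetic initial state)."""
    transitions = Counter()
    prev = "START"
    for _, m in trace:
        cur = f"{m[type_pos]:#04x}"
        transitions[(prev, cur)] += 1
        prev = cur
    return transitions


def run_pipeline(trace):
    """Run all four tasks over a trace and return the inferred model."""
    msgs = [m for _, m in trace]
    type_pos = infer_type_position(msgs)
    groups = cluster_by_type(msgs, type_pos)
    return {
        "type_pos": type_pos,
        "fields": {t: infer_fields(g) for t, g in groups.items()},
        "echo_fields": infer_echo_fields(trace),
        "transitions": infer_state_machine(trace, type_pos),
    }


if __name__ == "__main__":
    for k, v in run_pipeline(TRACE).items():
        print(k, v)
```

On the constructed trace the pipeline recovers offset 0 as the type field, labels offsets 2 and 4 of the read request as variable, identifies offset 2 as the echoed sequence identifier, and counts three request-to-response transitions for the read pair. The same exact-offset heuristics fail on protocols with variable-length or shifted fields, which is precisely why the field-alignment and robustness questions the article raises matter for deployment.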