Asset Inventory
Passive device discovery from observed network traffic.
Overview
Rockfish builds an asset inventory by analyzing network flow patterns, extracting DHCP metadata, and inferring device roles — all without agents or active scanning.
Capabilities
| Feature | Description |
|---|---|
| IP Tracking | All observed IPs with communication patterns and protocol usage |
| DHCP Metadata | MAC address, hostname, vendor class ID extraction |
| Device Role Inference | Automatic classification based on traffic patterns |
| New Device Detection | Flags IPs not present in baseline |
| OT Protocol Awareness | Identifies industrial protocol usage |
| Inventory Snapshots | Periodic snapshots written to Parquet |
Inferred Device Roles
| Role | Detection Criteria |
|---|---|
| PLC | Modbus, DNP3, EtherNet/IP, or S7comm traffic |
| HMI | Mixed OT and standard protocols |
| Sensor | Read-only OT protocol patterns |
| Engineering Workstation | OT + administrative protocols |
| Server | Listening on well-known ports |
| Client | Outbound-initiated connections |
OT Protocol Support
| Protocol | Description |
|---|---|
| Modbus | Industrial serial communication |
| DNP3 | Distributed Network Protocol |
| MQTT | IoT message queuing |
| BACnet | Building automation |
| EtherNet/IP | Industrial Ethernet |
| S7comm | Siemens S7 communication |
| OPC UA | Open Platform Communications |
| IEC 104 | Telecontrol protocols |
Report Integration
The Inventory report page displays:
- Device list with inferred roles and protocol usage
- New/unknown device alerts
- OT protocol traffic summary
- First-seen and last-seen timestamps
- Communication pattern metrics (connection count, bytes)