
Install cyprobe

System requirements

Cyprobe captures raw network frames in passive mode and crafts protocol-level packets in active mode. Both require elevated privileges:

  • Linux: run as root, or grant the binary CAP_NET_RAW + CAP_NET_ADMIN:
    sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/cyprobe
  • macOS: run with sudo. BPF device access is required for packet capture.
  • Windows: not supported. OT networks overwhelmingly run Linux-based appliances.

Minimum: 64 MB RAM, 10 MB disk. No runtime dependencies beyond libc.

Cargo (from source)

Requires Rust 1.75+.

cargo install --git https://github.com/cybrium-ai/cyprobe cyprobe

Clone the rule pack separately -- cargo does not bundle it:

git clone https://github.com/cybrium-ai/cyprobe /tmp/cyprobe
export CYPROBE_RULES=/tmp/cyprobe/rules

Add the export to your shell rc file. Without it the binary, which cargo installs to ~/.cargo/bin, has no rules/ directory beside it and reports Rules: 0.

Build from source

git clone https://github.com/cybrium-ai/cyprobe
cd cyprobe
cargo build --release

The binary lands at target/release/cyprobe. Copy it and the rules/ directory to your target machine, keeping rules/ beside the binary (or at ../share/cyprobe/rules relative to it) so it is found without setting CYPROBE_RULES.

Cross-compile for ARM

OT gateways (Moxa, Advantech, generic ARM SBCs) typically run aarch64-unknown-linux-gnu or armv7-unknown-linux-gnueabihf.

# Install the cross-compilation toolchain
rustup target add aarch64-unknown-linux-gnu
sudo apt install gcc-aarch64-linux-gnu

# Build
CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER=aarch64-linux-gnu-gcc \
cargo build --release --target aarch64-unknown-linux-gnu

The gnu target above produces a dynamically linked binary that needs a compatible glibc on the gateway. If you would rather ship a binary with no libc dependency, build for the musl target instead; it is statically linked. Cargo still needs a linker for it: the aarch64-linux-gnu-gcc installed above usually serves as the link driver, because Rust bundles musl's own startup objects and libc for its musl targets, otherwise install a musl cross toolchain and point the variable at that.

rustup target add aarch64-unknown-linux-musl
CARGO_TARGET_AARCH64_UNKNOWN_LINUX_MUSL_LINKER=aarch64-linux-gnu-gcc \
cargo build --release --target aarch64-unknown-linux-musl
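Before copying a cross-compiled binary to a gateway it is worth confirming two things: that it really is for the gateway's architecture, and whether it needs a dynamic loader (and therefore a matching glibc) there. The script below is an added example, not part of cyprobe; it reads the ELF header with od so it works on a build host without file or readelf, handles the little-endian ELF32 (armv7) and ELF64 (aarch64, x86_64) layouts used by the targets on this page, and treats the absence of a PT_INTERP program header as "static". The sample binaries it builds are constructed header-only files, not real cyprobe builds; the fake_elf and put_le helpers exist only to produce them.

```shell
#!/usr/bin/env bash
# Added example (not part of cyprobe): confirm a cross-compiled binary is for
# the gateway's architecture and whether it needs a dynamic loader, by reading
# the ELF header with od. Little-endian ELF32/ELF64 only.
set -eu

# le_uint FILE OFFSET LEN: the bytes at OFFSET as an unsigned little-endian integer.
le_uint() {
    local val=0 bits=0 b
    for b in $(od -An -tu1 -v -j "$2" -N "$3" "$1"); do
        val=$(( val + (b << bits) ))
        bits=$(( bits + 8 ))
    done
    echo "$val"
}

# elf_arch FILE: print aarch64 / arm / x86_64 / i686 / unknown from e_machine.
elf_arch() {
    local f=$1 magic
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    magic=$(echo $(od -An -tu1 -N 4 "$f"))
    [ "$magic" = "127 69 76 70" ] || { echo "$f: not an ELF file" >&2; return 1; }
    [ "$(le_uint "$f" 5 1)" = 1 ] || { echo "$f: big-endian ELF not handled" >&2; return 1; }
    case "$(le_uint "$f" 18 2)" in
        183) echo aarch64 ;;   # EM_AARCH64
        40)  echo arm ;;       # EM_ARM (armv7 -gnueabihf builds)
        62)  echo x86_64 ;;    # EM_X86_64
        3)   echo i686 ;;      # EM_386
        *)   echo unknown ;;
    esac
}

# elf_linkage FILE: "static" if no program header is PT_INTERP (no ld.so needed
# on the target, as with a musl build), "dynamic" otherwise (a -gnu build).
elf_linkage() {
    local f=$1 phoff phentsize phnum i=0
    if [ "$(le_uint "$f" 4 1)" = 2 ]; then           # ELF64 header field offsets
        phoff=$(le_uint "$f" 32 8); phentsize=$(le_uint "$f" 54 2); phnum=$(le_uint "$f" 56 2)
    else                                              # ELF32 header field offsets
        phoff=$(le_uint "$f" 28 4); phentsize=$(le_uint "$f" 42 2); phnum=$(le_uint "$f" 44 2)
    fi
    while [ "$i" -lt "$phnum" ]; do
        if [ "$(le_uint "$f" $(( phoff + i * phentsize )) 4)" = 3 ]; then echo dynamic; return 0; fi
        i=$(( i + 1 ))
    done
    echo static
}

# check_binary FILE EXPECTED_ARCH: print a one-line summary; fail on a mismatch.
check_binary() {
    local f=$1 want=$2 arch
    arch=$(elf_arch "$f") || return 1
    printf '%s: %s, %s\n' "$f" "$arch" "$(elf_linkage "$f")"
    [ "$arch" = "$want" ]
}

# put_le VALUE WIDTH: write VALUE as WIDTH little-endian bytes (sample builder).
put_le() {
    local val=$1 n=$2
    while [ "$n" -gt 0 ]; do
        printf "\\$(printf '%03o' $(( val & 255 )))"
        val=$(( val >> 8 )); n=$(( n - 1 ))
    done
}

# fake_elf CLASS MACHINE OUT PTYPE...: constructed ELF (CLASS 1=32-bit, 2=64-bit)
# with one zeroed program header per PTYPE. Sample input only; it carries no code.
fake_elf() {
    local class=$1 machine=$2 out=$3 w ehsize phentsize t; shift 3
    if [ "$class" = 2 ]; then w=8 ehsize=64 phentsize=56; else w=4 ehsize=52 phentsize=32; fi
    {
        printf '\177ELF'; put_le "$class" 1; put_le 1 1; put_le 1 1; put_le 0 9   # e_ident
        put_le 2 2; put_le "$machine" 2; put_le 1 4                               # e_type, e_machine, e_version
        put_le 0 "$w"; put_le "$ehsize" "$w"; put_le 0 "$w"                      # e_entry, e_phoff, e_shoff
        put_le 0 4; put_le "$ehsize" 2; put_le "$phentsize" 2; put_le $# 2; put_le 0 6
        for t in "$@"; do put_le "$t" 4; put_le 0 $(( phentsize - 4 )); done
    } > "$out"
}

# Constructed samples: an aarch64 ELF64 with PT_LOAD + PT_INTERP (the shape of a
# -gnu build) and an armv7 ELF32 with only PT_LOAD (the shape of a musl build).
demo_dir=$(mktemp -d)
fake_elf 2 183 "$demo_dir/cyprobe-aarch64-gnu" 1 3
fake_elf 1 40  "$demo_dir/cyprobe-armv7-musl" 1
check_binary "$demo_dir/cyprobe-aarch64-gnu" aarch64
check_binary "$demo_dir/cyprobe-armv7-musl" arm
rm -rf "$demo_dir"
# Real use: check_binary target/aarch64-unknown-linux-musl/release/cyprobe aarch64
```

A "dynamic" result for a -gnu build is expected; it only means the gateway's glibc has to be new enough for the symbols the binary imports, which this check does not verify. A musl build should come back "static".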

Raw binary

Release archives are published at github.com/cybrium-ai/cyprobe/releases for:

  • aarch64-unknown-linux-gnu / x86_64-unknown-linux-gnu
  • aarch64-apple-darwin / x86_64-apple-darwin

Each archive contains the cyprobe binary + the rules/ directory.

VERSION=0.1.0
TARGET=x86_64-unknown-linux-gnu
curl -fL "https://github.com/cybrium-ai/cyprobe/releases/download/v${VERSION}/cyprobe_${VERSION}_${TARGET}.tar.gz" \
-o cyprobe.tar.gz
tar xzf cyprobe.tar.gz
sudo mv cyprobe_*/cyprobe /usr/local/bin/
sudo mkdir -p /usr/local/share/cyprobe
sudo mv cyprobe_*/rules /usr/local/share/cyprobe/rules
sudo setcap cap_net_raw,cap_net_admin=eip /usr/local/bin/cyprobe

curl's -f makes a failed download (for example a wrong VERSION or TARGET) exit with an error instead of saving the HTML error page as cyprobe.tar.gz, and the mkdir is needed because mv will not create the share directory. /usr/local/share/cyprobe/rules is the third location cyprobe searches (<exe_dir>/../share/cyprobe/rules relative to /usr/local/bin), so this layout needs no CYPROBE_RULES.
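The same steps as a reusable script, added here as an example and not part of cyprobe's own tooling: it pins the archive's SHA-256 before unpacking, creates the prefix layout that the rules lookup expects, and after setcap reads the capabilities back rather than trusting the exit status. The digest argument is assumed to be one you recorded from a trusted source beforehand; this page does not say whether the release archives come with checksum files, so treat obtaining it as your own step. The archive the script builds for its demonstration is constructed (a stub script and an empty placeholder rule), not a real release.

```shell
#!/usr/bin/env bash
# Added example (not part of cyprobe): install a release archive into a prefix
# with its SHA-256 pinned, then grant and read back the file capabilities.
set -eu

# sha256_of FILE: hex digest via sha256sum (Linux) or shasum (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_cyprobe_archive ARCHIVE PREFIX [EXPECTED_SHA256]
# Installs PREFIX/bin/cyprobe and PREFIX/share/cyprobe/rules, which is the
# <exe_dir>/../share/cyprobe/rules location cyprobe searches on its own.
# With EXPECTED_SHA256 given (assumption: recorded out of band), a mismatching
# archive is refused before anything is unpacked.
install_cyprobe_archive() {
    local archive=$1 prefix=$2 want=${3:-} tmp bin rules
    if [ -n "$want" ] && [ "$(sha256_of "$archive")" != "$want" ]; then
        echo "checksum mismatch: $archive" >&2; return 1
    fi
    tmp=$(mktemp -d)
    tar xzf "$archive" -C "$tmp"
    # The top-level directory name carries version and target, so locate the
    # payload instead of hard-coding it.
    bin=$(find "$tmp" -type f -name cyprobe | head -n 1)
    rules=$(find "$tmp" -type d -name rules | head -n 1)
    if [ -z "$bin" ] || [ -z "$rules" ]; then
        echo "archive lacks the cyprobe binary or the rules/ directory" >&2; rm -rf "$tmp"; return 1
    fi
    mkdir -p "$prefix/bin" "$prefix/share/cyprobe"      # a plain mv fails if these are missing
    install -m 0755 "$bin" "$prefix/bin/cyprobe"        # replaces the file: old file caps are gone
    rm -rf "$prefix/share/cyprobe/rules"
    cp -R "$rules" "$prefix/share/cyprobe/rules"
    rm -rf "$tmp"
    echo "$prefix/bin/cyprobe"
}

# grant_caps BINARY: give the file CAP_NET_RAW + CAP_NET_ADMIN and read them
# back with getcap. Needs root and libcap's tools. Repeat after every upgrade:
# capabilities belong to the file, and a replaced file starts with none.
grant_caps() {
    local bin=$1
    setcap cap_net_raw,cap_net_admin=eip "$bin"
    case "$(getcap "$bin")" in
        *cap_net_admin*cap_net_raw*) return 0 ;;
        *) echo "capabilities did not stick on $bin" >&2; return 1 ;;
    esac
}

# build_sample_archive DIR: constructed archive in the release layout
# (cyprobe_VERSION_TARGET/cyprobe + rules/). The "binary" is a stub script and
# the rule file an empty placeholder, not a real rule.
build_sample_archive() {
    local name=cyprobe_0.1.0_x86_64-unknown-linux-gnu
    mkdir -p "$1/$name/rules"
    printf '#!/bin/sh\necho "cyprobe 0.1.0 (stub)"\n' > "$1/$name/cyprobe"
    : > "$1/$name/rules/placeholder.rule"
    tar czf "$1/cyprobe.tar.gz" -C "$1" "$name"
    echo "$1/cyprobe.tar.gz"
}

work=$(mktemp -d)
archive=$(build_sample_archive "$work")
digest=$(sha256_of "$archive")        # in real use: the digest you recorded beforehand
installed=$(install_cyprobe_archive "$archive" "$work/prefix" "$digest")
ls -l "$installed" "$work/prefix/share/cyprobe/rules"
if [ "$(id -u)" = 0 ] && command -v setcap >/dev/null 2>&1; then grant_caps "$installed"; fi
rm -rf "$work"
# Real use, as root:
#   install_cyprobe_archive cyprobe.tar.gz /usr/local "$RECORDED_SHA256" && grant_caps /usr/local/bin/cyprobe
```

The getcap read-back is the part people skip: setcap itself succeeding tells you nothing after the next cargo install or untar silently replaces the file, so make the check part of your upgrade routine.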

Verify your install

cyprobe --version
cyprobe rules list

The first command should print cyprobe 0.1.0. The second should list the 10 seed rules.

Troubleshooting

Permission denied or Operation not permitted

You need raw socket access. Either run with sudo or set capabilities on the binary. File capabilities belong to the file, not the program name, so they vanish whenever the binary is replaced (a fresh cargo install, a new release untarred over the old one); re-run setcap after every upgrade.

sudo setcap cap_net_raw,cap_net_admin=eip $(which cyprobe)

Rules: 0

Cyprobe searches for rules in this order:

  1. $CYPROBE_RULES env var
  2. <exe_dir>/rules
  3. <exe_dir>/../share/cyprobe/rules

Point $CYPROBE_RULES at the rules/ directory from the repo if none of these match. Two common causes of Rules: 0 when the variable is set: cargo install put the binary in ~/.cargo/bin, where nothing is beside it, and the export lives in your shell rc; or you run cyprobe under sudo, which resets the environment by default, so the variable never reaches the process. Pass it through sudo explicitly, or use the setcap route so sudo is not needed.
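To see which directory a particular binary will actually pick up, replay the lookup order yourself. The function below is an added example, not part of cyprobe; it assumes cyprobe derives <exe_dir> from the binary's real location (so the directory is canonicalised with pwd -P) and that a candidate that does not exist is simply skipped. The sample layout it builds is constructed: an empty stand-in for the binary and an empty placeholder rule file.

```shell
#!/usr/bin/env bash
# Added example (not part of cyprobe): replay the three-step rules lookup for a
# given binary so a "Rules: 0" can be traced to the directory that is missing.
set -eu

# cyprobe_rules_dir EXE: print "<source> <directory> (<n> files)" for the first
# candidate that exists, in cyprobe's documented order; otherwise list what was
# checked on stderr and return 1.
cyprobe_rules_dir() {
    local exe=$1 exe_dir src dir n
    exe_dir=$(cd "$(dirname "$exe")" && pwd -P)
    if [ -n "${CYPROBE_RULES:-}" ] && [ ! -d "$CYPROBE_RULES" ]; then
        echo "warning: CYPROBE_RULES=$CYPROBE_RULES is set but is not a directory" >&2
    fi
    for src in CYPROBE_RULES exe_dir/rules exe_dir/../share/cyprobe/rules; do
        case $src in
            CYPROBE_RULES) dir=${CYPROBE_RULES:-} ;;
            exe_dir/rules) dir=$exe_dir/rules ;;
            *)             dir=$exe_dir/../share/cyprobe/rules ;;
        esac
        if [ -n "$dir" ] && [ -d "$dir" ]; then
            n=$(find "$dir" -type f | wc -l | tr -d ' ')
            echo "$src $dir ($n files)"
            return 0
        fi
        echo "  not found: $src -> ${dir:-<unset>}" >&2
    done
    echo "no rules directory found: set CYPROBE_RULES to the repo's rules/ directory" >&2
    return 1
}

# build_sample_layout DIR: constructed install tree with rules only under
# share/, so the third candidate is the one that matches.
build_sample_layout() {
    mkdir -p "$1/bin" "$1/share/cyprobe/rules"
    : > "$1/bin/cyprobe"                          # stand-in for the binary
    : > "$1/share/cyprobe/rules/placeholder.rule" # placeholder, not a real rule
    echo "$1/bin/cyprobe"
}

demo=$(mktemp -d)
exe=$(build_sample_layout "$demo")
( unset CYPROBE_RULES; cyprobe_rules_dir "$exe" )
rm -rf "$demo"
# Against a real install: cyprobe_rules_dir "$(command -v cyprobe)"
```

Run it in the same way you run cyprobe: if that is under sudo, the environment is reset unless you pass the variable through, for example sudo env CYPROBE_RULES="$CYPROBE_RULES" cyprobe ... (or sudo --preserve-env=CYPROBE_RULES), which is exactly the case the function's warning line is meant to expose.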

Next step