Listening mode
Cysense operates in passive mode by default — it captures and analyzes traffic without injecting any packets into the network.
Start listening
sudo cysense listen --interface eth0
Duration-limited capture
# Capture for 1 hour, then stop
sudo cysense listen --interface eth0 --duration 3600
BPF filtering
Apply Berkeley Packet Filter expressions to narrow captured traffic:
# Only Modbus traffic
sudo cysense listen --interface eth0 --filter "tcp port 502"
# Only HL7 traffic
sudo cysense listen --interface eth0 --filter "tcp port 2575"
# Only DICOM traffic
sudo cysense listen --interface eth0 --filter "tcp port 104"
Promiscuous mode
Capture all traffic on the network segment, not just packets addressed to this interface:
sudo cysense listen --interface eth0 --promisc
Anomaly detection
Enable anomaly detection to flag unusual traffic patterns:
sudo cysense listen --interface eth0 --anomaly
Anomalies include:
- New devices appearing on the network
- Protocol violations (malformed packets)
- Traffic to unexpected ports
- Unusual data volumes from OT devices
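To make three of these categories concrete (new devices, unexpected ports, unusual volumes), here is an added Python sketch that compares live flows against a baseline. It is not cysense code and does not reflect its output schema. The record fields (`src`, `dport`, `bytes`), the 3-sigma threshold and the port allowlist are assumptions, and the flow records are constructed.

```python
# Added illustration: NOT cysense code and NOT its output schema.
# Field names are hypothetical; all flow records below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Assumed allowlist: the ports this page filters on (Modbus, HL7, DICOM).
EXPECTED_PORTS = {502, 2575, 104}

def detect(baseline, live, sigma=3.0):
    """Return (kind, src, detail) findings for `live` flows relative to `baseline`."""
    known = {f["src"] for f in baseline}
    volumes = defaultdict(list)
    for f in baseline:
        volumes[f["src"]].append(f["bytes"])
    findings, reported_new = [], set()
    for f in live:
        src = f["src"]
        # New device: a source never seen during the baseline window.
        if src not in known and src not in reported_new:
            findings.append(("new_device", src, None))
            reported_new.add(src)
        # Unexpected port: destination port outside the allowlist.
        if f["dport"] not in EXPECTED_PORTS:
            findings.append(("unexpected_port", src, f["dport"]))
        # Unusual volume: needs at least two baseline samples for this source.
        hist = volumes.get(src, [])
        if len(hist) >= 2:
            limit = mean(hist) + sigma * max(pstdev(hist), 1.0)
            if f["bytes"] > limit:
                findings.append(("unusual_volume", src, f["bytes"]))
    return findings

BASELINE = [
    {"src": "10.0.0.5", "dport": 502, "bytes": 120},
    {"src": "10.0.0.5", "dport": 502, "bytes": 130},
    {"src": "10.0.0.5", "dport": 502, "bytes": 110},
    {"src": "10.0.0.9", "dport": 104, "bytes": 4000},
    {"src": "10.0.0.9", "dport": 104, "bytes": 4200},
]
LIVE = [
    {"src": "10.0.0.5", "dport": 502, "bytes": 125},     # within baseline
    {"src": "10.0.0.5", "dport": 502, "bytes": 90000},   # volume spike
    {"src": "10.0.0.9", "dport": 22, "bytes": 4100},     # port not in allowlist
    {"src": "10.0.0.77", "dport": 2575, "bytes": 300},   # source not in baseline
]

if __name__ == "__main__":
    for finding in detect(BASELINE, LIVE):
        print(finding)
```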
Output
# Save to JSON file
sudo cysense listen --interface eth0 --format json --output capture.json
# View captured asset inventory
cysense assets
Platform agent mode
Run as a persistent agent reporting to your Cybrium workspace:
sudo cysense listen --interface eth0 \
--platform https://app.cybrium.ai \
--token "$CYBRIUM_API_TOKEN"
In agent mode, cysense streams asset discoveries and anomalies to the platform in real time over a WebSocket connection.