Cysense — Passive Network Sensor
Cysense is a passive network sensor that captures traffic, dissects protocols, and discovers assets in IT/OT/IoMT environments. It identifies devices on the network without sending a single packet — ideal for hospital and industrial environments where active scanning can disrupt critical systems.
| Field | Value |
|---|---|
| Language | Rust |
| License | MIT |
| Source | github.com/cybrium-ai/cysense |
| Current version | 0.1.0 |
Capabilities
| Capability | Description |
|---|---|
| Packet capture | Passive traffic capture via libpcap with BPF filtering |
| Protocol dissection | TCP, UDP, HTTP, DNS, Modbus, HL7v2, DICOM, BACnet, S7comm |
| Asset discovery | Auto-discovers devices from observed traffic (MAC, IP, hostname, OS) |
| Purdue classification | Assigns Purdue Level (0-5) to discovered assets |
| Anomaly detection | Flags unusual traffic patterns, new devices, protocol violations |
| Output formats | JSON, human-readable text |
| Platform sync | Stream findings to your Cybrium workspace in real time |
Supported protocols
| Protocol | Domain | Purdue Level |
|---|---|---|
| HTTP/HTTPS | IT | Level 3-5 |
| DNS | IT | Level 3-5 |
| Modbus TCP | OT / Industrial | Level 0-2 |
| BACnet | Building automation | Level 1-2 |
| HL7v2 | Healthcare | Level 2-3 |
| DICOM | Medical imaging | Level 2-3 |
| S7comm | Siemens PLCs | Level 0-1 |
| FHIR (over HTTP) | Healthcare | Level 3-4 |
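The sketch below shows how passive discovery and Purdue assignment can work on a single captured frame. It is an added example, not code from the cysense repository. The names `Asset`, `dissect`, `observe` and `sample_frame` are hypothetical, the ports (502 for Modbus TCP, 47808 for BACnet/IP) are the standard assignments, and the Purdue ranges are taken from the table above. Only the sender of each frame is recorded, and its MAC identifies the device only when the sensor sits on the same layer-2 segment.

```rust
use std::collections::BTreeMap;
#[derive(Debug, Default)]
struct Asset { ip: [u8; 4], protocols: Vec<&'static str>, purdue: Option<(u8, u8)> }

// Port match plus a header sanity check, so unrelated traffic on a known port is not mislabelled.
fn dissect(tcp: bool, port: u16, p: &[u8]) -> Option<(&'static str, (u8, u8))> {
    let be = |i: usize| u16::from_be_bytes([p[i], p[i + 1]]) as usize;
    match (tcp, port) {
        // MBAP header: transaction id, protocol id (must be 0), length of everything after byte 6
        (true, 502) if p.len() >= 8 && be(2) == 0 && be(4) == p.len() - 6 => Some(("Modbus TCP", (0, 2))),
        // BVLC header: type 0x81, function, total length of the datagram payload
        (false, 47808) if p.len() >= 4 && p[0] == 0x81 && be(2) == p.len() => Some(("BACnet", (1, 2))),
        _ => None,
    }
}

// Record the sender of one Ethernet/IPv4 frame; false means the frame was skipped.
fn observe(inv: &mut BTreeMap<[u8; 6], Asset>, f: &[u8]) -> bool {
    if f.len() < 34 || f[12..14] != [0x08, 0x00] { return false; }
    let l4 = 14 + ((f[14] & 0x0f) as usize) * 4;
    let end = 14 + u16::from_be_bytes([f[16], f[17]]) as usize; // IP total length excludes Ethernet padding
    let tcp = match f[23] { 6 => true, 17 => false, _ => return false };
    let min = if tcp { 20 } else { 8 };
    let fragment = (u16::from_be_bytes([f[20], f[21]]) & 0x1fff) != 0; // later fragments carry no L4 header
    if l4 < 34 || fragment || end > f.len() || end < l4 + min { return false; }
    let hdr = if tcp { ((f[l4 + 12] >> 4) as usize) * 4 } else { 8 };
    if hdr < min || end < l4 + hdr { return false; }
    let port = |i: usize| u16::from_be_bytes([f[l4 + i], f[l4 + i + 1]]);
    let payload = &f[l4 + hdr..end];
    let mut mac = [0u8; 6]; mac.copy_from_slice(&f[6..12]);
    let a = inv.entry(mac).or_default();
    a.ip.copy_from_slice(&f[26..30]);
    if let Some((name, lvl)) = dissect(tcp, port(0), payload).or_else(|| dissect(tcp, port(2), payload)) {
        if !a.protocols.contains(&name) { a.protocols.push(name); }
        a.purdue = Some(lvl);
    }
    true
}

// Constructed sample: 10.0.0.5 sends a Modbus "read holding registers" request to 10.0.0.9:502.
fn sample_frame() -> Vec<u8> {
    vec![0, 0x11, 0x22, 0x33, 0x44, 0x55, 2, 0, 0, 0, 0, 1, 0x08, 0x00, // dst MAC, src MAC, IPv4
         0x45, 0, 0, 52, 0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 5, 10, 0, 0, 9, // IPv4 header
         0xc0, 0, 0x01, 0xf6, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x18, 0x20, 0, 0, 0, 0, 0, // TCP header
         0, 1, 0, 0, 0, 6, 1, 3, 0, 0, 0, 2] // MBAP header + PDU
}
fn main() {
    let mut inv = BTreeMap::new();
    observe(&mut inv, &sample_frame());
    println!("{:?}", inv);
}
```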
When to use cysense vs. the platform
| Scenario | Recommendation |
|---|---|
| Quick packet capture on a single interface | `sudo cysense listen --interface eth0` |
| Persistent monitoring of hospital network | Deploy as a platform sensor via `cysense agent` |
| Asset inventory of an OT network segment | `sudo cysense listen --duration 3600 && cysense assets` |
| Multi-site continuous monitoring | Use the platform — it aggregates data from sensors across sites |