RustShield-Security/rustshield-auditor

RustShield Auditor

Public showcase for RustShield Field Auditor.

RustShield Auditor is a passive, local-first field evidence tool for early assessment of industrial and robotic networks. It analyzes offline PCAP/PCAPNG captures and sanitized lab fixtures to produce reproducible evidence packs with observed assets, protocol activity, risk findings, limitations and candidate RustShield gateway policies.

This public repository is intentionally scoped. It demonstrates the auditor workflow without publishing private project definition notes, internal implementation memory, real customer captures, appliance secrets or field evidence.

What It Does

  • Reads offline PCAP/PCAPNG files.
  • Profiles Modbus TCP traffic at a conservative protocol level.
  • Profiles MAVLink traffic at a conservative protocol level.
  • Generates Markdown and JSON evidence reports.
  • Generates reproducible evidence packs with artifact hashes.
  • Provides synthetic lab fixtures for public validation.
  • Includes a listen-only capture command guarded by explicit operator confirmation.

Safety Posture

Default mode is passive and offline. The auditor reads pre-captured PCAP/PCAPNG files and synthetic lab fixtures; it does not open network connections or touch live traffic by default.

The analyze-pcap and validate-fixtures commands are read-only. The capture-passive command opens a local listen-only socket and requires an explicit --i-understand-passive-capture flag; it does not transmit, inject or modify traffic.

The auditor does not protect traffic inline. It observes, classifies, preserves reproducible evidence and proposes candidate policies for RustShield gateways. Deploying a gateway is a separate step that requires operator authorization, hardware access and testing outside the scope of this tool.

Protocol coverage is intentionally narrow. The Modbus TCP profile covers MBAP/PDU parsing without full TCP stream reassembly; it cannot safely infer register or coil semantics from traffic alone. The MAVLink profile covers v1/v2 framing and a subset of critical commands for ArduPilot Copter SITL; CRC validation and dialect-specific semantics are not implemented. Captures with packet loss, tunnels or unsupported link types will produce incomplete observations.

MAVLink signing is reported as observed or not observed. Signing presence is not cryptographic proof of authenticated traffic in this MVP; the auditor does not verify signatures or key material.
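As an added example that is not part of the auditor's own source, the Rust function below shows the kind of conservative framing described above: it walks a MAVLink v1 or v2 header, reads the message id and payload length, and reports whether the v2 "signed" flag is present, without checking the CRC or verifying the signature bytes. The struct, function names and the sample frame are constructed for illustration.

```rust
// Added example (not the project's code): conservative MAVLink v1/v2 framing
// that reports only what is visible on the wire. No CRC validation and no
// signature verification: "signing_observed" means the flag is set, nothing more.

#[derive(Debug, PartialEq)]
pub struct MavFrame {
    pub version: u8,
    pub msg_id: u32,
    pub payload_len: usize,
    pub signing_observed: bool,
}

/// MAVLink v2 incompat_flags bit 0 marks a signed frame (13-byte trailer).
const MAVLINK_IFLAG_SIGNED: u8 = 0x01;

/// Parses one frame from the start of `buf`; returns None if the magic byte
/// is unknown or the buffer is shorter than the frame it claims to carry.
pub fn parse_mavlink_frame(buf: &[u8]) -> Option<MavFrame> {
    let len = *buf.get(1)? as usize;
    match buf[0] {
        // v1 layout: STX, len, seq, sysid, compid, msgid(1), payload, crc(2)
        0xFE => {
            if buf.len() < 6 + len + 2 {
                return None;
            }
            Some(MavFrame { version: 1, msg_id: buf[5] as u32, payload_len: len, signing_observed: false })
        }
        // v2 layout: STX, len, incompat, compat, seq, sysid, compid,
        //            msgid(3, little-endian), payload, crc(2), [signature(13)]
        0xFD => {
            let signed = (*buf.get(2)? & MAVLINK_IFLAG_SIGNED) != 0;
            let total = 10 + len + 2 + if signed { 13 } else { 0 };
            if buf.len() < total {
                return None;
            }
            let msg_id = buf[7] as u32 | (buf[8] as u32) << 8 | (buf[9] as u32) << 16;
            Some(MavFrame { version: 2, msg_id, payload_len: len, signing_observed: signed })
        }
        _ => None,
    }
}

/// Constructed sample: a v2 HEARTBEAT (msg id 0) with the signed flag set,
/// a 9-byte zero payload, a placeholder CRC and a placeholder 13-byte signature.
pub fn sample_signed_v2_heartbeat() -> Vec<u8> {
    let mut f = vec![0xFD, 9, 0x01, 0x00, 0x2A, 1, 1, 0, 0, 0];
    f.extend_from_slice(&[0u8; 9 + 2 + 13]);
    f
}
```

A truncated signed frame (signature trailer missing) is rejected rather than reported as unsigned, which is the behaviour an evidence tool wants when a capture has packet loss.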

Findings in evidence packs are observations and inferences, not security certifications. Each finding includes explicit limitations. Results must be reviewed by an authorized operator with domain knowledge of the target network before drawing operational conclusions.

Not Claimed

  • No inline traffic protection: the auditor observes and reports; it does not block, filter or modify traffic.
  • No certification or formal assurance approval.
  • No complete OT protocol coverage: the Modbus TCP profile is MVP-scope; Modbus RTU, DNP3, EtherNet/IP and other OT protocols are not handled.
  • No complete UAV protocol coverage: MAVLink profile covers a subset of ArduPilot Copter commands; PX4, other autopilots and custom dialects are not covered.
  • No MAVLink signing validation: signing presence is observed and reported, not cryptographically verified.
  • No physical process semantics: Modbus register and coil meaning cannot be inferred safely from traffic alone without operator-provided context.
  • No replacement for professional security audit, OT risk assessment or network segmentation.
  • No production or operational deployment readiness.

Quick Start

cargo test
cargo run -- validate-fixtures --out target/public-demo

The public demo generates sanitized Modbus TCP and MAVLink fixtures, analyzes them offline and writes evidence packs under target/public-demo.

To analyze your own offline capture:

cargo run -- analyze-pcap sample.pcap --out target/evidence-pack

Do not publish real PCAPs or evidence packs unless they have been reviewed and sanitized.

Commands

rustshield-auditor analyze-pcap <pcap-path> --out <output-dir>
rustshield-auditor validate-fixtures --out <output-dir>
rustshield-auditor capture-passive --interface <iface> --duration-seconds <n> --out <output-dir> --i-understand-passive-capture

capture-passive is documented for controlled local use only. It requires explicit confirmation and is not used by the public demo.

Public Evidence

The repository includes public documentation under docs/. The canonical reproducible demo is:

scripts/run-public-demo.sh

Generated output is written to target/public-demo and is ignored by Git.

Public Scope

Included:

  • Rust CLI source code.
  • Synthetic fixture generation.
  • Offline report and evidence-pack generation.
  • Public documentation, claims and limitations.
  • Responsible-use and security policy.

Excluded:

  • Internal definition documents.
  • Implementation memory and phase notes.
  • Real field captures.
  • Customer or lab network identifiers.
  • Private evidence archives.
  • Operational secrets, environment files and appliance-specific local state.

License

Licensed under either of:

  • Apache License, Version 2.0
  • MIT License

at your option.
