Search operators

ICS Tracker is a search engine for internet-exposed ICS and OT assets. We continuously scan the public IPv4 space on Modbus (502), DNP3 (20000), BACnet (47808), and OPC-UA (4840). When a device responds, we sweep all 65,535 ports on that host and fingerprint every web panel we find.

This page documents every operator the search bar accepts. All operators can be combined in a single query.

Quick reference

Operator	Example	Matches
`port:N`	`port:502`	Exposed services on TCP/UDP port N
`proto:NAME`	`proto:modbus`	Protocol: modbus, dnp3, bacnet, opc-ua, http, https, vnc
`server:STRING`	`server:Siemens`	Substring of the `Server:` HTTP header
`geo:CC`	`geo:DE`	ISO 3166 country code (US, DE, KR, BR, CN, …)
`url:STRING`	`url:/cgi-bin`	Path / URL fragment of the indexed response
`html:STRING`	`html:"login"`	Literal substring of the response body
`asn:NUMBER`	`asn:4766`	BGP ASN of the host network
`status:CODE`	`status:200`	HTTP status code of the indexed response
`ip:ADDRESS`	`ip:80.151.53.10`	Exact IP match (single host)
`net:CIDR`	`net:80.151.53.0/24`	All IPs inside a network block. Capped at /20 (4096 hosts) — bigger blocks return no matches.
`favicon:HASH`	`favicon:cec7af18a5cff18c2518ad652b0e516e`	MD5 of the device's `/favicon.ico`. Click any tile in /stats/ or any hash in a node page to auto-fill.
`htmlhash:HASH`	`htmlhash:12aeaed6744a63ec37a7f621cefc11d4d75583225c1e533e933dc57e6dd99683`	SHA-256 of the indexed HTML body. Click any HTML hash on a result card or node page to find all devices serving the same response.
`ssl:STRING`	`ssl:expired`	SSL cert filter (states: `valid`, `expired`, `self-signed`) or substring of the cert subject.
`city:STRING`	`city:Berlin`	GeoIP city name (case-insensitive substring)

Operators are AND-combined. A query like port:502 geo:US returns Modbus devices hosted in the United States, not Modbus devices OR US devices.

Protocols we probe

The primary-probe ports are the ones our scanners touch every pass:

502 — Modbus (most-deployed ICS protocol)
20000 — DNP3 (utility / SCADA)
47808 — BACnet (building automation)
4840 — OPC-UA (modern ICS data layer)

When a device answers on any of these, we follow up with a full 65k-port sweep to catalogue every HTTP/HTTPS panel, VNC screen, and Telnet/SSH banner. That is why you will also see results on ports like 80, 443, 8080, 5800, etc. — those are web applications running on ICS hosts we have already validated.

Examples

Find Modbus devices in a country

port:502 geo:KR

Devices inside an ISP block (CIDR)

net:188.38.146.0/24

Combine with another operator to narrow further: net:188.38.146.0/24 port:2000 finds the Wago PLCs in that subnet.

BACnet controllers by vendor

port:47808 server:Tridium

Legacy web panels on ICS hosts

server:"Apache/2.4.10" url:/cgi-bin

OPC-UA with specific certificate keywords

proto:opc-ua html:"UA Configuration Tool"

VNC screens exposed on Modbus hosts

proto:vnc port:5900

Honeypots filtered out

Suspected honeypots are tagged at index time. They do not appear in the default result set. To explicitly include them, add include:honeypot. To see only suspected honeypots:

only:honeypot proto:dnp3

Geography

Geo codes follow the ISO 3166-1 alpha-2 spec. Examples: US, DE, KR, CN, TR, FR, ES, BR, JP, RU. Countries with no known localisation appear as empty (shown as geo: with no value).

Using the API

Every operator available in the web UI is also accepted by the REST API. See the API reference for request schemas and authentication.

Rate limits

The free tier permits 30 searches per minute and 50 results per query. Higher quotas and CSV/JSON export are available on paid plans (see pricing).

Contact

Questions, dataset requests, or commercial enquiries: [email protected].