# GlassMarlin, the successor to GrassMarlin

> One file. PCAP in. Full OT/ICS triage workbench out. No Wireshark, no Python, no Docker, no internet. Defender-on-a-laptop tooling for engagements where the host has nothing.

*Canonical HTML: https://grassmarlin.com/glassmarlin/*
*Markdown source: https://grassmarlin.com/glassmarlin.md*
*Français: https://grassmarlin.com/fr/glassmarlin.md*

---

GlassMarlin is the desktop successor to GrassMarlin. **One file. PCAP in. Full OT/ICS triage workbench out. No Wireshark required. No Python install. No Docker. No internet. No team server.** Defender-on-a-laptop tooling for OT engagements where the host has nothing.

Source repository: [github.com/eris-ot/glassmarlin](https://github.com/eris-ot/glassmarlin).

## Lineage

GrassMarlin was the NSA-released OT topology mapper that field defenders quietly carried on engagement laptops for years. It worked, until it didn't. Abandoned in 2017, Java-bound, single-platform, no longer maintained. [CVE-2026-6807](https://nvd.nist.gov/vuln/detail/CVE-2026-6807) (April 2026) made it actively unsafe to keep using.

GlassMarlin picks up where it left off. Same defender utility, modernised, cross-platform, with the full risk + MITRE ATT&CK + IOC + baseline + sub-PCAP-carve stack on top of topology mapping. Same drop-it-on-a-laptop spirit. Zero external dependencies. Full lineage on the [GrassMarlin heritage page](/wiki/heritage.md).

## No external dependencies. Period.

Every dependency ships inside the binary:

- **Native bundle per OS.** GlassMarlin.msi for Windows. GlassMarlin.dmg for macOS (signed, Gatekeeper-clean). GlassMarlin.AppImage for Linux (any glibc 2.28+ host).
- **Pure-Rust PCAP dissection.** No libpcap, no Npcap, no Wireshark install, no `tshark` shell-out, no `editcap`. `marlinspike-dpi` handles parsing and time-window carve-out natively in Rust.
- **Python runtime baked in.** Bundled via `python-build-standalone`. No `pip install`, no venv, no system Python.
- **Embedded SQLite, no DB server.** Everything that grassmarlin.com stores in Postgres, GlassMarlin keeps in an embedded SQLite file in the per-user data directory.
- **No internet required, ever.** No telemetry, no license check, no MITRE updates fetched at runtime. The ATT&CK runtime and plugin packs are baked into the binary. Runs in SCIFs, bunkers, and on flights.
- **SIEM-ready exports.** Every scan emits report.json + OCSF NDJSON + STIX 2.1 + Sigma rules + ATT&CK Navigator layer JSON, alongside the workbench view.

## What it does

GlassMarlin is the full MarlinSpike triage stack on a binary, not just topology:

- **Topology + asset fingerprinting.** Purdue-level inference, vendor fingerprinting, asset role detection. 30+ OT protocol dissectors: Modbus, S7, DNP3, IEC 60870-5-104, EtherNet/IP, OPC UA, BACnet, PROFINET, OMRON FINS, HART-IP, EtherCAT, Sparkplug B, IEC 61850 (MMS / GOOSE / SV), and more.
- **Risk findings, IEC 62443 mapped.** Cross-Purdue communications, cleartext engineering traffic, beaconing, suspicious external comms, port scans, missing authentication, OPC `SecurityMode=None`, Modbus writes from unexpected sources, each with an IEC 62443 SR mapping and remediation guidance.
- **MITRE ATT&CK alignment.** Every finding mapped to techniques (ICS + Enterprise). Tactic-matrix workbench view. One-click export to ATT&CK Navigator layer JSON.
- **IOC threat hunting.** Paste a CISA advisory, ingest a STIX bundle, or hand-curate a list. Scan a capture's nodes, DNS queries, flows, and payloads against IPs / domains / SHA-256 / MD5 / MACs / OUIs.
- **Per-asset baselines + drift.** Walks every capture you've loaded and shows what changed for a given host since last time: new peers, new protocols, new findings, and drift in vendor / role / device type.
- **Time-window sub-PCAP carve-out.** Drag a span on the capture timeline, extract just those packets as a sub-PCAP for Wireshark. The drag is local, no upload, no server. Pure Rust, no `editcap`.

## GlassMarlin vs grassmarlin.com

| Aspect | grassmarlin.com (web) | GlassMarlin (desktop) |
|---|---|---|
| Deployment | Docker Compose, reverse proxy, persistent volumes | One signed installer per OS, embedded runtime |
| User model | Multi-user with auth, projects scoped per-user | Single-user, local only |
| OS target | Linux container (any host with Docker) | Windows .msi, macOS .dmg, Linux .AppImage |
| External tooling | tshark in the container, libpcap on the host | None, Rust dissection, no Wireshark needed |
| Database | PostgreSQL service | Embedded SQLite, single file |
| Internet | Optional (for ATT&CK Navigator export) | Never. Period. |
| Engine | Same MarlinSpike engine and plugins | Same MarlinSpike engine and plugins |
| Report artifact | Portable JSON, reviewable anywhere | Portable JSON + OCSF + STIX + Sigma + ATT&CK Navigator |
| Best fit | Engagement teams, shared field hosts, lab servers | Defender on a laptop, air-gapped hosts, SCIFs, plane rides |

## Who it's for

The defender's local tool. The thing you put on the engagement laptop. The thing you run on an air-gapped host, on a flight to the site, in a vendor's SCIF, in a bunker. No infrastructure. No internet. No prep.

- **The engagement laptop.** Throw GlassMarlin on the assessor laptop, fly to site, work the captures the OT operator hands you. No client-side dependencies to negotiate before the work starts.
- **Air-gapped, SCIFs, bunkers.** Hosts with no internet, no Docker, no package manager, and no clearance to install third-party runtimes. GlassMarlin is one file: drop it on a USB, open the PCAP, work the project. ATT&CK / IEC 62443 / IOC packs are baked in, nothing fetched at runtime.
- **Training, tabletops, classrooms.** Drop GlassMarlin on the AD share or the USB you handed out at registration. Twenty students each have their own MarlinSpike running in 30 seconds. No server to provision, no Docker to teach.

## What GlassMarlin isn't

- **Not multi-user.** No auth backends, no multi-tenant scoping, no shared URL. If two analysts need to look at the same project, they each open the file locally, or they pull it into a [grassmarlin.com](/) deployment for cross-engagement collaboration.
- **No live capture.** PCAP-in, workbench-out. If you need a live sensor that talks to the team workbench, that's the `marlinspike-capd` sidecar on the server side, not on the laptop.
- **Not Wireshark.** GlassMarlin is the OT triage layer on top of a PCAP (topology, asset context, ATT&CK alignment, findings) that Wireshark deliberately doesn't try to be. Read with Wireshark when you need packet bytes; drive the engagement with GlassMarlin.

## Download · v0.1.1

Signed installers for all three OSes are available on the GitHub Releases page. The checksum of every artifact is listed in `SHA256SUMS`, which ships alongside the release together with a GPG signature and an OpenTimestamps proof.

**Windows (x86_64):**
- `.msi` (managed deployments): [GlassMarlin_0.1.1_x64_en-US.msi](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/GlassMarlin_0.1.1_x64_en-US.msi)
- `.exe` (NSIS, hand-installs): [GlassMarlin_0.1.1_x64-setup.exe](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/GlassMarlin_0.1.1_x64-setup.exe)

**macOS (Apple Silicon):**
- `.dmg` (signed and notarised, Gatekeeper-clean): [GlassMarlin_0.1.1_aarch64.dmg](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/GlassMarlin_0.1.1_aarch64.dmg)
- Intel macOS: planned, not yet shipped.

**Linux (x86_64):**
- `.AppImage` (any glibc 2.28+ host): [GlassMarlin_0.1.1_amd64.AppImage](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/GlassMarlin_0.1.1_amd64.AppImage)
- `.deb` (apt-managed systems): [GlassMarlin_0.1.1_amd64.deb](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/GlassMarlin_0.1.1_amd64.deb)

**Verify:**
- [SHA256SUMS](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/SHA256SUMS) — checksums of every artifact
- [SHA256SUMS.asc](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/SHA256SUMS.asc) — GPG signature
- [SHA256SUMS.ots](https://github.com/eris-ot/glassmarlin/releases/download/v0.1.1/SHA256SUMS.ots) — OpenTimestamps proof
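The three verify steps above, as an added example that is not part of the GlassMarlin project: hash whichever artifacts you actually downloaded against `SHA256SUMS`, check the detached GPG signature, and confirm the OpenTimestamps proof. The release signing key's fingerprint is not published on this page, so `check_signature` takes it as a parameter (placeholder value) and assumes you have already imported the key into your local keyring.

```shell
#!/bin/sh
# Added example, not project code: offline verification of a downloaded
# GlassMarlin release against SHA256SUMS, SHA256SUMS.asc and SHA256SUMS.ots.

# check_sums DIR
# Parses DIR/SHA256SUMS (lines of "<hex>  <filename>"), hashes every listed
# artifact that is actually present in DIR, and fails on the first mismatch.
# Returns 0 if at least one present artifact matched, 1 on a mismatch,
# 2 if none of the listed files is present, 3 if SHA256SUMS itself is missing.
check_sums() {
  dir="$1"
  sums="$dir/SHA256SUMS"
  [ -f "$sums" ] || { echo "missing $sums" >&2; return 3; }
  checked=0
  while read -r expected name; do
    [ -n "$expected" ] || continue          # skip blank lines
    name="${name#\*}"                       # drop the binary-mode '*' marker
    [ -f "$dir/$name" ] || continue         # only hash what was downloaded
    actual=$(sha256sum "$dir/$name" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH: $name" >&2
      return 1
    fi
    checked=$((checked + 1))
  done < "$sums"
  [ "$checked" -gt 0 ] || { echo "no listed artifact present in $dir" >&2; return 2; }
  echo "OK: $checked artifact(s) match SHA256SUMS"
}

# check_signature DIR KEY_FPR
# Verifies the detached GPG signature over SHA256SUMS and insists that the
# VALIDSIG status line names KEY_FPR (signing subkey or primary key), so a
# signature from some other key in the keyring is rejected. KEY_FPR is a
# placeholder here: obtain the real fingerprint out of band.
check_signature() {
  dir="$1"; fpr="${2:-0000000000000000000000000000000000000000}"
  gpg --status-fd 1 --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null \
    | grep -q "VALIDSIG .*$fpr" || { echo "BAD or unexpected signature" >&2; return 1; }
  echo "OK: SHA256SUMS signed by $fpr"
}

# check_timestamp DIR
# Confirms the OpenTimestamps proof over SHA256SUMS with the `ots` client.
check_timestamp() {
  ots verify "$1/SHA256SUMS.ots"
}
```

Run `check_sums`, `check_signature` and `check_timestamp` in that order against the directory holding the downloaded files; a checksum match without a valid signature proves nothing, since an attacker who can swap the artifact can swap `SHA256SUMS` too.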

**Other channels:**
- All releases (notes, prior versions): [github.com/eris-ot/glassmarlin/releases](https://github.com/eris-ot/glassmarlin/releases)
- Source: [github.com/eris-ot/glassmarlin](https://github.com/eris-ot/glassmarlin)
- Same engine, team server: [grassmarlin.com](/) (this site)
- Same engine, hosted: [cloudmarlin.com](https://cloudmarlin.com)
