Protocol models

ProtoCrawler uses structured protocol models to facilitate the automatic generation and analysis of intelligent fuzz tests

How is a protocol model made up?

Data Model

The Data Model defines data formats, types and dependencies and tells ProtoCrawler everything it needs to know to understand the content and format of the messaging over the communications interface.


The State Model captures information about how the target interface moves between different states based on the messages that are sent and received. Whilst some protocols are stateless, others have important restrictions and constraints according to the state that has been reached. Specific testing needs can be defined, such as higher coverage of messages that are processed before the sender has been authenticated.


The Application Context contains contextual data used to execute a protocol, e.g., identifiers and keys required to complete a cryptographic handshake. When defining tests using the application context, it is frequently useful to define abstract goals. This can significantly simplify the specification of some types of tests and allows the developer to focus test resources on more interesting areas.

The following protocols are currently supported by ProtoCrawler:
(we update our protocol list regularly, so if you can’t see your protocol listed, just contact us)

Electrical and data specification for communication between sonars, GPS receivers (etc.) and other marine devices.

Coming soon


Transport Layer Security (TLS) provides client/server application communications security over the internet.

Coming soon

The Open Charge Point Interface protocol (OCPI) supports connections between e-Mobility Service Providers and Electric Vehicle Charge Point Operators who manage charge stations to enable automated roaming between charge point networks.

Coming soon

Open Automated Demand Response (OpenADR) is an information exchange model and global Smart Grid standard which provides a non-proprietary, open standardised Demand Response interface allowing electricity network operators to communicate Demand Response signals to end customers.

Coming soon

The Open Smart Charging Protocol (OSCP) is an open communication protocol between a Charge Point Management System managed by a Charge Point Operator, and an energy management system operated by a Distribution Network Operator for the purposes of capacity forecasting. OSCP is partly based on OCPP messaging.

Coming soon

ISO 15118 is an international standard that defines a two-way, high-level communication protocol between Electric Vehicles and Charge Point stations aimed at promoting plug and charge interoperability between vendors. The protocol supports bi-directional communications to facilitate both grid-to-vehicle and vehicle-to-grid information exchange.

The Open Charge Point Protocol (OCPP) is an open communication standard that supports communications between Charging Station Management Systems operated by Charge Point Operators, and Charge Point station equipment from different vendors to easily communicate with each other.

Used for defining the characteristics of drivers and receivers in serial communication applications.

Definitions and transmission protocols for proximity cards (otherwise known as tokens), typically used for verifying ID and controlling access.

NXP variant of IEC14443 Type A smart card standard including AES, DES and triple DES encryption standards.

Developed by IEC TC57. Used for telecontrol/teleprotection applications (SCADA), mainly within the Utilities space.

Facilitates data transmission between two permanently connected circuits and enables interoperability between different suppliers.

Typically used for SCADA applications, mainly in the utilities sector. Facilitates communication between control centres, remote terminal units (RTUs) and  IEDs.

Widely deployed in digital substations. Part of the IEC 61850 standard, used to transfer real time process data and supervisory control information between networked devices or computer applications.

Defines a set of standard objects, messages and encoding rules.

Widely deployed in digital substations. Part of the IEC61850 standard, used to group data formats into data sets and therefore facilitate fast data transmission (less then 4 milliseconds).

Commonly used to connect electronic devices (e.g. RTUs/PLCs) with (e.g.) a master controller in an industrial control system.

Uses serial, ethernet or IP as a transport layer depending on the application.

A rather well known standard/naming system for anything that connects to the internet or a private network.

Allows text-based domain names to be translated to numerical IP addresses. The protocol itself handles the data structures/exchanges as part of the wider IP suite.

Latest version of IP to replace IPv4.  Used for identification/location of computers and internet traffic routing.

Still used to route most internet traffic today, but gradually being replaced by IPv6.

Used to automatically assign IP addresses to devices that want to be connected to an IP network.

Users a client/server arrangement (client uses DHCP to request information from the server). This is the IPv6 variant of the protocol.

Used to automatically assign IP addresses to devices that want to be connected to an IP network.

Users a client/server arrangement (client uses DHCP to request information from the server). This is the IPv4 variant of the protocol.

Used to time synchronize all participating computers to within a few milliseconds of UTC. Sends and receives timestamps using UDP.

A very well known family of network protocols used for wirelessly connecting laptops, phones etc. to a router and then to the internet – typically 2.4GHz.

Coming soon

Used to exchange data between wired and wireless devices and creating personal area networks, over short distances using 2.4GHz.

Used (globally) for smart metering data exchange. Developed and maintained by the DLMS User Association (and also referred to as IEC 62056), the standard defines a set of interface classes or COSEM objects (Blue book) and supporting protocols (Green book).

Note: some parts of the world have different metering standards which use aspects/variants of DLMS (e.g. GBCS (UK), G3 PRIME etc.)

Simulates a GBCS Comms Hub. Supports functional security testing of GB smart metering equipment.

See also: ESME and GSME VER scripts for CPA.

Zigbee is widely used to create personal area networks using low power digital radios, to enable wireless home automation.

Within smart metering, the Zigbee Smart Energy profile enables the establishment of a home area network (HAN) between monitoring (smart meters), in-home displays (IHDs) and/or control devices.

Used in telecommunications, networking and cryptography. Defines human and machine readable data structures that can be serialised/deserialised cross-platform.

Defines communication requirements, specifically for GB smart meters. It handles the requirements for communication between a) smart metering devices and b) the data and communications company (DCC) – the latter of which is essentially the head end system for all non-GB readers!

The protocol includes aspects of DLMS (and makes reference to the Green book/Blue book) and Zigbee Smart Energy, both of which we support.

Interested? Book a demo with our team of specialists

Find out more about ProtoCrawler

Product Overview

Deploy our advanced fuzz testing software to discover and tackle security vulnerabilities that you might have overlooked.


Intelligent Test Generation​

Define coverage based on the time you have available and generate a myriad of intelligent, automated tests with just a few clicks.

Automated Analysis​

Analyse results automatically and get all the information you need to prioritise, diagnose and tackle your security issues.


Registered Office:
90 Lincoln Road

Company number 12575467
© Copyright 2022 CyTAL UK Ltd