IDS in the industrial control network environment can detect whether there is abnormal network packet behavior in the industrial control network environment, remind factory personnel that the communication of each computer in the factory is not attacked by external hackers, and prompt internal malicious employees Abnormal network packet behavior. We rely on "hearing" all the packets of the switch or router in the factory to let everyone "see" the purdue model and asset inventory table of the factory network, and teach you to see the normal and abnormal behaviors in the industrial control network; we will share Actual cases to see WannaCry's abnormal behavior will also introduce the importance of industrial control internal network isolation. Through a few actual cases, we can open the audience's eyes and see the abnormal behavior on the industrial control network. Except, the communication between the machine and the machine in the factory is like the communication between the Boss and the Servant. The language of communication may be Chinese, English, French, Japanese, but it may also be an unknown dialect (Unknown Protocol), so we will introduce the analysis of the Unknown Protocol.