The invention discloses an industrial control flow acquisition and protocol analysis method. The method comprises the following steps: acquiring data based on a mirror image port of an industrial control network switch; preprocessing the acquired data, wherein the preprocessing comprises restoring a network session of a transmission layer, identifying an application protocol and extracting structured metadata; respectively carrying out classified storage on the network session passing through the reduction transmission layer, identifying an application protocol and extracting various types ofdata subjected to structured metadata processing; and according to a set rule, monitoring and analyzing the classified and stored data, and finding out abnormal data. According to the invention, flowdata is accessed in a mirror image mode, so that risk hidden troubles during deployment of series equipment are avoided. Meanwhile, a five-layer processing architecture of acquisition, preprocessing,analysis, storage and return is established, the effect of each architecture level is clear, a clear guiding effect is achieved for acquisition and analysis of industrial control flow, and role overlapping of each layer is avoided.