Modbus TCP protocol is a famous and widely used industrial communication protocol for many supervisory control and data acquisition (SCADA) systems. However, with an increasing number of attacks on industrial control systems, honeypot systems must be deployed to collect attacking patterns and understand them clearly. Therefore, identifying potential attacking patterns from honeypots and providing a clear graphical user interface to express attacks are essential. In this paper, we propose an intrusion detection method that uses a honeypot for the Modbus TCP protocol. The proposed method uses an unsupervised clustering method based on log sequence similarity to cluster attacking behaviors, followed by a flow-based graph to express extracted representative attacks. Our method was implemented using the open-source honeypot system Conpot to collect attacking behaviors on Modbus TCP. The experimental results revealed that the proposed method has 90% accuracy for identifying attacking patterns, and can detect unexpected ones at 92% true positive and 0% false positive rates.