Analyzing BACnet with Wireshark
Introduction
BACnet (Building Automation and Control Networks) is a communication protocol widely used in building automation systems. Wireshark is a powerful tool for capturing and analyzing BACnet traffic, making it invaluable for troubleshooting, development, and learning.
Setting Up Automatic BACnet Traffic Capture
To capture BACnet traffic automatically, follow these steps:
Open Command Prompt and navigate to the Wireshark installation directory:
    cd C:\Program Files\Wireshark
List available network interfaces:
    dumpcap -D
Read the interface list and note the number next to the interface that has your BACnet traffic. You will use this number after the -i flag in the next step.
Start a capture for BACnet traffic:
    dumpcap -f "udp port 47808" -i 4 -a duration:5400 -w "C:\BACnet_Captures\BACnet_1.5Hour.pcapng"
- -f "udp port 47808": Filters for BACnet/IP traffic.
- -i 4: Specifies the network interface (replace 4 with your interface number).
- -a duration:5400: Sets the capture duration to 1.5 hours (5400 seconds).
- -w "C:\BACnet_Captures\BACnet_1.5Hour.pcapng": Saves the capture to the specified file.
Analyzing the Results
Viewing Captured Traffic
Wireshark displays a variety of BACnet services from various sources, as shown in the example below:

Figure 1: Wireshark displays a variety of BACnet services from various sources, useful for troubleshooting, development, or learning about the BACnet protocol.
Using Wireshark for Live Captures
To monitor or record BACnet traffic, ensure the following:
- The computer running Wireshark is connected to the same network as the BACnet devices.
- Use an Ethernet hub or a switch with port mirroring enabled to capture unicast traffic.
- The network interface supports promiscuous mode, which allows it to accept every frame that reaches the interface, not only frames addressed to it.
Configuring Capture Options
Select the network interface to monitor or capture through the Capture menu options (Interfaces or Options). The Capture Options dialog (Figure 2) provides the following settings:
- Capture Interface: Select the network interface to monitor.
- Real-Time Display: Enable or disable real-time packet display.
- Name Resolution: Resolve MAC, network, or transport names.
- Capture Filters: Limit captured packets to specific protocols or fields (e.g., udp port 47808 for BACnet/IP traffic).
- Stop Capture Options: Automatically stop capturing after a specified number of packets, megabytes, or minutes.

Figure 2: Wireshark Capture Options dialog box allows control of the capture display, name resolution, capture files, capture interface, capture filter, and stop conditions.
Filters for BACnet Traffic
Table 1: Capture Filters
| Capture Filter | Function |
|---|---|
| udp port 47808 | BACnet/IP packets on UDP port 47808 |
| udp port 47808 or udp port 47809 | BACnet/IP packets on UDP ports 47808 or 47809 |
Note: A capture filter will only capture packets that meet the filter criteria.
Table 2: Display Filters
| Display Filter | Function |
|---|---|
| bvlc or bacnet or bacapp | BACnet packets |
| bacnet | BACnet NPDU packets |
| bacnet.mesgtyp | BACnet Network Layer (router) packets |
| bvlc | BACnet/IP packets |
| bvlc.function == 0x0b | BACnet/IP Broadcast packets |
| bacapp | BACnet APDU packets |
| bacapp.confirmed_service == 12 | BACnet ReadProperty packets |
| bacapp.confirmed_service == 14 | BACnet ReadPropertyMultiple packets |
| bacapp.confirmed_service == 15 | BACnet WriteProperty packets |
| bacapp.unconfirmed_service == 0 | BACnet I-Am packets |
| bacapp.unconfirmed_service == 8 | BACnet WhoIs packets |
| bacapp.unconfirmed_service == 2 | BACnet UnconfirmedCOVNotification packets |
| bacapp.confirmed_service == 5 | Subscribe COV |
| bacapp.confirmed_service == 6 | Atomic Read File |
| bacapp.confirmed_service == 18 | Confirmed Private Transfer |
| bacapp.unconfirmed_service == 6 | Time Sync Packets |
Note: Display filter expressions can be combined using logical operators such as and, or, xor, and not. Comparison operators like ==, !=, >, <, >=, and <= can also be used. Refer to the Wireshark Help Contents for more details.
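To show what the Table 2 filters actually match on, the following added example (not part of the original article) walks the BVLC, NPDU and APDU headers of one UDP 47808 payload and returns the display filter that would select it, so state-changing requests such as WriteProperty stand out when reviewing a capture. The helper name classify is hypothetical and the sample payloads are constructed, not taken from a real capture.

```python
import struct

# Added example; classify() is a hypothetical helper name.
# Service numbers and names are the ones listed in Table 2.
CONFIRMED = {5: "SubscribeCOV", 6: "AtomicReadFile", 12: "ReadProperty",
             14: "ReadPropertyMultiple", 15: "WriteProperty",
             18: "ConfirmedPrivateTransfer"}
UNCONFIRMED = {0: "I-Am", 2: "UnconfirmedCOVNotification",
               6: "TimeSynchronization", 8: "WhoIs"}

def classify(payload: bytes):
    """Return (display_filter, description) for one UDP 47808 payload."""
    try:
        bvlc_type, function, length = struct.unpack_from("!BBH", payload, 0)
        if bvlc_type != 0x81 or length != len(payload):
            return None, "not BACnet/IP"
        if function not in (0x04, 0x09, 0x0A, 0x0B):   # no NPDU inside
            return f"bvlc.function == 0x{function:02x}", "BVLC control message"
        # Forwarded-NPDU (0x04) carries a 6-byte originating address first.
        pos = 10 if function == 0x04 else 4
        control = payload[pos + 1]        # payload[pos] is the NPDU version
        pos += 2
        if control & 0x20:                # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x08:                # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x20:                # hop count follows the addresses
            pos += 1
        if control & 0x80:                # network layer (router) message
            return f"bacnet.mesgtyp == {payload[pos]}", "network layer message"
        pdu_type = payload[pos] >> 4
        if pdu_type == 0:                 # Confirmed-Request
            # flags, max-APDU, invoke ID; two more bytes when segmented
            svc = payload[pos + (5 if payload[pos] & 0x08 else 3)]
            return (f"bacapp.confirmed_service == {svc}",
                    CONFIRMED.get(svc, "other confirmed service"))
        if pdu_type == 1:                 # Unconfirmed-Request
            svc = payload[pos + 1]
            return (f"bacapp.unconfirmed_service == {svc}",
                    UNCONFIRMED.get(svc, "other unconfirmed service"))
        return "bacapp", "response PDU (ack, error, reject, abort)"
    except (IndexError, struct.error):
        return None, "truncated"

# Constructed sample payloads (not taken from a real capture).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
WRITE_PROPERTY = bytes.fromhex("810a001801040005010f0c0080000119553e44429000003f")

if __name__ == "__main__":
    for sample in (WHO_IS, WRITE_PROPERTY):
        print(classify(sample))
```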
Advanced Tips
- Capture File Management: Save captures in smaller chunks to avoid data loss in case of interruptions.
- Promiscuous Mode: Ensure your network interface supports promiscuous mode for comprehensive traffic analysis.
- Legal Considerations: Verify that capturing network traffic complies with local laws and regulations.
Troubleshooting
Common Issues
No BACnet Traffic Captured:
- Verify the network interface is correctly selected.
- Ensure the capture filter is set to udp port 47808.
Promiscuous Mode Not Supported:
- Check your network interface card (NIC) specifications.
- Use a compatible NIC or an external USB Ethernet adapter.
Unicast Traffic Not Visible:
- Use an Ethernet hub or enable port mirroring on the switch.
Tip: Refer to the Wireshark User Guide for more details and advanced configurations.