Analyzing BACnet with Wireshark

Introduction

BACnet (Building Automation and Control Networks) is a communication protocol widely used in building automation systems. Wireshark is a powerful tool for capturing and analyzing BACnet traffic, making it invaluable for troubleshooting, development, and learning.

Setting Up Automatic BACnet Traffic Capture

To capture BACnet traffic automatically, follow these steps:

  1. Open Command Prompt and navigate to the Wireshark installation directory:

    cd C:\Program Files\Wireshark
    
  2. List available network interfaces:

    dumpcap -D
    

    Read the interface list and note the number next to the interface that has your BACnet traffic. You will use this number after the -i flag in the next step.

  3. Start a capture for BACnet traffic:

    dumpcap -f "udp port 47808" -i 4 -a duration:5400 -w "C:\BACnet_Captures\BACnet_1.5Hour.pcapng"
    
    • -f "udp port 47808": Filters for BACnet/IP traffic.
    • -i 4: Specifies the network interface (replace 4 with your interface number).
    • -a duration:5400: Sets the capture duration to 1.5 hours (5400 seconds).
    • -w "C:\BACnet_Captures\BACnet_1.5Hour.pcapng": Saves the capture to the specified file.

Analyzing the Results

Viewing Captured Traffic

Wireshark displays a variety of BACnet services from various sources, as shown in the example below:

Figure 1: Wireshark displays a variety of BACnet services from various sources, useful for troubleshooting, development, or learning about the BACnet protocol.

Using Wireshark for Live Captures

To monitor or record BACnet traffic, ensure the following:

  • The computer running Wireshark is connected to the same network as the BACnet devices.
  • The devices are connected through an Ethernet hub, or through a switch with port mirroring enabled, so that unicast traffic between other devices reaches the capture port.
  • The network interface supports promiscuous mode, which allows it to capture all packets on the network.

Configuring Capture Options

Select the network interface to monitor or capture through the Capture menu options (Interfaces or Options). The Capture Options dialog (Figure 2) provides the following settings:

  • Capture Interface: Select the network interface to monitor.
  • Real-Time Display: Enable or disable real-time packet display.
  • Name Resolution: Resolve MAC, network, or transport names.
  • Capture Filters: Limit captured packets to specific protocols or fields (e.g., udp port 47808 for BACnet/IP traffic).
  • Stop Capture Options: Automatically stop capturing after a specified number of packets, megabytes, or minutes.

Figure 2: Wireshark Capture Options dialog box allows control of the capture display, name resolution, capture files, capture interface, capture filter, and stop conditions.

Filters for BACnet Traffic

Table 1: Capture Filters

  Capture Filter                          Function
  udp port 47808                          BACnet/IP packets on UDP port 47808
  udp port 47808 or udp port 47809        BACnet/IP packets on UDP ports 47808 or 47809

Note: A capture filter will only capture packets that meet the filter criteria.

Table 2: Display Filters

  Display Filter                          Function
  bvlc,bacnet,bacapp                      BACnet packets
  bacnet                                  BACnet NPDU packets
  bacnet.mesgtyp                          BACnet Network Layer (router) packets
  bvlc                                    BACnet/IP packets
  bvlc.function == 0x0b                   BACnet/IP Broadcast packets
  bacapp                                  BACnet APDU packets
  bacapp.confirmed_service == 12          BACnet ReadProperty packets
  bacapp.confirmed_service == 14          BACnet ReadPropertyMultiple packets
  bacapp.confirmed_service == 15          BACnet WriteProperty packets
  bacapp.unconfirmed_service == 0         BACnet I-Am packets
  bacapp.unconfirmed_service == 8         BACnet WhoIs packets
  bacapp.unconfirmed_service == 2         BACnet UnconfirmedCOVNotification packets
  bacapp.confirmed_service == 5           Subscribe COV
  bacapp.confirmed_service == 6           Atomic Read File
  bacapp.confirmed_service == 18          Confirmed Private Transfer
  bacapp.unconfirmed_service == 6         Time Sync Packets

Note: Display filter expressions can be combined using logical operators such as and, or, xor, and not. Comparison operators like ==, !=, >, <, >=, and <= can also be used. Refer to the Wireshark Help Contents for more details.
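As an added illustration (not code from the original page or from Wireshark), the following Python script decodes the BVLC, NPDU and APDU headers of a BACnet/IP datagram and reports the same fields the display filters in Table 2 test (bvlc.function, bacnet.mesgtyp, bacapp.confirmed_service and bacapp.unconfirmed_service). The service-name maps and the sample datagrams are constructed for the example and are not captured traffic.

```python
import struct

# Service-choice numbers from Table 2 mapped to names (helper for this example, not Wireshark's own tables).
CONFIRMED = {5: "SubscribeCOV", 6: "AtomicReadFile", 12: "ReadProperty",
             14: "ReadPropertyMultiple", 15: "WriteProperty", 18: "ConfirmedPrivateTransfer"}
UNCONFIRMED = {0: "I-Am", 2: "UnconfirmedCOVNotification", 6: "TimeSynchronization", 8: "Who-Is"}

def classify(payload: bytes) -> dict:
    """Decode one BACnet/IP UDP payload (what 'udp port 47808' captures) and report the
    header fields that the bvlc / bacnet / bacapp display filters in Table 2 match on."""
    if len(payload) < 4 or payload[0] != 0x81:
        raise ValueError("not a BVLC frame")
    func, length = payload[1], struct.unpack("!H", payload[2:4])[0]
    if length != len(payload):
        raise ValueError("BVLC length does not match datagram length")
    info = {"bvlc_function": func, "broadcast": func == 0x0B,   # bvlc.function == 0x0b
            "network_msg": None, "apdu_type": None, "service": None}
    if func not in (0x04, 0x0A, 0x0B):   # only Forwarded/Original-Unicast/Original-Broadcast carry an NPDU
        return info
    npdu = payload[4:]
    if len(npdu) < 2 or npdu[0] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, pos = npdu[1], 2
    if control & 0x20:                   # DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + npdu[pos + 2]
    if control & 0x08:                   # SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + npdu[pos + 2]
    if control & 0x20:                   # hop count is present whenever DNET is
        pos += 1
    if control & 0x80:                   # network-layer message (bacnet.mesgtyp); no APDU follows
        info["network_msg"] = npdu[pos]
        return info
    apdu = npdu[pos:]
    info["apdu_type"] = apdu[0] >> 4
    if info["apdu_type"] == 0:           # Confirmed-Request: flags, max-resp, invoke-id, [seq, window], service
        svc = apdu[5 if apdu[0] & 0x08 else 3]
        info["service"] = CONFIRMED.get(svc, f"confirmed({svc})")
    elif info["apdu_type"] == 1:         # Unconfirmed-Request: type byte, then service choice
        svc = apdu[1]
        info["service"] = UNCONFIRMED.get(svc, f"unconfirmed({svc})")
    return info

# Constructed sample datagrams (UDP payloads only, as they would appear on port 47808).
SAMPLES = {
    "whois":    bytes.fromhex("810b000c0120ffff00ff1008"),            # Original-Broadcast, Who-Is to DNET 0xFFFF
    "readprop": bytes.fromhex("810a001101040005010c0c02000008194c"),  # Original-Unicast, ReadProperty device 8 / object-list
    "router":   bytes.fromhex("810b0007018000"),                      # Who-Is-Router-To-Network (network message 0x00)
}
for name, pkt in SAMPLES.items():
    print(name, classify(pkt))
```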

Advanced Tips

  • Capture File Management: Save captures in smaller chunks to avoid data loss in case of interruptions.
  • Promiscuous Mode: Ensure your network interface supports promiscuous mode for comprehensive traffic analysis.
  • Legal Considerations: Verify that capturing network traffic complies with local laws and regulations.

Troubleshooting

Common Issues

  1. No BACnet Traffic Captured:

    • Verify the network interface is correctly selected.
    • Ensure the capture filter is set to udp port 47808.
  2. Promiscuous Mode Not Supported:

    • Check your network interface card (NIC) specifications.
    • Use a compatible NIC or an external USB Ethernet adapter.
  3. Unicast Traffic Not Visible:

    • Use an Ethernet hub or enable port mirroring on the switch.

Tip: Refer to the Wireshark User Guide for more details and advanced configurations.
