
BACnet MSTP Wireshark capture decoding

Issue

BACnet MSTP Wireshark capture

Environment

Schneider Electric StruxureWare Building Operation AS using MSTP for BACnet

Cause

Example of Wireshark capture and WriteProperty in MSTP
  

Resolution

In Wireshark, apply the display filter bacapp.confirmed_service == 15 to show only BACnet WriteProperty packets.

Below is a screenshot of the Wireshark window after applying the filter, showing both Requests (REQ) and Acknowledgements (ACK):

Below is a Request, with a breakdown of what is requested. The AS (address 0) requests that a third-party Metz device (address 91) set Analog Value 1 to 0.00.

Below is a Request, with a breakdown of what is requested. The AS (address 0) requests that a third-party Metz device (address 91) set Analog Value 1 to a value of 100.00.
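The decode Wireshark performs on such a request can be reproduced by hand, which helps when auditing writes in a raw MS/TP capture. The Python below is an added example, not part of the original article or any Schneider Electric tool: it checks the MS/TP header and data CRCs and then decodes a WriteProperty request carrying a REAL value. The function names, the invoke ID and the priority in the sample frame are constructed for illustration.

```python
import struct

def header_crc(hdr):
    """MS/TP header CRC-8 (ASHRAE 135 Annex G), transmitted as ones' complement."""
    crc = 0xFF
    for b in hdr:
        c = crc ^ b
        c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7)
        crc = (c & 0xFE) ^ ((c >> 8) & 1)
    return ~crc & 0xFF

def data_crc(data):
    """MS/TP data CRC-16 (reflected polynomial 0x8408), transmitted low byte first."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return ~crc & 0xFFFF

def build_frame(ftype, dst, src, pdu):
    """Wrap an NPDU in an MS/TP frame; used only to construct the sample below."""
    hdr = struct.pack(">BBBH", ftype, dst, src, len(pdu))
    return b"\x55\xff" + hdr + bytes([header_crc(hdr)]) + pdu + struct.pack("<H", data_crc(pdu))

def decode_write_property(frame):
    """Return the WriteProperty request carried in one MS/TP frame, or None if there is none."""
    if len(frame) < 8 or frame[:2] != b"\x55\xff" or frame[7] != header_crc(frame[2:7]):
        raise ValueError("short frame, bad preamble or bad header CRC")
    ftype, dst, src, length = struct.unpack(">BBBH", frame[2:7])
    if ftype not in (5, 6):  # only BACnet data frames carry an NPDU (0-2 are token/poll traffic)
        return None
    pdu = frame[8:8 + length]
    if len(pdu) != length or frame[8 + length:10 + length] != struct.pack("<H", data_crc(pdu)):
        raise ValueError("truncated frame or bad data CRC")
    apdu = pdu[2:]  # skips NPDU version and control; routed NPDUs are not handled here
    if len(apdu) < 4 or pdu[1] & 0xA8 or apdu[0] >> 3 or apdu[3] != 15:
        return None  # not an unsegmented Confirmed-Request with service choice 15
    req = apdu[4:]  # context tags: [0] object id, [1] property id, [3] value, [4] priority
    if req[0:1] + req[5:6] + req[7:9] + req[13:14] != b"\x0c\x19\x3e\x44\x3f":
        raise ValueError("encoding outside this example (array index, non-REAL value)")
    obj, value = struct.unpack(">I", req[1:5])[0], struct.unpack(">f", req[9:13])[0]
    return {"src": src, "dst": dst, "invoke_id": apdu[2], "object_type": obj >> 22,
            "instance": obj & 0x3FFFFF, "property": req[6], "value": value,
            "priority": req[15] if req[14:15] == b"\x49" and len(req) > 15 else None}

# Constructed sample: AS (MAC 0) writes 100.0 to present-value (85) of Analog Value 1 on MAC 91.
SAMPLE = build_frame(5, 91, 0, bytes.fromhex("0104 00032a0f 0c00800001 1955 3e4442c800003f 4910"))
if __name__ == "__main__":
    print(decode_write_property(SAMPLE))
```

Object type 2 is Analog Value and property 85 is present-value; a frame that fails either CRC raises ValueError instead of being decoded.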

Filters which may be useful:

Capture Filters
udp port 47808                          BACnet/IP packets on UDP port 47808
udp port 47808 or udp port 47809        BACnet/IP packets on UDP port 47808 or 47809

Display Filters
bvlc || bacnet || bacapp                all BACnet packets
bacnet                                  BACnet NPDU packets
bacnet.mesgtyp                          BACnet Network Layer (router) packets
bvlc                                    BACnet/IP packets
bvlc.function == 0x0b                   BACnet/IP Broadcast packets
bacapp                                  APDU packets
bacapp.confirmed_service == 12          readProperty packets
bacapp.confirmed_service == 14          readPropertyMultiple
bacapp.confirmed_service == 15          writeProperty packets
bacapp.confirmed_service == 16          writePropertyMultiple
bacapp.confirmed_service == 1           confirmedCOVNotification
bacapp.confirmed_service == 5           subscribeCOV
bacapp.unconfirmed_service == 0         I-Am packets
bacapp.unconfirmed_service == 8         WhoIs packets
bacapp.unconfirmed_service == 2         unconfirmedCOVNotification packets
bacapp.unconfirmed_service == 3         unconfirmedEventNotification
bacapp.unconfirmed_service == 6         timeSynchronization

mstp.frame_type > 2                     exclude all token passing
mstp.frame_type > 127                   view all proprietary traffic
mstp.frame_type == 0                    only token passing
mstp.frame_type == 1                    only poll for master
mstp.frame_type == 2                    only poll for master responses
bacapp.instance_number == [BACnet ID]   all traffic from/to a specific ID
mstp.dst == [MAC address]               all traffic to a specific MSTP address
mstp.src == [MAC address]               all traffic from a specific MSTP address
ip.dst == [IP address]                  all traffic to a specific IP address
ip.src == [IP address]                  all traffic from a specific IP address

|| (between filters)                    combines above filters (or)
&& (between filters)                    combines above filters (and)

 

Also check out the BACnet-Capturing MS/TP Traffic Quick-Help video on the Exchange.

Revision 1 of 1, last updated 2018-09-10 10:33 PM