Issue
BACnet MSTP Wireshark capture
Product Line
EcoStruxure Building Operation
Environment
Schneider Electric StruxureWare Building Operation AS using MSTP for BACnet
Cause
Example of Wireshark capture and WriteProperty in MSTP
Resolution
Using Wireshark, a bacapp.confirmed_service == 15 filter is applied which shows only BACnet WriteProperty packets
Below is a screenshot of the Wireshark screen after applying the filter. I have Requests (REQ) and Acknowledgements (ACK) shown:
Below is a Request, and clarification on what is Requested. A third party Metz (address 91) device is requested from the AS (address 0) for Analog Value 1 to be 0.00
Below is a Request, and clarification on what is Requested. A third party Metz (address 91) device is requested from the AS (address 0) for Analog Value 1 to be a value of 100.00
Filters which may be useful:
| Capture Filters | |
| udp port 47808 | BACnet/IP packets on UDP port 47808 |
| udp port 47808 or udp port 47809 | BACnet/IP packets on UDP port 47808 or 47809 |
| Display Filters | |
| bvlc || bacnet || bacapp | all BACnet packets |
| bacnet | BACnet NPDU packets |
| bacnet.mesgtyp | BACnet Network Layer (router) packets |
| bvlc | BACnet/IP packets |
| bvlc.function == 0x0b | BACnet/IP Broadcast packets |
| bacapp | APDU packets |
| bacapp.confirmed_service == 12 | readProperty packets |
| bacapp.confirmed_service==14 | readPropertyMultiple |
| bacapp.confirmed_service == 15 | writeProperty packets |
| bacapp.confirmed_service==16 | writePropertyMultiple |
| bacapp.confirmed_service==1 | confirmedCOVNotification |
| bacapp.confirmed_service==5 | subscibeCOV |
| bacapp.unconfirmed_service == 0 | I-Am packets |
| bacapp.unconfirmed_service == 8 | WhoIs packets |
| bacapp.unconfirmed_service == 2 | unconfirmedCOVNotification packets |
| bacapp.unconfirmed_service==3 | unconfirmedEventNotification |
| bacapp.unconfirmed_service==6 | timeSynchronization |
| mstp.frame_type>2 | exclude all token passing |
| mstp.frame_type>127 | view all proprietary traffic |
| mstp.frame_type==0 | only token passing |
| mstp.frame_type==1 | only poll for master |
| mstp.frame_type==2 | only poll for master responses |
| bacapp.instance_number==[BACnet ID] | all traffic from/to a specific ID |
| mstp.dst==[MAC address] | all traffic to a specific MSTP address |
| mstp.src==[MAC address] | all traffic from a specific MSTP address |
| ip.dst==[IP address] | all traffic to a specific IP address |
| ip.src==[IP address] | all traffic from a specific IP address |
| || (between filters) | combines above filters (or) |
| && (between filters) | combines above filters (and) |
Also check out the BACnet-Capturing MS/TP Traffic Quick-Help video on the Exchange.
