Issue
When mstpcap.exe is used on its own to capture, it stops automatically after 65535 packets. Similarly, a capture run inside the Wireshark GUI stops if the dissector runs into a problem. This article shows how to capture BACnet MS/TP traffic continuously with TShark, using a ring buffer of files on disk so the capture can run for days without being attended.
Product Line
Andover Continuum, EcoStruxure Building Operation, TAC IA Series
Environment
- Wireshark
- Any BACnet MSTP RS-485 network
Cause
Analyze BACnet traffic via capture files.
Resolution
- Install Wireshark, making sure TShark is selected in the installer's component options (TShark is the command-line capture tool used below).
- Ensure Wireshark is installed with Npcap (the default), or that WinPcap has already been installed by IA Series Workplace Tech.
- Install mstpcap.exe referencing BACnet MSTP Capture Application. Ensure that mstpcap.exe has been configured for the correct port and baud rate. Here is an example for Command Prompt and PowerShell:
Command Prompt:
    cd "C:\Program Files\Wireshark\extcap"
    mstpcap.exe com3 38400
PowerShell:
    cd 'C:\Program Files\Wireshark\extcap'
    .\mstpcap.exe com3 38400
- Run tshark.exe -D to list the capture interfaces and find the one provided by mstpcap, so that it can be referenced by number (or by name). In this example the listing shows 9. COM3 (BACnet MS/TP on COM3), so interface 9 is used. Change the number in the commands below to the number shown on your machine; the number can differ from machine to machine and can change when adapters are added or removed.
- Start the TShark capture with the following command, updating it as needed. The commands below write Test01.pcap to the Desktop of the user named Username; choose a location the capturing user has permission to write to.
Command Prompt:
    cd "C:\Program Files\Wireshark"
    tshark.exe -i 9 -b duration:3600 -b files:72 -w "C:\Users\Username\Desktop\Test01.pcap"
PowerShell:
    cd 'C:\Program Files\Wireshark'
    .\tshark.exe -i 9 -b duration:3600 -b files:72 -w 'C:\Users\Username\Desktop\Test01.pcap'
Note:
- Change -i 9 to the number of the interface on the capturing machine, as listed by tshark.exe -D. The interface name (for example -i COM3) can be used instead of the number and does not shift when other adapters are added.
- Change -b duration to the rotation interval in seconds (3600 is one hour); TShark starts a new file each time the interval elapses.
- Change -b files to the number of files to keep in the ring buffer (72 is 3 days of 1-hour captures, 3x24). Once that many files exist, the oldest file is overwritten, so disk usage stays bounded.
- Change -w to the location and filename you choose. TShark appends a sequence number and a timestamp to the name of each ring-buffer file, so Test01.pcap becomes Test01_00001_<date><time>.pcap and so on. TShark writes pcapng format by default regardless of the .pcap extension; add -F pcap if a downstream tool requires classic pcap.
- Change \Username\ to your Windows user name if you want to save to that user's Desktop. The directory must already exist; TShark does not create it.
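The following PowerShell script is an added example for this article and is not code from Wireshark or from the BACnet mstpcap project. It ties the Resolution steps together: it resolves the mstpcap extcap interface by name from the tshark -D listing instead of hard-coding an interface number, creates the output folder, and starts the hourly ring-buffer capture. It assumes Wireshark is in its default folder, that mstpcap.exe is already in the extcap folder and configured for the port and baud rate as described above, and that tshark -D lists the interface in the form "9. COM3 (BACnet MS/TP on COM3)" as in the article; the port, folder and file names are placeholders to adjust.

```powershell
# Added example (not part of the original article or of the mstpcap project).
# Assumed: Wireshark in the default folder, mstpcap.exe already configured in
# the extcap folder, and "tshark.exe -D" listing the serial interface as
# "<n>. COM3 (BACnet MS/TP on COM3)".

$Tshark  = 'C:\Program Files\Wireshark\tshark.exe'
$Port    = 'COM3'                                     # RS-485 adapter used by mstpcap
$OutDir  = Join-Path $env:USERPROFILE 'Desktop\mstp-capture'
$Seconds = 3600                                       # rotate to a new file every hour
$Files   = 72                                         # keep 72 files: 3 days of hourly captures

if (-not (Test-Path $Tshark)) { throw "tshark.exe not found at $Tshark" }
# Create the destination first; tshark does not create missing directories.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# "tshark -D" prints one interface per line, e.g. "9. COM3 (BACnet MS/TP on COM3)".
# Interface numbers shift when adapters are added or removed, so resolve the name.
$listing = & $Tshark -D 2>$null
$line = $listing | Where-Object { $_ -match "\(BACnet MS/TP on $Port\)" } | Select-Object -First 1
if (-not $line) {
    throw "No 'BACnet MS/TP on $Port' interface in tshark -D output; is mstpcap.exe in the extcap folder?"
}
if ($line -notmatch '^\s*\d+\.\s+(\S+)\s') { throw "Unexpected interface line: $line" }
$Iface = $Matches[1]                                  # e.g. COM3

# Ring buffer: tshark appends a sequence number and timestamp to each file name
# (e.g. mstp_00001_20240102120000.pcap); once $Files exist the oldest is replaced.
# -F pcap forces classic pcap; tshark otherwise writes pcapng even with a .pcap name.
$OutFile = Join-Path $OutDir 'mstp.pcap'
Write-Host "Capturing $Iface to $OutDir ($Files files x $Seconds s), press Ctrl+C to stop"
& $Tshark -i $Iface -F pcap -b "duration:$Seconds" -b "files:$Files" -w $OutFile
if ($LASTEXITCODE -ne 0) { Write-Error "tshark exited with code $LASTEXITCODE" }
```

Run the script from a PowerShell window on the capturing machine and leave that window open; the capture ends when the window is closed or Ctrl+C is pressed. Because the interface is looked up by its description each time, the same script works on another machine whose mstpcap interface has a different number, as long as the adapter is still on the port named in $Port.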
Reference: tshark(1) Manual Page (wireshark.org)