Tool box Essentials: Using Wireshark to Troubleshoot BACnet IP Issues

Often when handling support issues I ask customers to take a Wireshark capture in order to help diagnose and isolate the root cause of networking issues. Most technicians I work with are already familiar with this free utility, but every once in a while I come across someone who isn't familiar with it at all or has only heard about it in passing from other techs. Wireshark is a free, open-source packet capture utility that can be used to analyze network traffic in general, and it includes functionality to capture and dissect BACnet packets right out of the box. I generally like to capture all network traffic and then filter down to only the packets I'm interested in, but a capture filter can be applied to the desired network interface before capturing begins to save on space. The following screenshot shows how to filter on the standard BACnet UDP port of 47808:

At this point it's important to note that Wireshark can only capture what the machine running it can see on the network. On a switched network, unicast traffic between two other hosts is not delivered to your NIC, so we recommend using a diagnostic switch (one that mirrors ports) in front of the device you're working with; this will copy all traffic going to and from that device to your machine, giving you a much better view of the traffic you are interested in.
Wireshark captures lots of data, even with a capture filter set on the interface. In the main window you can apply display filters to narrow this down to just the relevant packets based on many criteria: device IP address to focus on a specific device, the various BACnet services and commands, and BACnet network numbers and device IDs. Here is a table of some of the available capture and display filters for BACnet:

Capture Filters
  udp port 47808                          BACnet/IP packets on UDP port 47808
  udp port 47808 or udp port 47809        BACnet/IP packets on UDP port 47808 or 47809

Display Filters
  bvlc || bacnet || bacapp                All BACnet packets
  bacnet                                  BACnet NPDU packets
  bacnet.mesgtyp                          BACnet Network Layer (router) packets
  bvlc                                    BACnet/IP packets
  bvlc.function == 0x0b                   BACnet/IP Broadcast packets
  bacapp                                  BACnet APDU packets
  bacapp.confirmed_service == 12          BACnet ReadProperty packets
  bacapp.confirmed_service == 15          BACnet WriteProperty packets
  bacapp.unconfirmed_service == 0         BACnet I-Am packets
  bacapp.unconfirmed_service == 8         BACnet WhoIs packets
  bacapp.unconfirmed_service == 2         BACnet UnconfirmedCOVNotification packets

For a full list of the available filter fields, click on the "Expression…" button next to the display filter bar and drill down into the desired protocol and service.
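To make the fields behind those display filters concrete, here is an added example (my own code, not from the original article or from Wireshark) that parses the BVLC, NPDU and APDU headers of a BACnet/IP datagram and labels it the way the filters above do; the sample datagrams at the bottom are constructed by hand, not captured traffic, and the BVLC length check shows one malformation Wireshark would flag.

```python
# Added example, not from the original article: a minimal BACnet/IP header
# parser that labels a UDP payload the way the display filters above do
# (bvlc.function, bacnet.mesgtyp, bacapp.confirmed_service, ...).
import struct

BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
CONFIRMED = {12: "ReadProperty", 15: "WriteProperty"}
UNCONFIRMED = {0: "I-Am", 2: "UnconfirmedCOVNotification", 8: "Who-Is"}
NETWORK_MSG = {0x00: "Who-Is-Router-To-Network", 0x01: "I-Am-Router-To-Network"}

def classify(frame: bytes) -> dict:
    if len(frame) < 6 or frame[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC type 0x81) datagram")
    func, length = frame[1], struct.unpack("!H", frame[2:4])[0]
    if length != len(frame):               # BVLC length must cover the whole datagram
        raise ValueError(f"BVLC length {length} != datagram length {len(frame)}")
    info = {"bvlc": BVLC_FUNCTIONS.get(func, f"0x{func:02x}"), "broadcast": func == 0x0B}
    pos = 10 if func == 0x04 else 4        # Forwarded-NPDU carries a 6-byte origin address
    if frame[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = frame[pos + 1]
    pos += 2
    if control & 0x20:                     # DNET, DLEN, DADR present
        pos += 3 + frame[pos + 2]
    if control & 0x08:                     # SNET, SLEN, SADR present
        pos += 3 + frame[pos + 2]
    if control & 0x20:                     # hop count follows when DNET is present
        pos += 1
    if control & 0x80:                     # network-layer message: no APDU follows
        info["network_msg"] = NETWORK_MSG.get(frame[pos], f"0x{frame[pos]:02x}")
        return info
    pdu_type = frame[pos] >> 4
    if pdu_type == 0:                      # confirmed request: service follows invoke id
        svc = frame[pos + (5 if frame[pos] & 0x08 else 3)]   # +seq/window if segmented
        info["service"] = CONFIRMED.get(svc, f"confirmed {svc}")
    elif pdu_type == 1:                    # unconfirmed request: service is the next byte
        svc = frame[pos + 1]
        info["service"] = UNCONFIRMED.get(svc, f"unconfirmed {svc}")
    else:
        info["service"] = f"pdu type {pdu_type}"
    return info

SAMPLES = {  # hand-constructed datagrams (hex), not captured traffic
    "who_is_broadcast": bytes.fromhex("810b000c0120ffff00ff1008"),
    "i_am_unicast": bytes.fromhex("810a001401001000c4020000012201e09100210f"),
    "read_property": bytes.fromhex("810a001101040005010c0c02000001194d"),
    "who_is_router": bytes.fromhex("810b0007018000"),
    "forwarded_who_is": bytes.fromhex("81040012c0a80101bac00120ffff00ff1008"),
}
```

Running `classify` over a real capture's UDP payloads (for instance exported from Wireshark) gives the same grouping the filter table describes, and the ValueError path is where truncated or mis-lengthed BVLC frames surface.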

This is just a cursory introduction to Wireshark for BACnet technicians; it really is a very powerful tool to have handy when dealing with troublesome networks. See Steve Karg's article "Analyzing BACnet" for more in-depth information. Also recommended is the video from Optigo Networks, "Troubleshooting BACnet in Wireshark", for a good visual introduction.