Processing a forwarded wiretap

The ForwardingWiretap component sends each message captured on the MS/TP trunk to a specified IP address as a UDP datagram. The intent is to forward MS/TP packets from a controller to another IP device, so that a packet dissection tool (for example, Wireshark) can be used to investigate a network problem.
Prerequisites: You have added the ForwardingWiretap component to the MstpPort container in the Nav tree. You are an experienced Wireshark user.
Perform the following steps:
  1. To configure the ForwardingWiretap component, double-click it in the Nav tree.
    The ForwardingWiretap property sheet opens.
  2. Change the Address property to either the IP address of your computer or a broadcast address (only if the controller and the PC/laptop are on the same subnet, so that they share the same broadcast address).
    Your computer can now capture the forwarded BACnet messages from the MS/TP trunk with Wireshark. Because the component forwards them on a non-standard UDP port that no BACnet device uses, Wireshark does not recognise them as BACnet and must be told to decode them as BVLC (BACnet Virtual Link Control) messages. Otherwise, each packet shows up only as “Source Port: xxxx” and “Destination Port: yyyy,” which provides no useful information.
  3. To configure Wireshark, right-click one of the UDP (User Datagram Protocol) packets and click Decode As.

    A window opens in which you associate the destination port with a protocol.
  4. In the UDP port list, select the destination port you specified in the ForwardingWiretap properties, choose BVLC as the protocol to decode it as, and click OK.
    Wireshark now decodes the messages as BACnet APDUs (Application Protocol Data Units).

    The capture also contains quite a few ICMP (Internet Control Message Protocol) Destination Unreachable (Port Unreachable) messages. The PC’s TCP/IP stack generates one for each forwarded datagram because no process is listening on the destination port. In other words, this is the operating system’s way of telling the sender (the controller) that there is “nobody home.”

  5. Do one of the following:
    1. Ignore the messages.
    2. Set up a Wireshark display filter that omits the ICMP messages from the capture.
    3. Set up a process to listen for these incoming messages and discard them.
    4. Set up the forwarder to send the messages to a broadcast address.
      Configure sending to the broadcast address with care, as every device on the network receives the messages sent by the forwarder.
      CAUTION: Do not forward messages to UDP port 47808 (0xBAC0) or to any other UDP port on which real BACnet devices may be listening. The forwarded messages are properly formatted BACnet messages and could command an unintended object to an unintended value.
    Stripping out the ICMP messages leaves only the BACnet messages from the MS/TP trunk.
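Option 3 of step 5 (a process that listens on the forwarding port and discards what arrives), as an added example that is not part of the original page or of the ForwardingWiretap component's own code. Once a socket is bound to the port, the PC's stack stops answering each datagram with ICMP Port Unreachable, so the capture shows only BACnet traffic without any filter. Before a datagram is discarded, the sink checks that it is a well-formed BVLC/NPDU/APDU frame and reports the APDU type and service, which is a quick way to confirm that the forwarder is configured as expected. The port number 47809 and the two sample datagrams are assumptions made for this example; use the port you configured on the component.

```python
# Added example, not part of the original page or of Niagara's own ForwardingWiretap
# code. It implements step 5, option 3: a process that owns the forwarding port and
# consumes the datagrams, so the PC's stack stops answering each one with ICMP Port
# Unreachable. Each datagram is checked as a BVLC/NPDU/APDU frame before it is
# discarded. FORWARDING_PORT is an assumed value; use the port you configured.
import socket

FORWARDING_PORT = 47809                 # assumed; any free UDP port except 0xBAC0
BACNET_WELL_KNOWN_PORT = 47808          # 0xBAC0: real BACnet/IP devices listen here
BVLC_TYPE_BACNET_IP = 0x81
BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU",
                  0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
APDU_TYPES = {0: "confirmed-request", 1: "unconfirmed-request", 2: "simple-ack",
              3: "complex-ack", 4: "segment-ack", 5: "error", 6: "reject", 7: "abort"}


def parse_bvlc(d: bytes) -> dict:
    """Decode the BVLC header, the NPDU header and the APDU type/service of one
    datagram. Raises ValueError for anything that is not a well-formed BACnet/IP frame."""
    try:
        if len(d) < 4 or d[0] != BVLC_TYPE_BACNET_IP:
            raise ValueError("not a BVLC (0x81) frame")
        function, length = d[1], int.from_bytes(d[2:4], "big")
        if length != len(d):
            raise ValueError(f"BVLC length {length} != datagram length {len(d)}")
        if function not in BVLC_FUNCTIONS:
            raise ValueError(f"BVLC function 0x{function:02x} carries no NPDU")
        # Forwarded-NPDU carries the originating B/IP address (6 bytes) before the NPDU.
        npdu = d[10:] if function == 0x04 else d[4:]
        if npdu[0] != 0x01:
            raise ValueError("NPDU version must be 1")
        control, pos = npdu[1], 2
        info = {"bvlc_function": BVLC_FUNCTIONS[function],
                "expecting_reply": bool(control & 0x04)}
        # Optional destination (bit 5) and source (bit 3) specifiers: NET, LEN, ADR.
        for flag, net, adr in ((0x20, "dnet", "dadr"), (0x08, "snet", "sadr")):
            if control & flag:
                alen = npdu[pos + 2]
                info[net] = int.from_bytes(npdu[pos:pos + 2], "big")
                info[adr] = npdu[pos + 3:pos + 3 + alen].hex()
                pos += 3 + alen
        if control & 0x20:              # hop count is present only with a DNET
            info["hop_count"] = npdu[pos]
            pos += 1
        if control & 0x80:              # network-layer message: no APDU follows
            info["network_message_type"] = npdu[pos]
            return info
        apdu = npdu[pos:]
        apdu_type = apdu[0] >> 4
        info["apdu_type"] = APDU_TYPES[apdu_type]
        if apdu_type == 0:              # flags, max-resp, invoke-id, [seq, win], service
            segmented = bool(apdu[0] & 0x08)
            info["invoke_id"] = apdu[2]
            info["service"] = apdu[5 if segmented else 3]   # 12 = readProperty, 15 = writeProperty
        elif apdu_type == 1:            # type, service (8 = who-Is, 0 = i-Am)
            info["service"] = apdu[1]
        elif apdu_type in (2, 3, 5):    # invoke-id, [seq, win], service
            segmented = apdu_type == 3 and bool(apdu[0] & 0x08)
            info["invoke_id"] = apdu[1]
            info["service"] = apdu[4 if segmented else 2]
        else:                           # segment-ack, reject, abort: invoke-id only
            info["invoke_id"] = apdu[1]
        return info
    except IndexError:
        raise ValueError("truncated datagram") from None


def udp_sink(port=FORWARDING_PORT, host="0.0.0.0", max_packets=None, timeout=None):
    """Own the forwarding port and consume datagrams (ICMP Port Unreachable stops as
    soon as the socket is bound). Yields (source, decoded) tuples; malformed datagrams
    are yielded with an "error" key rather than dropped silently."""
    if port == BACNET_WELL_KNOWN_PORT:
        raise ValueError("refusing to bind 0xBAC0: real BACnet/IP devices listen there")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.settimeout(timeout)
        sock.bind((host, port))
        seen = 0
        while max_packets is None or seen < max_packets:
            try:
                datagram, source = sock.recvfrom(2048)
            except socket.timeout:
                break
            seen += 1
            try:
                yield source, parse_bvlc(datagram)
            except ValueError as exc:
                yield source, {"error": str(exc), "raw": datagram.hex()}


# Constructed sample datagrams (hand-assembled for this example, not captured):
# confirmed ReadProperty(device 1 / present-value), unicast, invoke-id 1, reply expected
SAMPLE_READ_PROPERTY = bytes.fromhex("810a0011" "0104" "0005010c" "0c02000001" "1955")
# unconfirmed Who-Is, broadcast to all networks (DNET 0xFFFF), hop count 255
SAMPLE_WHO_IS = bytes.fromhex("810b000c" "0120ffff00ff" "1008")

if __name__ == "__main__":
    for source, info in udp_sink():     # runs until interrupted
        print(source, info)
```

The sink refuses to bind UDP port 47808 for the same reason the caution above gives for forwarding to it: a process on that port would look like a BACnet/IP device to the rest of the network. If you prefer to stay inside Wireshark, the equivalent of options 2 and 3 on the command line is `tshark -i <interface> -d udp.port==47809,bvlc -Y bvlc`, where `-d` performs the Decode As step and the `bvlc` display filter hides the ICMP messages.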