We often have people ask us how to create a packet capture, or pcap file, to use in Visual BACnet. While any pcap should give you some insight into your network, there are some best practices that vary depending on what you are trying to discover.
Capture duration
The optimal duration depends on the intended use of the pcap file.
To get a general system health check, perhaps after commissioning or before starting a job or for regular audits, we recommend a minimum of a one-hour capture.
Once a problem is identified, shorter captures can be used to troubleshoot. By initially looking at the longer pcap, you should be able to identify the cause or the frequency of the problem, or the time of day during which it occurs. Use this information to capture a pcap that is five to 20 minutes long, to see if your work fixed the problem and increased the network health. In some cases, it may be good to force a command/action during the capture period to ensure the fix is applied correctly (e.g. confirm reply on read-property is no longer an error).
| Intended use of Visual BACnet | Recommended capture length |
| General system health check | 1 hour |
| Troubleshooting and validating fix | 5-20 minutes |
Capture location
Run Wireshark on the Building Management System, or BMS. This will ensure that you get a complete system-level view of the Building Automation System. All global broadcast messages, communication with the BMS and general network traffic will be captured.
As a secondary step, you can also perform captures on each individual MS/TP network. This will capture all MSTP traffic between controllers and devices that may not be seen by the BMS and higher level network. Analyzing this capture in Visual BACnet will expose any problems arising from token passing. Learn how to capture MS/TP traffic.
Note that some BMS and controllers include a packet capture feature, which are much easier to use and require no additional software or hardware. Please ensure the capture file has an extension of .cap or .pcap or .pcapng. If it does not by default, append a .cap before uploading to Visual BACnet.
Capture Filters
In most cases, we suggest not using any capture filters. Visual BACnet also shows non-BACnet communications, so leaving it in the capture is helpful to get a comprehensive view of your network. When you upload your file to Visual BACnet, you will be able to see how many BACnet packets are in the file, and what percentage of the traffic is BACnet.
If large amounts of network traffic are bloating the file or there are privacy concerns, Wireshark can be configured to capture only BACnet traffic. This will slightly lower the quality of the overall analysis because it will not be possible to identify spikes in general network traffic that are affecting the BAS system. If you would like to do this, watch this video to find out how.
Capture Activities
A capture file will only contain packets from devices that communicate during the network capture window. It is possible that some devices may exist but be dormant on the network. In order to generate a list of all devices and networks, a Global Who-Is can be triggered on the system.
If you would like to see all of your devices and networks, trigger a Global Who-Is from the BMS. Some BMS software can induce a Global Who-Is on the system. In other cases, a Global Who-Is can be triggered by resetting the BMS.
If you are using Visual BACnet for a particular problem, ensure that the action or commands triggering the problem occur during the capture period. If you know exactly what is the BACnet command that triggers the error/problem, use the detailed graphs (e.g. Traffic by Source Destination Type) to visualize the impact on the traffic. Now drag and drop your PCAP file into Visual BACnet and find out how your system is doing!
