BACnet MS/TP Wireshark Live Capture

Wireshark 2.0 brought some new features, including extcap.  Extcap allows an external application to capture packets and move them into Wireshark via a pipe.  It is the perfect feature for serial packets, such as BACnet MS/TP on RS-485, which don’t have a network interface.

How does it work?  After installing Wireshark 2.0 or later, find the Extcap folder on your computer.  The folder path is listed under the Help > About > Folders menu option.

[Screenshot: Help > About > Folders dialog]

Copy mstpcap.exe into the Extcap folder (create the folder if it doesn’t exist).

[Screenshot: Program Files\Wireshark\extcap folder]

Run Wireshark, and notice the new BACnet MS/TP Interfaces associated with each serial port.

[Screenshot: Wireshark interface list]

Adjust the MS/TP Baud Rate for the particular interface.

[Screenshot: MS/TP interface settings]

After selecting the interface, start or stop a capture using the Capture > Start or Capture > Stop options.

[Screenshot: BACnet MS/TP on COM6, Capture > Start]
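To show what an extcap program such as mstpcap has to provide behind the scenes, here is an added Python example (not code from the bacnet-stack project): the --extcap-config answer that becomes the "MS/TP Baud Rate" setting, MS/TP frame delimiting with the ASHRAE 135 Annex G header CRC, and the pcap framing written to the fifo Wireshark hands the tool. The extcap option syntax follows Wireshark's extcap interface; the baud rate list and any sample frames are constructed.

```python
"""Building blocks of an extcap capture tool for BACnet MS/TP (added example)."""
import struct

LINKTYPE_BACNET_MS_TP = 165      # libpcap link-layer type for raw MS/TP frames
BAUD_RATES = (9600, 19200, 38400, 57600, 76800, 115200)   # constructed list
PREAMBLE = b"\x55\xff"

def extcap_config_lines(default=38400):
    """Answer to --extcap-config: Wireshark renders it as the 'MS/TP Baud Rate' setting."""
    lines = ["arg {number=0}{call=--baudrate}{display=MS/TP Baud Rate}"
             f"{{type=selector}}{{default={default}}}"]
    lines += [f"value {{arg=0}}{{value={b}}}{{display={b}}}" for b in BAUD_RATES]
    return lines

def header_crc(data, crc=0xFF):
    """MS/TP header CRC-8 (ASHRAE 135 Annex G.1); the byte on the wire is ~crc."""
    for byte in data:
        c = crc ^ byte
        c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7)
        crc = (c & 0xFE) ^ ((c >> 8) & 1)
    return crc

def split_frames(stream):
    """Cut raw RS-485 bytes into whole MS/TP frames (55 FF, type, dst, src, 2-byte
    length, header CRC, then data + 2-byte data CRC if length > 0). Bad-CRC headers
    are skipped; a trailing partial frame is left for the next read."""
    frames, i = [], 0
    while (i := stream.find(PREAMBLE, i)) != -1:
        hdr = stream[i + 2:i + 8]
        if len(hdr) < 6:
            break
        if header_crc(hdr) != 0x55:           # a valid header leaves residue 0x55
            i += 1
            continue
        length = int.from_bytes(hdr[3:5], "big")
        end = i + 8 + (length + 2 if length else 0)
        if end > len(stream):
            break
        frames.append(stream[i:end])
        i = end
    return frames

def pcap_global_header():
    """Classic pcap file header (DLT 165), written once to the extcap fifo."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_BACNET_MS_TP)

def pcap_record(frame, sec=0, usec=0):
    """One pcap record header plus the raw frame, one per captured MS/TP frame."""
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
```

In the real tool the --capture mode reads the serial port at the chosen baud rate, runs the bytes through split_frames, and writes pcap_global_header() once followed by one pcap_record() per frame to the --fifo path Wireshark supplies.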

About skarg

I write software for a living. So, I dedicated some web space for some stuff that I have worked on. I mostly write embedded C for PC based controllers, but I have dabbled in a few other areas as well.
This entry was posted in BACnet.

8 Responses to BACnet MS/TP Wireshark Live Capture

  1. Ed says:

    Hi Steve,

    I’m using the mstpcap.exe file as you outline in this post, but I seem to be having an issue where Wireshark stops capturing around 1600 total packets.

    Also, I get the following error message when I stop a capture:

    http://i.imgur.com/c1o9brg.png

    I’m using Wireshark 2.2.1, 64-bit on Win7, SP1 and capturing packets at 76.8k. Is there a setting that I should adjust for this?

    Thanks!

  2. skarg says:

    Indeed, Wireshark 2.1.x seems to have introduced a console window inhibitor that doesn’t tolerate the printed characters emitted to stdout. Please use Wireshark 2.0.x for now until I release an updated mstpcap. The fix, completed and tested at BACnet North American Plugfest 2016, is currently only in Subversion.

  3. Ed says:

    Using Wireshark 2.0.7 with mstpcap works well. Thanks for putting this together, Steve. Do you plan on doing a similar walkthrough for capturing MS/TP traffic in Linux by chance?

  4. Natsuko Takahashi says:

    I used 2.0.7 with mstpcap as well, but I can’t seem to find the interface for changing the baud rate. It seems to be fixed to 38400, and that’s all I can use to capture. Any idea why I’m not seeing this interface? Maybe I missed installing some features during the installation process?

  5. Natsuko Takahashi says:

    P.S.: I forgot to say the most important thing: thank you very much for this forum, it’s very helpful.

  6. skarg says:

    In the GTK version of Wireshark, double click on the interface name to pop up the baud rate dialog. In the QT version of Wireshark, there is a tiny gear icon next to the interface name that pops up the baud rate dialog.

  7. Julio Cortes says:

    Steve,

    It works great with Wireshark version 2.0.7. Thank you, Sir.

  8. skarg says:

    The Linux version of mstpcap with extcap functionality is completed, but currently resides only in Subversion. You can download a tarball snapshot here:
    https://sourceforge.net/p/bacnet/code/HEAD/tarball?path=/trunk/bacnet-stack
