Wireshark 2.0 brought some new features, including extcap. Extcap allows an external application to capture packets and move them into Wireshark via a pipe. It is the perfect feature for serial packets, such as BACnet MS/TP on RS-485, which don’t have a network interface.

How does it work? After installing Wireshark 2.0 or later, find the Extcap folder on your computer. Its location is listed under the Help > About Wireshark > Folders menu option.

Copy mstpcap.exe into the Extcap folder (create the folder if it doesn’t exist).

Run Wireshark, and notice the new BACnet MS/TP Interfaces associated with each serial port.

Adjust the MS/TP Baud Rate for the particular interface.

After selecting the interface, start or stop captures using the Capture > Start or Capture > Stop options.

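To show what Wireshark asks of any program it finds in the Extcap folder, here is a minimal sketch of the extcap handshake and the pcap stream written into the pipe. It is an added example, not mstpcap's source; the interface name `demo_mstp` and the sample frame bytes are assumptions made up for illustration.

```python
import argparse, struct, sys, time

LINKTYPE_BACNET_MS_TP = 165   # pcap link-layer type for BACnet MS/TP
IFACE = "demo_mstp"           # hypothetical interface name (assumption)
SAMPLE_FRAME = bytes.fromhex("55ff000102000000")  # constructed placeholder bytes, not a checked MS/TP frame

def list_interfaces():
    """Reply to --extcap-interfaces: one line per interface Wireshark should show."""
    return ("extcap {version=1.0}\n"
            f"interface {{value={IFACE}}}{{display=Demo BACnet MS/TP source}}\n")

def list_dlts():
    """Reply to --extcap-dlts: the link type the capture stream will carry."""
    return (f"dlt {{number={LINKTYPE_BACNET_MS_TP}}}"
            "{name=BACNET_MS_TP}{display=BACnet MS/TP}\n")

def pcap_global_header(linktype, snaplen=65535):
    """24-byte little-endian pcap file header that must open the stream."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def pcap_record(frame, ts=None):
    """Per-packet header (seconds, microseconds, captured len, wire len) + data."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    return struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame

def capture(fifo_path, frames):
    """Write the pcap stream into the pipe Wireshark created for this capture."""
    with open(fifo_path, "wb") as fifo:
        fifo.write(pcap_global_header(LINKTYPE_BACNET_MS_TP))
        for frame in frames:          # a real tool would read these from the serial port
            fifo.write(pcap_record(frame))
            fifo.flush()

def main(argv):
    p = argparse.ArgumentParser(allow_abbrev=False)
    for flag in ("--extcap-interfaces", "--extcap-dlts", "--extcap-config", "--capture"):
        p.add_argument(flag, action="store_true")
    p.add_argument("--extcap-interface")
    p.add_argument("--fifo")
    args, _ = p.parse_known_args(argv)  # ignore options this sketch does not use
    if args.extcap_interfaces:
        sys.stdout.write(list_interfaces())
    elif args.extcap_dlts:
        sys.stdout.write(list_dlts())
    elif args.extcap_config:
        pass                             # no configurable options in this sketch
    elif args.capture and args.fifo and args.extcap_interface == IFACE:
        capture(args.fifo, [SAMPLE_FRAME])
    else:
        return 1
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Because Wireshark runs every executable in the Extcap folder with these arguments at startup, treat that folder like any other location for trusted binaries: copy in only tools from a source you trust and keep it writable by administrators only.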