October 2009 Newsletter

CAS Newsletter October 2009



Trouble Shooting BACnet IP / Ethernet


Required tools:



 #1: You might not capture the traffic if you don’t use a hub. Read the article on hub and switches to understand why. http://www.chipkin.com/articles/hubs-vs-switches-using-wireshark-to-sniff-network-packets


#2: You can select the packets you capture to reduce log file size by defining a capture filter before you start the capture. We suggest you avoid this. If you are short of space you can select which packets you save.


#3: You can select which packets you view from the total log by defining a display filter.



#4: You can select which packets to save in the log files.



#5: You can search for particular packets.



How to Capture with Wireshark


1. Capture – Main Menu


2. Interfaces – On Capture Menu

a. You get a list of network adapters. Pick the one connected to the network of interest. Its probably not the wireless adapter. Most often it’s the adapter with the packet count increasing

b. Select the Start button or

c. Select the options button to define a capture filter. Define the filter and click start.


3. A list of packets accumulates on the screen.

4. Apply a Display Filter. More on display filters later. For now simply type bacnet into the filter field and click apply.

5. Find the packet you are interested in. Click on it to select it. A breakout of the selected packet’s data is shown below the packet list.

6. You can break out the level of detail by expanding the sections of the packet.

Think of a bacnet packet as a letter you send to a bacnet device. When you take it to the bacnet post office. The clerk says he does not understand the address. He passes it to the UDP clerk. The UDP clerk takes your letter and puts it in a bigger envelope. He addresses the envelope with a UDP address. He passes it to the IP post office clerk. The IP clerk takes your letter and puts it in a bigger envelope. He addresses the envelope with an IP address. He passes it to the Ethernet post office clerk. The Ethernet clerk takes your letter and puts it in a bigger envelope. He addresses the envelope with a hardware address and sends it to that computer. When it arrives the process is reversed until finally the contents are passed to the bacnet application.

Ethernet packets contain packets from other higher level protocols nested inside each other. You drill down to see the detail you want.

In the example below you can see the bacnet packet nested inside a UDP (User Datagram Protocol) which is nested inside an IP protocol packet which is in turn nested inside an Ethernet packet. Drilling down into the Bacnet packet you can see the concept is carried even further. The bacnet service is a write to analog input #1. That is wrapped up with some information about the device – the device number and network number is contained inside the NPDU.

7. Drill down to see the BACnet info


How to Select (Filter) What you Capture with Wireshark


Before you start a capture you can specify a capture filter. The effect of the filter is to prevent all packets being captured. Doing this can save space when you save the log and it might make it easier to find the packets you are interested in. However, there is some risk that you might filter out the packets of interest.


For example, a BACnet device might not operate correctly because it is being hammered with packets from another protocol being sent incorrectly to the BACnet device. Our advise is to capture as much as possible and then filter what is displayed.

Here are some sample filters

Capture only traffic to or from IP address


Capture only traffic to or from IP address but exclude all FieldServer RUINET messages

host and port not 1024

Capture traffic to or from a range of IP addresses:



net mask

Capture traffic from a range of IP addresses:

src net


src net mask

Capture traffic to a range of IP addresses:

dst net


dst net mask

Capture only bacnet traffic: Assumes every device is compliant and is using the standard port.

port 47808


Wireshark – How to find the packets you are looking for

Useful Hint

Its easy to sort packets by source or destination IP, Click the column headings.




You can mark, packets you find interesting. Then later you can save, display or print the marked packets.



Searching :

The problem is that you can only specify one text string and hence you can only specify one search criteria. For example in the search below, all packets that contain the string = ‘analog object (1)’ will be found irrespective of the device, ip address ..etc.

Some Useful Search Strings


objectIdentifier: analog-input object, 1

objectIdentifier: analog-output object, 11

objectIdentifier: binary-input object, 10041

objectIdentifier: binary-output object, 45


Wireshark – Display Filtering

Useful HintIt’s easy to sort packets by source or destination IP, Click the column headings.



You can use the expression builder to build selection criteria for filters.


Looking for failures:

Try this search string. Type5 are errors, Type6 are Reject messages and type 7 are abort messages.

bacapp.type == 5 || bacapp.type == 6 || bacapp.type == 7


Looking for messages which specify particular objects types:

Try these search strings. 0=AI, 1=AO, 2=AV, 3=BI, 4=BO, 5=BV, 6=Calendar Object, 7=Command Object, 8=Device Object, 9=Event Enrollment, 10=File, 11=Group, 12=Loop, 13=MI, 14=MO,17=Schedule,19=MV, 20=Trend Log

bacapp.objectType == 0


Looking for a particular Object: In this example all messages which reference AI(1) are listed.

bacapp.instance_number == 1 && bacapp.objectType == 0

Looking for messages to/from particular devices

ip.addr == Sent to/Sent From

ip.dst_host == “”

ip.src_host == “”


You can use the expression builder to build filter expressions



From the drop down list of protocols there are two specifically related to BACnet. They are shown below


Trouble Shooting BACnet MSTP


One badly behaved device on a MSTP trunk can cause a collapse in performance.


To understand why consider this one example of what can go wrong. RS485 is s shared trunk. When two devices transmit at the same time this causes a collision. In simple terms think of the messages interfering with each other and corrupting each other so neither message is recognizable. To prevent this happening and to allow for multiple master on a network, BACnet has chosen a token based system. Only devices with the token can initiate a message transaction. To keep things running smoothly, BACnet has some demanding timing requirements. For example, a device passes the token on. The receiving device has 15msec to use the token. Lets say it responds in 18msec. During that interval, the original device doesn’t see the token being used so it send the token again. As it sends it, the 2nd device uses the token (3 msec late). Now the messages from the 1st and 2nd device clash. The 2nd device thinks it has the token and starts to use it. The 1st device thinks the token got lost and starts to poll for a new master. Messages clash, causing contention and eventually both devices recover to a valid state using the protocol rules. These rules require waiting various timeout periods. All the waiting, collisions and recovery waste time and bandwidth. If this happens often (as it will because one device doesn’t meet the spec) then you can lose significant bandwidth.




Capture Traffic using USB-485 converter

Use a tool like BACspy


Use Hyperterminal

Analyze Traffic

Use a tool like BACspy online or Offline


Perform a manual analysis



Configure HyperTerminal

Select the COM port which corresponds to your USB converter

Set the Baud Rate correctly

Set the other parameters as shown


Capture to File

Use this menu to start and stop the capture



As the messages are captured you will see these non-human readable characters fill the screen.

Inspect the captured data before you leave site to see if it usable.

You need a viewer capable of displaying the hex bytes. Here is a free download and hex viewer. Open the log file.

To ensure you captured useful data look for messages that begin 55 FF. All BACnet MSTP messages begin with the same codes.

If you don’t see any then this may mean you captured at the wrong baud rate or some other setting is wrong. It is also possible that there is no BACnet communication.



You can use the CAS BACspy tool

BACspy automates this process of capture and analysis.


Power Over Ethernet

POE is a technology that provides electrical power to a Powered Device using conductors in a CAT5 cable. Power is delivered by means of a DC voltage and maximum current rating. Typical Power Sourcing Equipment devices are network switches.


Even though there is a standard (IEEE 802.3af) there are a number of factors you should watch for as this technology emerges and evolves because as usual the devil is in the details.


Check for IEEE 802.3af standard compliance on data sheets. A number of products don’t comply with the standard. “If you are merely a consumer, any IEEE 802.3af compatible device will work with any other. If your PoE devices are not IEEE 802.3af compliant, best stick with one brand, or at least with PoE devices known to be compatible with your favorite brand.”




Powered Devices (PD)

The device being powered.

Power Sourcing Equipment (PSE)

The device supplying the power

Endspan PSE

Also known as POE Switches. The switch (or other network endpoint) supplies the power.

Midspan PSE

The Power is injected onto the cable outside of the network end point. You use Midspan PSE’s when you are using a standard switch with no POE capability but you want the Ethernet cable to carry the power to the field device. You thus inject power at a ‘midpoint’


This jargon term is used to define whether power is carries on the data lines or the spare line. The PSE determines the mode. The standard requires that PD’s support both modes. The PSE may not activate both modes at the same time.

Mode A

The data lines also carry the power.

Mode B

Spare or non-data lines carry the power.

POE Power Class

A term that describes the amount of power supplied. The PSE sets the class based on how the PD signals it for power. During the start up phase, the PD draws a specific amount of current. This tells the PSE what class to operate at.

Class Power In Watts Classification Current mA
0 0.44 to 12.95 <5
1 0.44 to 3.84 10.5
2 3.84 to 6.49 18.5
3 6.49 to 12.95 28
4 Reserved 40

POE Powering Stages

A PSE must never send power to a device that does not expect it. For this reason power is not simply applied when a connection is made. Rather the PSE progresses through these powering stages.



PSE probes the device to see if it is 802.3af compliant by looking for a signature impedance of 25kOhm using a voltage of between 2.7 and 10V. If the signature is not seen then the process terminates and no power is supplied. The Signature stage restarts when cable is reconnected.



PSE supplies a voltage and the PD draws a specific current. Based on the current draw the PSE determines the power class to be supplied.



The PD starts up as the supplied voltage reaches a level sufficient for the device to operate normally.


Normal Operation or Disconnect

If you remove the cable the PSE stops supplying power. Reconnection means that the powering stages begin again with the signature stage. If the PD stops using the supplied power (draws less than 10mA for 400mSec) the PSE stops applying power returns to the signature stage.


Watch Out for

Heat Dissipation

Two Issues – hotter cables and hotter switches

Some of the power supplied will be lost as heat in the CAT5 cable. Heat degrades the insulation (at best) or causes fires at worst. Based on the 802.3af spec the TIA permits a max of 100 CAT5 POE cables to be bundled together. Thus is based on the spec of 350mA. There are devices that can supply more current and hence the heat issue becomes more pronounced.

The POE switches will draws more power and hence dissipate more heat from internal losses.



The POE standard does not specify which lines will carry the positive voltage and which will carry the negative voltage. If the PD meets the POE spec there are no issues. If it doesn’t then you could end up with a polarity reversal and damage.


Multi Mode Cat5

Some device use non-data lines in the CAT5 cable for other purposes such as voice. If such a device was connected to a PSE that doesn’t meet the POE standard then it could be supplied a voltage it doesn’t expect and this could cause damage.


Connecting non POE devices

Not an issue of the PSE meets the standard because it won’t apply power unless the field device presents the correct signature. If it doesn’t meet the spec, power could be applied continuously which means the the non POE field device could see a voltage that it wasn’t designed for and this could cause damage.


Voltage Level

Different vendors have implemented POE at different voltage levels. These PSE’s are non standard.


Cisco 48V

Intel 12V or 24V

Symbol 12V or 24V

Apple 48V

International Household Electricity Prices














South Africa




United States


Source: The International Energy Agency


Submit any related pictures to us.

2009 Chipkin Automation Systems – bacnet@chipkin.com
BACnet is a registered trademark of ASHRAE.
If you liked this post;
  • Please consider subscribing to our RSS feed