Troubleshooting BACnet in Wireshark

Captions
Hello everyone, my name is Ping with Optigo Networks. Thank you very much for watching this video. We had a wonderful webinar today with Steve Karg on troubleshooting BACnet in Wireshark. Instead of broadcasting the entire one-hour webinar, we are creating a small highlight version, a 10-15 minute video capturing everything that we did and a few of the major questions that were asked. So enjoy; for everyone who joined the webinar, thank you very much; anyone who missed it, enjoy this video, and don't hesitate to reach out with any questions.

A quick note about Optigo Networks: we're a company based in Vancouver, Canada, and we develop specialized networking products for the building controls industry. One product we develop, Visual BACnet, is very relevant to troubleshooting BACnet using packet captures. We had the luxury and the honor to have Steve Karg join us on this webinar. Steve Karg is a long-term volunteer and contributor to BACnet International and the open-source BACnet stack, and one of the original authors of the BACnet dissector for Wireshark, so it was really wonderful to have Steve, and thank you again to Steve for his great help. We are going to look at how to capture BACnet packets, isolating BACnet traffic and so on, and I'll cover a few of the questions that were asked at the webinar. Let's jump right into it.

To capture with Wireshark, one of the questions we asked Steve is where we should run Wireshark. The recommendation is to run it on the BMS workstation, on a controller, or on a hub if you have access to one, and if you don't, if you have a managed switch, use the monitoring port, or span port, sometimes also called a mirror port, which allows you to capture every packet going through that switch. This will give you full visibility of all the traffic that's happening. Steve also recommended that if you have an idea where the problem may arise, run the capture on that device or controller if it's capable of doing it, or put a tap in between. If it's an MS/TP link, there are tools out there that allow us to tap into the MS/TP wires, connect right into it and capture the MS/TP frames; Wireshark does allow that, especially version 2.0 and above.

So when we run Wireshark, this one is already running, but if you were to capture the frames, you just go to Start and select the interface you want. A quick trick if you want Wireshark to capture just BACnet frames: you can put in a capture filter that specifies a port range, or the port that BACnet uses. Traditionally, or most of the time, BACnet will use port 47808, and the standard allows it to go all the way to 47823. If you want to capture it all you can use this little filter here, udp portrange 47808-47823. In some cases you will use non-standard BACnet ports, and this is where you can adjust it to capture those packets.

All right, so once it's captured with Wireshark and you create a pcap file, a packet capture file, open it, and this is where you'll do all this filtering and manipulation to help you understand where the problems are. In this case this pcap file was provided to Steve a long time ago by a user who claimed he saw some anomalies on the network, maybe some flooding, some delays, some problems there. For everyone's understanding, we scrubbed this file to remove any sensitive information, so it is anonymized: the IP addresses and the MAC addresses are not from the original file.

So the first recommended thing to do is to take a look at how many BACnet frames you may have. One way to do it is to use the filter bacnet; this will capture every frame with a BACnet section. bacapp, in case there's no bacnet section but only the BACnet application layer attached to the frame. And Steve also recommended looking at bvlc for the IP layer encapsulation. So once you've typed in all three of them with the double vertical bars, also called pipes, hit enter; this will filter, leaving you only the BACnet frames. If you look at the bottom of your screen you'll see there are about 9,700 BACnet packets.

So again, the user came to Steve and suspected there may be some flooding here, so let's take a look at how many of these frames are broadcast frames. An easy way to do that is to put parentheses around this and add that you only want the broadcast range. A broadcast frame will always have the Ethernet address ff:ff:ff:ff:ff:ff; we use a double equals. This will give you all the broadcast BACnet frames, so you see a large majority of them are broadcast BACnet frames, 9,600 compared to 9,700.

Another trick in Wireshark: you can pull down, go to Statistics, pull down Conversations, and this will show you... you can select whether you want to look at the Ethernet layer or the IP layer. One important thing is to click "Limit to display filter"; it will take into account the filter that you just used in Wireshark. Then you can sort, and this will give you a very quick look at what the most chatty pairs are. You can see here, because we filtered only broadcast frames, Address B will always end with .255, which means broadcast, and this is evidence. Go to Ethernet again, you see the second address, the destination address, will always be a broadcast, broadcast on Ethernet. So again this just gives you an idea of which devices are chattiest, so in this particular one the device ending in 22:33 is your chattiest device; if you go to IPv4 this gives you the IP version of it, 192.168.242.118.

All right, let's move on. Let's think about one of the most impactful frames in BACnet, the Who-Is. Who-Is frames are essential to BACnet systems, but they're broadcasts; they go everywhere and can create an incredible amount of flooding traffic, really inundate your network system, causing delays, performance issues and so on. So let's look at only Who-Is frames. Steve and his team, many years ago, created an amazing dissector for Wireshark that is now what we're using. So if you want to just look at Who-Is frames: Who-Is is an unconfirmed service, so you can type it in, or I'll show you another way to do it. You can go here to Expressions and build it out using a GUI, a lot easier to do. So bacapp, the application layer; pull it down and it will show you every available field you can use as a filter. In this case we're going to look for unconfirmed service and choose Who-Is, which by the way you can see is 8: if you go to the BACnet standard you can see that unconfirmed service 8 is Who-Is. Confirm and hit enter again to apply the filter, and now you have only the Who-Is frames. Let's take a look at it: 6,100 Who-Is frames in this capture.

Good trick: if you expect to use this filter a lot, a quick way to do it is to add it as a shortcut. You press the little plus button right next to it, give it a name, verify the filter you want, hit enter, and now you have it for future use.

All right, let's say we took a look... let's say we can now again use another built-in Wireshark function: go to Endpoints, just another way to take a look at it. These are endpoints, both sources or destinations; sort by number of packets, and you can see that the chattiest device, I apologize, given the filter, the chattiest device, the device sending out the most Who-Is, is this device, 192.168.242.9. Let's take a look at that. If you wanted to just filter out that one, you can add to this expression. Double ampersand means AND: a frame that matches both filter expressions. In this case we're going to do ip.addr == 192.168.242.9, oops, again, double equals, enter. Now you have all the Who-Is frames to or from 192.168.242.9. If you want to, here you can expand a frame and take a look at what the device is asking for and so on.

All right, and we talked about how Who-Is frames are important and essential, but there's also a special type of Who-Is frame called a global Who-Is. Steve explained that global Who-Is are very commonly used to discover what is connected to the BACnet system, but they can have a very negative effect if used a lot on the system: a global Who-Is will cause every device to respond with an I-Am, which creates an incredible amount of traffic and, again, can create performance issues, delays, unwanted behaviors. So if we wanted to look at just global Who-Is frames, here's a little trick. Now, global Who-Is frames will typically show up in two different types; again, thank you to one of the attendees for pointing it out. One type would be frames that have no limit set. Again, thank you to Steve and the team that created the dissector, this is actually very easy to do: we can do bacapp.who_is; you see right here there are two different fields in the expression, so in this case it doesn't matter which one you use. We want a frame that is Who-Is, that's the first portion of it, but has no high limit, so you put an exclamation mark in front of the expression; it means "not". Again, if you apply this one you see there are four frames here with an upper limit that doesn't exist, which means these are global Who-Is. This, again, thank you to Jeff for pointing out: another type of global Who-Is frame is where the lower limit is set to zero and the upper limit is set to 4.1 million. I won't show it in this example, but you could modify this expression to look for those types of frames also.

All right, let's continue. A very popular way of exchanging messages in BACnet is sending a request and waiting for acknowledgments, and one very difficult thing to diagnose is the delay between devices: if the request goes out and the acknowledgment has a significant delay, it can have a very bad effect on your BACnet system. So in Wireshark we want to look for these communications, these so-called confirmed request services. You can again use the expression builder, let's just do that this time. Into the expression builder, bacapp, oops, confirmed services, and we're not looking for one in particular, we'll look for all of them right now. Again, apply this, enter it into the bar and then apply it again, make sure it takes, and this will show you all the confirmed services, both the requests and acknowledgments. Oh, oh, let me fix that, so just like that, without the zero, and then here we go.

A little trick here: if you wanted to, and I'll show you why, you want to add the invoke ID, which is an essential part of BACnet frames. You can click on the invoke ID field, right-click on it, Apply as Column. And just for fun here we're going to add one more; we're going to add the device ID, to be more exact this is the instance ID, instance number. So now we've expanded the single-line view to include the invoke ID and instance number. The reason I did that is just to show you a little quick trick: sometimes you want to export these files to, say, Excel and do further manipulation, things like sorting, or run some rules. So you can export to a CSV file, just the displayed packets, make sure that takes effect, and then just export to file. Now you can go to Excel, for example, or any other spreadsheet program, and we can manipulate these, run IF statements, sort them out, whatever you want; very, very powerful when you're trying to diagnose some very complex issues. One quick trick again: if you want to find some type of filter, instead of what I did there, say you want to filter just confirmed requests, you click on the field that makes it a confirmed request, right-click on that, Apply as Filter, and now you only look at these types of requests.

All right, um, then you want to look at communication to and from a specific device. Monica, can we pause it? Okay, check. Thank you, Jamie. Yeah, I hear you. Did you see me with him? No? Nope. Should I cut back in there, or what do you think? Um, you should show me back at the end. Okay, I mean, the way it's recorded, does it have me? No. Oh yeah, I don't actually know, I don't think the recording even records your webcam. It had been recording the video; I don't think it did when we did the roundtable. Okay, all right, yeah, I'm just gonna mute myself. Okay, so keep going. Oh good, okay.

So we just looked at confirmed requests and acknowledgments, actually any type of confirmed service. Again, you can mix and match these different filters. If you want to look at communication to and from a particular device knowing the IP address, you can add that to the filter line by doing an AND, and then, for example, ip.addr and so on and so on. Let's move on. Um, what is a common thing in BACnet: you want to look at communications, say, to and from a particular device with a device ID; BACnet works so much with these device IDs. If you want to look for something with a particular device ID, here's how you do it. So a device ID is, first of all, a device, which means an object type that is device, and then followed by the device ID. So we'll use the expression builder in this case, just because it's a little bit easier. So bacapp again; we're going to look for bacapp object type, so right here, and we're looking for device, which is actually number 8. Again, if you look at the standard, object type 8 is mapped to device, so I'm going to use that, and then go ahead, okay, add that. So now you find any frame that refers to a device; you can see here, down here, object identifier type device. Now we're going to add the device ID, so AND, bacapp, oops, instance number. Again you can do this in the expression builder, and just for the sake of it here we're going to use device instance number 1. Here's all the communication to and from, or that refers to, device ID 1, and you can filter that even further. So if you want to look at just confirmed services, I'm going to build on top of it, AND bacapp confirmed services, hit enter, and we see in this particular capture there are only two frames, one there and one back, from one device to another, referring to device ID number 1.

Let me show you one little trick in Wireshark to continue: if you're doing a lot of investigation, sometimes it's a good idea to add some comments, so you know, "hello, please take a look at this one," and this can be saved into the pcap file. So let's remove this expression here, add another one just for the heck of it, "I don't know what is this," and now the interesting thing is that the frame itself doesn't... the color doesn't change, so you need a way to look at the comments you've added throughout the file. Go to Analyze, Expert Information; this will show you the packets with comments. So for example 13280, if you want to jump to it, another trick: Go to Packet, or Ctrl+G, 13280 I think it was, and here it is, jump to it, this packet with a comment. Let's remove them, okay. If you want to keep comments you just save it to a pcap or a new file and you can keep that with you. Or, again, remember if you create a certain filter you can save just the filtered frames; sometimes you want to pass that to a vendor or to a peer, and this can be very, very useful to narrow down why you think there's a problem.

Other than that, let me cover a couple of questions that were asked during the webinar. So one of the questions I was asked is, what is the common cause for over-broadcasting by a BACnet device? Steve provided some really good insight. One could be misprogramming, for example if a COV threshold is set too low, and that causes a device to send way too many unconfirmed or confirmed COV notifications; or the device is just badly designed, but very often it is a programming issue.

The second question was, what's the primary reason for malformed packets in Ethernet? They should be less common, but typically a malformed packet indicates a physical problem with the connection of the devices. A very common one is that the RJ45 wiring has not been done properly; you can have some noise on the wire, and that causes malformed packets, packets with what we call FCS errors, the checksum error, which therefore means a packet needs to be thrown away, it's no good.

And the last question I'll cover right here in this little video, it's a great question, is, what's the legal ramification of capturing packets on a customer system? Do we need to be concerned, because Wireshark can capture everything, not just BACnet? It's a great question and there's no hard answer, but yes, you should be concerned with it. You have to be careful if you're going to capture with Wireshark and take that information out; we recommend you check with your customer or your user or your peers whether or not you can do that. Typically an easy way to get around any concerns is to capture only BACnet packets. BACnet packets typically will not include sensitive information such as credit card information or authentication data, but even with BACnet information you have to be careful; so for example, if the IP address of a BBMD gets out, it can cause some serious problems if someone wants to cause harm. So run Wireshark with care, but it is a very, very powerful tool to help you diagnose and understand what's happening in the communication layer of your BACnet system, and sometimes help you point to issues: misprogramming, vendor-incompatible communications, things like that. Very, very powerful tool, free tool, and again thank you very much to Steve and his team for creating this amazing dissector to allow Wireshark to read BACnet frames and help us dissect them.

Last but not least, just a quick note: we are running two more webinars over the next couple of weeks. One, a very interesting one on cybersecurity of smart buildings, called "I Can Hack a Building, Stop Me," where we'll be joined by Fred Gordy, a cybersecurity expert with Intelligent Buildings. It is run on September 15th; to sign up for this incredible webinar please go to optigo.net under Webinars. The next webinar, covering BACnet diagnostics and troubleshooting, check out "Troubleshooting BACnet in Visual BACnet," a product that Optigo provides, and we'll have a great session to show how Visual BACnet, our tool, can help with some of these diagnostics, some of these troubleshooting and investigation tips that we just covered today, and be a lot quicker, a lot easier to use, and provide you insight without having to endure all these filters. If you're interested please check out visualbacnet.com; we're offering a two-week free trial of the tool, so check it out, try it out: run Wireshark, capture the file, load it into Visual BACnet and see what type of information it gives you. Again, thank you very much Steve Karg for joining us for this incredible insight. I hope this is helpful, and enjoy your day. Thank you. Right.
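Added example, not code from the webinar, from Optigo or from Wireshark: a small Python parser that decodes constructed BACnet/IP payloads (BVLC, NPDU, APDU per ASHRAE 135) and applies the same classification the webinar builds with display filters, Who-Is frames with no limits or the 0 to 4194303 range flagged as global Who-Is, and the invoke ID pulled from confirmed requests. The sample frames are hand-constructed and the dictionary keys are this example's own names, not Wireshark field names.

```python
# Classify BACnet/IP UDP payloads the way the webinar's Wireshark filters do (added example).
import struct

WHO_IS = 8              # unconfirmed service choice for Who-Is (ASHRAE 135)
MAX_INSTANCE = 4194303  # largest object instance number, 2**22 - 1

def _context_tags(params):
    """Decode simple context-tagged unsigned values: {tag number: int}."""
    vals, i = {}, 0
    while i < len(params):
        tag = params[i]
        num, ln = tag >> 4, tag & 0x07
        if not tag & 0x08 or ln > 4:        # application tag or extended length
            raise ValueError("unsupported tag 0x%02x" % tag)
        vals[num] = int.from_bytes(params[i + 1:i + 1 + ln], "big")
        i += 1 + ln
    return vals

def classify(frame):
    """Return a dict describing one BACnet/IP payload, or None if it is not one."""
    if len(frame) < 6 or frame[0] != 0x81 or struct.unpack("!H", frame[2:4])[0] != len(frame):
        return None                         # not a BVLC header, or length mismatch
    func, off = frame[1], 4
    if func == 0x04:                        # Forwarded-NPDU: 6-byte original source first
        off += 6
    elif func not in (0x0A, 0x0B):          # Original-Unicast / Original-Broadcast only
        return None
    version, control = frame[off], frame[off + 1]
    if version != 1 or control & 0x80:      # bit 7 set: network-layer message, no APDU
        return None
    off, dnet = off + 2, None
    if control & 0x20:                      # DNET(2) DLEN(1) DADR(DLEN); 0xFFFF = global bcast
        dnet, off = struct.unpack("!H", frame[off:off + 2])[0], off + 3 + frame[off + 2]
    if control & 0x08:                      # SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + frame[off + 2]
    if control & 0x20:                      # hop count follows whenever DNET is present
        off += 1
    apdu = frame[off:]
    info = {"broadcast": func == 0x0B or dnet == 0xFFFF, "pdu_type": apdu[0] >> 4}
    if info["pdu_type"] == 1:               # Unconfirmed-Request: type, service, params
        info["service"] = apdu[1]
        if apdu[1] == WHO_IS:               # same data as the who_is low/high limit fields
            lim = _context_tags(apdu[2:])
            low, high = lim.get(0), lim.get(1)
            info.update(low=low, high=high, global_who_is=(low is None and high is None)
                        or (low == 0 and high == MAX_INSTANCE))
    elif info["pdu_type"] == 0:             # Confirmed-Request: invoke ID is byte 2
        seg = 2 if apdu[0] & 0x08 else 0    # segmented requests add seq + window bytes
        info["invoke_id"], info["service"] = apdu[2], apdu[3 + seg]
    return info

# Constructed sample payloads (UDP data only), hex split at BVLC / NPDU / APDU boundaries
SAMPLES = {
    "global_who_is": bytes.fromhex("810b000c" "0120ffff00ff" "1008"),
    "ranged_global": bytes.fromhex("810b0012" "0120ffff00ff" "1008" "0900" "1b3fffff"),
    "narrow_who_is": bytes.fromhex("810a000c" "0100" "1008" "0901" "1905"),
    "read_property": bytes.fromhex("810a0011" "0104" "00052a0c" "0c02000001" "194d"),
}

def count_global_who_is(frames):
    """Count the frames a 'Who-Is with no high limit' style filter would surface."""
    return sum(1 for f in frames if (classify(f) or {}).get("global_who_is"))
```

Running `count_global_who_is(SAMPLES.values())` over the four constructed frames reports two global Who-Is, the limitless one and the 0 to 4194303 one, while the narrow Who-Is and the ReadProperty request are left out.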
Info
Channel: Optigo Networks
Views: 6,481
Keywords: Optigo, Optigo Networks, BACnet, Visual BACnet, Wireshark, Smart buildings, Building automation, Internet of Things, IoT
Id: 8asoKlP7iFA
Length: 31min 10sec (1870 seconds)
Published: Thu Nov 23 2017