Repository files navigation

(:trumpet:Note: This project has been archived followingthe release of Wireshark 4.0, which includes native support for Secure Connect. 🎺)

With this plugin, you can view and analyzeBACnet Secure Connect (BACnet/SC) traffic from withinWireshark. This plugin has been tested with node-to-hub communication and node-to-node (direct connect) communication.

Ensure that you have a recent (>= 3.0.0) version of Wireshark installed. Then, add the includedbsc.lua file to your WiresharkPlugin Directory. That's it.

1. OpenHelp -> About Wireshark on Windows and Linux orWireshark -> About Wireshark on MacOS.

2. Go to theFolders tab.

3. Click on the link in the row labeledPersonal Lua Plugins. If the folder doesn't already exist, Wireshark will offer to create it for you.

4. A folder will open. This is where you should put the includedbsc.lua file.

BACnet/SC is different than other BACnet data links because it runs on top of another existing transport layer called WebSockets. WebSockets run on top of HTTP, HTTP runs on top of TLS, and TLS runs on top of TCP (wowsers).

If your traffic is on TCP port 80 or 443, you can skip this part.

1. OpenAnalyze -> Decode As and click the+ icon to add a new row to the table.

2. If your traffic is TLS encrypted, setField toTLS Port. Otherwise, setField toTCP port.

3. SetValue to the TCP port number you are using, andCurrent toHTTP. If you are using port 47808, it should look like this:

   

If your traffic is in plain text, you can skip this part.

BACnet/SC traffic is encrypted over the wire, which is good because no one else on the network can read it or tamper with it. It's also frustrating if you want to troubleshoot a device.

Fortunately, Wireshark has support fordecrypting TLS traffic. Doing this requires having access to one of the nodes' private keys OR having access to to a key log file. Getting access to either of these things is usually application and device specific.

If you're a software developer looking to add support for key log files to your application, here are a few links that might get you started:

• The originalSSLKEYLOGFILE from NSS
• AnAgent for Java programs
• The relevantfunction call for OpenSSL
• The relevantproperty in recent versions of Python

1. OpenEdit -> Preferences on Windows and Linux orWireshark -> Preferences on MacOS.

2. Expand the tree item labeledProtocols and click onTLS.

   

   1. If you have a private key from a node, register it by clickingEdit button and adding it to theRSA keys list.
   2. If you have a key log file, clickBrowse to set the(Pre)-Master-Secret log filename.

3. ClickOK to save your changes.

Once the plugin is installed and TLS decryption is working, you should be able to explore and analyze BACnet APDUs and NPDUs like normal.

Additionally, you will be able to view fully dissected BACnet/SC headers and payloads.

This plugin supports dissecting the following BACnet/SC message types:

• BVLC-Result
• Encapsulated-NPDU
• Address-Resolution
• Address-Resolution-ACK
• Advertisement
• Advertisement-Solicitation
• Connect-Request
• Connect-Accept
• Disconnect-Request
• Disconnect-Accept
• Heartbeat-Request
• Heartbeat-ACK

Additionally, limited support is provided for working with Proprietary-Message messages.

With this plugin, you can filter messages based on over forty different fields. Here are some examples:

Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.

Getting BACnet/SC support into Wireshark is my ultimate goal.

Rather than developing abuilt-in dissector right away, I thought it might be nice to build some consensus around what sort of information needs to be surfaced from BACnet/SC messages and what the best way to present it is.

LikeWireshark, this software is licensed under the GPL