10 common wireshark filters, Common wireshark filters – Obvius BACnet User Manual
BACnet Server for AcquiSuite
CVS:bacnet/Documentation/BACnet_Users_Guide.doc
10 Common Wireshark Filters
Wireshark is a freely available Ethernet packet capture and network monitoring tool. It is frequently used for debugging BACnet/IP networks. It is available from <https://www.wireshark.org>.
The following table lists several Wireshark filter expressions that are useful for BACnet debugging.
| Wireshark Filter | What It Matches |
| --- | --- |
| udp.port == 47808 | All BACnet packets on standard port |
| udp.port == 47808 or udp.port == 47809 | BACnet packets on port 47808 or 47809 |
| udp.port == 47808 and not ip.addr == 1.2.3.4 | Exclude one "noisy" network node at 1.2.3.4 |
| udp.port == 47808 and not bacapp.confirmed_service | Exclude Confirmed Services (such as ReadProperty and WriteProperty). Useful for debugging device and object discovery. |
| udp.port == 47808 and not (bacapp.confirmed_service == 12 or bacapp.confirmed_service == 14) | Exclude ReadProperty and ReadPropertyMultiple. Useful for debugging WriteProperty. |
| bacapp.confirmed_service == 15 and ip.addr == 5.6.7.8 | BACnet WriteProperty packets to/from IP address 5.6.7.8 |
| bacapp.type > 4 | BACnet Errors (type=5), Rejects (type=6) or Aborts (type=7) |
| bacapp.unconfirmed_service | BACnet Unconfirmed Service requests (Who-Is, I-Am, Who-Has, I-Have, etc.) |
| bacapp.unconfirmed_service == 8 or bacapp.unconfirmed_service == 0 | BACnet Who-Is or I-Am packets (used for device discovery) |
| bacapp.unconfirmed_service == 7 or | BACnet Who-Has or I-Have packets |
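
To show which bytes the field-based filters in the table key on, the following added Python example (not part of the manual and not Wireshark code) decodes the BVLC, NPDU and APDU headers of a BACnet/IP UDP payload and applies three of the table's tests. The function names and the sample frames are constructed for illustration.

```python
import struct

def parse_bacnet_ip(payload: bytes) -> dict:
    """Return PDU type and service choice from one BACnet/IP UDP payload."""
    if len(payload) < 4 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP frame (BVLC type 0x81 expected)")
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        raise ValueError("BVLC length does not match payload size")
    out = {"type": None, "confirmed_service": None, "unconfirmed_service": None}
    pos = 4 + (6 if payload[1] == 0x04 else 0)  # Forwarded-NPDU adds 6 address bytes
    try:
        control = payload[pos + 1]               # NPDU: version, then control byte
        pos += 2
        if control & 0x20:                       # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x08:                       # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x20:                       # hop count follows when DNET is set
            pos += 1
        if control & 0x80:                       # network-layer message: no APDU
            return out
        first = payload[pos]
        out["type"] = first >> 4                 # high nibble is the PDU type
        if out["type"] == 0:                     # Confirmed-Request
            # flags, max-APDU, invoke id, [sequence + window if segmented], service
            out["confirmed_service"] = payload[pos + 3 + (2 if first & 0x08 else 0)]
        elif out["type"] == 1:                   # Unconfirmed-Request
            out["unconfirmed_service"] = payload[pos + 1]
    except IndexError:
        raise ValueError("truncated BACnet/IP frame") from None
    return out

def label(payload: bytes) -> str:
    """Apply three of the table's field tests to one decoded frame."""
    p = parse_bacnet_ip(payload)
    if p["type"] is not None and p["type"] > 4:   # bacapp.type > 4
        return "error/reject/abort"
    if p["confirmed_service"] == 15:              # WriteProperty request
        return "WriteProperty"
    if p["unconfirmed_service"] in (8, 0):        # Who-Is or I-Am
        return "discovery"
    return "other"

# Constructed sample payloads (not captured traffic).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
WRITE_PROPERTY = bytes.fromhex("810a001801040005010f0c0080000119553e4442c800003f")
ERROR_PDU = bytes.fromhex("810a000d010050010f91029128")

if __name__ == "__main__":
    for name, frame in [("who-is", WHO_IS), ("write", WRITE_PROPERTY), ("error", ERROR_PDU)]:
        print(name, label(frame))
```

This sketch reads the service choice only from request PDUs, so its labels are a simplified view of what the display filters select.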