
Digging into Wireshark display filters with Optigo

Optigo Networks Wireshark display filters new release


If you’ve been wanting to dive deeper into your BACnet packets, we’ve got great news: Optigo’s developers have been hard at work adding new display filters to Wireshark. These field dissectors expose more detailed information in BACnet packets, allowing you to get a deeper understanding of your systems.

In Wireshark, field dissectors expose a packet’s information in a human-readable way. There’s a lot of data in each BACnet packet, and display filters let you translate that data and gather detailed information about your network.

Wireshark already has many display filters, but we’d noticed a few key ways we could contribute more. Our developers added field dissectors for the object name, to state, from state, notification type, error code, error class, event type, and present value.

Present value was a big addition, because it contains so much important information. It’s one of the most commonly used properties, conveying messages, updates, and instructions. For example, for an object in a thermostat, the present value may be the temperature reading; for an object in an air valve, the present value may be true or false, denoting that the valve is open or closed. Some might even use percentages to say whether it’s fully open, fully closed, or somewhere in between. The present value only makes sense when it is described together with the device and object type. In Visual BACnet, we use the present value in the Change of Value (COV) checks to show how sensitively COVs are set.

The information exposed with these field dissectors will drastically improve filtering in Wireshark. Let’s say you have one file with a million packets in it, and of those million, 100 packets specifically send an object name. With bacapp.object_name, you can filter for just those 100 packets. You can get even more exact if you need to: filter on bacapp.present_value.uint == 3, and Wireshark will show every packet whose bacapp.present_value.uint equals 3, and only those packets.
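To make concrete what a field dissector does with the two properties discussed above (present value and object name) and how the display-filter examples select packets, here is an added example that is not Optigo’s or Wireshark’s code. It decodes a BACnet/IP ReadProperty-ACK from raw bytes following the standard BACnet tag encoding, names the two fields exactly as the post does (bacapp.object_name, bacapp.present_value.uint); the other field names, the helper functions, and the packet bytes are constructed for this example and are not Wireshark’s.

```python
"""Minimal BACnet/IP ReadProperty-ACK dissector plus a Wireshark-style equality
filter.  Added example: not Optigo's or Wireshark's code.  Only the field names
bacapp.object_name and bacapp.present_value.uint are taken from the post; the
remaining names and all packet bytes are constructed here for illustration."""
import struct

OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 3: "binary-input",
                4: "binary-output", 8: "device", 13: "multi-state-input"}
PROPERTY_NAMES = {77: "object_name", 85: "present_value"}   # BACnet property ids


def _tag(buf, pos):
    """Decode one BACnet tag header -> (tag_number, is_context, length, next_pos)."""
    b = buf[pos]; pos += 1
    tag_num, is_context, length = b >> 4, bool(b & 0x08), b & 0x07
    if tag_num == 0x0F:                       # extended tag number
        tag_num = buf[pos]; pos += 1
    if length == 5:                           # extended length (6/7 = open/close)
        length = buf[pos]; pos += 1
        if length == 254:
            length = struct.unpack(">H", buf[pos:pos + 2])[0]; pos += 2
        elif length == 255:
            length = struct.unpack(">I", buf[pos:pos + 4])[0]; pos += 4
    return tag_num, is_context, length, pos


def dissect(pkt):
    """Return a dict of named fields for a BACnet/IP Complex-ACK(ReadProperty)."""
    fields = {}
    if pkt[0] != 0x81 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed BACnet/IP (BVLC) frame")
    pos = 4
    if pkt[pos] != 0x01 or pkt[pos + 1] & 0x28:
        raise ValueError("only unrouted NPDU version 1 is handled here")
    pos += 2
    if pkt[pos] >> 4 != 3 or pkt[pos + 2] != 12:    # Complex-ACK, readProperty
        raise ValueError("only ReadProperty-ACK is handled here")
    fields["invoke_id"] = pkt[pos + 1]; pos += 3
    tag, ctx, ln, pos = _tag(pkt, pos)               # context tag 0: object id
    if not (tag == 0 and ctx and ln == 4):
        raise ValueError("expected object identifier")
    oid = struct.unpack(">I", pkt[pos:pos + 4])[0]; pos += 4
    fields["object_type"] = OBJECT_TYPES.get(oid >> 22, str(oid >> 22))
    fields["instance"] = oid & 0x3FFFFF
    tag, ctx, ln, pos = _tag(pkt, pos)               # context tag 1: property id
    prop = int.from_bytes(pkt[pos:pos + ln], "big"); pos += ln
    tag, ctx, ln, pos = _tag(pkt, pos)               # optional tag 2: array index
    if tag == 2 and ctx:
        pos += ln
        tag, ctx, ln, pos = _tag(pkt, pos)
    if not (tag == 3 and ctx and ln == 6):
        raise ValueError("expected opening tag 3")
    tag, ctx, ln, pos = _tag(pkt, pos)               # application-tagged value
    if tag == 1 and not ctx:                         # BOOLEAN: value sits in length field
        val, suffix = bool(ln), "bool"
    else:
        data = pkt[pos:pos + ln]; pos += ln
        if tag == 2:
            val, suffix = int.from_bytes(data, "big"), "uint"
        elif tag == 4:
            val, suffix = struct.unpack(">f", data)[0], "real"
        elif tag == 7:
            if data[0] != 0:
                raise ValueError("only UTF-8 character strings handled here")
            val, suffix = data[1:].decode("utf-8"), "str"
        elif tag == 9:
            val, suffix = int.from_bytes(data, "big"), "enum"
        else:
            raise ValueError(f"unhandled application tag {tag}")
    name = PROPERTY_NAMES.get(prop, f"property_{prop}")
    # object name is a plain string field; present value carries a type suffix
    fields["bacapp.object_name" if prop == 77 else f"bacapp.{name}.{suffix}"] = val
    tag, ctx, ln, pos = _tag(pkt, pos)
    if not (tag == 3 and ctx and ln == 7):
        raise ValueError("expected closing tag 3")
    return fields


def display_filter(packets, field, value=None):
    """`field` alone selects packets that carry it; `field == value` narrows further.
    Returns the indices of the matching packets."""
    return [i for i, p in enumerate(packets)
            if field in (f := dissect(p)) and (value is None or f[field] == value)]


def build_readproperty_ack(obj_type, instance, prop, value_bytes, invoke_id=1):
    """Assemble a constructed BACnet/IP Complex-ACK(ReadProperty) for test input."""
    oid = struct.pack(">I", (obj_type << 22) | instance)
    apdu = (bytes([0x30, invoke_id, 0x0C, 0x0C]) + oid +
            bytes([0x19, prop, 0x3E]) + value_bytes + bytes([0x3F]))
    body = bytes([0x01, 0x00]) + apdu                # NPDU v1, no routing info
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(body)) + body


SAMPLE_PACKETS = [                                   # constructed, not captured
    build_readproperty_ack(0, 1, 85, b"\x44" + struct.pack(">f", 21.5)),  # AI:1 REAL
    build_readproperty_ack(13, 2, 85, b"\x21\x03"),                        # MSI:2 Unsigned 3
    build_readproperty_ack(0, 1, 77, b"\x75\x0A\x00Zone Temp"),            # AI:1 object-name
    build_readproperty_ack(4, 7, 85, b"\x91\x01"),                         # BO:7 Enumerated
    build_readproperty_ack(13, 3, 85, b"\x21\x05"),                        # MSI:3 Unsigned 5
]

if __name__ == "__main__":
    print("bacapp.object_name           ->", display_filter(SAMPLE_PACKETS, "bacapp.object_name"))
    print("bacapp.present_value.uint==3 ->", display_filter(SAMPLE_PACKETS, "bacapp.present_value.uint", 3))
```

The typed suffixes (.uint, .real, .enum) are what make the post’s point: a present value is only meaningful with the object type, so a filter on the unsigned form matches the multi-state input reporting 3 and ignores the analog input reporting 21.5, even though both are present values.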

All these new display filters will help you better understand your BACnet networks. The dissectors won’t be available in Wireshark until a new release ships, but you can stay tuned on the Wireshark mailing lists. Visual BACnet, our advanced visualization tool for building automation system service providers, is already taking advantage of these new changes to give you an even more powerful understanding of your BACnet networks. We’ll be adding more to our diagnostic checks over the next few months too!
