1. Launch Wireshark. If you have already captured a pcap file, you can open it now. If not, start a capture in Wireshark.
2. In the Filter bar at the top left, enter the display filter “bacnet || bacapp || bvlc”. This shows only BACnet packets. Eliminating non-BACnet frames reduces the size of the file and avoids retaining sensitive information you don’t need.
3. Export the specified packets (all those displayed) as .pcap files by going to File, then Export Specified Packets.
To further scrub the PCAP file of potentially sensitive information, use WireEdit. WireEdit is free to download and use.
4. This is a very important step, so don’t forget it! Before you scrub your pcaps, you will need to keep track of the real addresses and their anonymized replacements. Otherwise, you won’t know which addresses refer to which device, and if you run into problems later on, you’ll be flying blind. With the filtered file still open in Wireshark, navigate to Statistics → Endpoints → Ethernet, select Copy in the bottom left-hand corner, and paste the result into a secure document. Do the same for IPv4, navigating to Statistics → Endpoints → IPv4 and copy-pasting the data into the document. Save this for future reference, or use it to map out how you would like to replace the numbers in your IP and MAC addresses.
5. Next, find the BACnet-only .pcap file you saved, and open it in WireEdit. You will be editing the source and destination addresses to scrub these files. Click Edit from the top menu bar, and select Replace.
6. In Find What, enter the portion of the IP addresses that you would like to replace. (For example, 128.36.) In Replace With, enter the numbers that you would like to substitute in. (For example, 10.36.) Select Replace All. In this example, an IP address that read 128.36.10.21 would become 10.36.10.21.
7. In Find What, enter the portion of the MAC addresses that you would like to replace. (For example, D0:D9:4F:) In Replace With, enter the numbers that you would like to substitute in. (For example, A1:B2:C3:) Select Replace All. In this example, a MAC address that read D0:D9:4F:55:66:77 would become A1:B2:C3:55:66:77. It doesn’t matter what numbers you substitute in, as long as they don’t identify your network and devices and you keep track of the original addresses.
8. Finally, you’ll want to fix the Cyclic Redundancy Check (CRC) errors introduced by modifying the packets. Click Edit from the top menu bar and select Fix Errors.
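The same procedure can be carried out in one scripted pass when you have many captures to scrub. The script below is an added example, not part of the original article and not WireEdit or Wireshark code: it uses only Python's standard library, keeps only BACnet/IP frames (IPv4/UDP on port 47808, a rough equivalent of the bacnet || bacapp || bvlc filter), rewrites the IP and MAC prefixes the way steps 6 and 7 describe, records the real-to-anonymized table from step 4, and recomputes the IP and UDP checksums that step 8 fixes. The three-frame capture it operates on, the addresses in it, and the file name bacnet_scrubbed.pcap are all constructed for the example.

```python
"""Scrub a BACnet/IP pcap: filter, rewrite address prefixes, keep a mapping, fix checksums.
Added example using only the standard library; the sample capture is constructed, not real."""
import struct

BACNET_PORT = 47808  # 0xBAC0, the standard BACnet/IP UDP port


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; verifies to 0 over data that already carries it."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_sum(ip_hdr: bytes, udp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the UDP datagram exactly as given."""
    udp_len = struct.unpack("!H", udp[4:6])[0]
    return ip_checksum(ip_hdr[12:20] + struct.pack("!BBH", 0, 17, udp_len) + udp[:udp_len])


def mac2b(m): return bytes.fromhex(m.replace(":", ""))
def b2mac(b): return ":".join("%02X" % x for x in b)
def ip2b(ip): return bytes(int(o) for o in ip.split("."))
def b2ip(b): return ".".join(map(str, b))


def fix_checksums(eth: bytes, ip_hdr: bytearray, udp: bytearray) -> bytes:
    """Recompute the IPv4 header and UDP checksums (step 8) and reassemble the frame."""
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    udp[6:8] = b"\x00\x00"
    udp[6:8] = struct.pack("!H", udp_sum(bytes(ip_hdr), bytes(udp)) or 0xFFFF)
    return eth + bytes(ip_hdr) + bytes(udp)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload) -> bytes:
    """Ethernet II / IPv4 / UDP frame, used only to construct the sample capture."""
    udp = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                                   ip2b(src_ip), ip2b(dst_ip)))
    return fix_checksums(mac2b(dst_mac) + mac2b(src_mac) + b"\x08\x00", ip_hdr, udp)


def split_frame(frame: bytes):
    """(Ethernet header, IPv4 header, rest) for an Ethernet II / IPv4 frame."""
    ihl = (frame[14] & 0x0F) * 4
    return frame[:14], bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:])


def is_bacnet(frame: bytes) -> bool:
    """IPv4/UDP with BACnet/IP on either port: the frames Wireshark's filter would keep."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return False
    return BACNET_PORT in struct.unpack("!HH", split_frame(frame)[2][:4])


def checksums_ok(frame: bytes) -> bool:
    """True when both the IPv4 header checksum and the UDP checksum verify."""
    _, ip_hdr, udp = split_frame(frame)
    return ip_checksum(bytes(ip_hdr)) == 0 and udp_sum(bytes(ip_hdr), bytes(udp)) == 0


def rewrite(value: str, prefix_map: dict) -> str:
    """Prefix substitution, the equivalent of WireEdit's Find/Replace in steps 6 and 7."""
    for old, new in prefix_map.items():
        if value.upper().startswith(old.upper()):
            return new + value[len(old):]
    return value


def anonymize_frame(frame: bytes, ip_map: dict, mac_map: dict, table: dict) -> bytes:
    """Rewrite both MACs and both IPs, record real -> anonymized in table, fix checksums."""
    eth, ip_hdr, udp = split_frame(frame)
    real = [b2mac(eth[0:6]), b2mac(eth[6:12]), b2ip(ip_hdr[12:16]), b2ip(ip_hdr[16:20])]
    anon = [rewrite(v, mac_map) for v in real[:2]] + [rewrite(v, ip_map) for v in real[2:]]
    table.update(zip(real, anon))  # step 4: this table is what keeps you from flying blind
    ip_hdr[12:16], ip_hdr[16:20] = ip2b(anon[2]), ip2b(anon[3])
    return fix_checksums(mac2b(anon[0]) + mac2b(anon[1]) + eth[12:14], ip_hdr, udp)


def build_pcap(frames) -> bytes:
    """Classic little-endian pcap (link type 1 = Ethernet) with constructed timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def parse_pcap(data: bytes):
    """Yield (record header, frame) from a little-endian classic pcap; pcapng is not handled."""
    if data[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap")
    pos = 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos:pos + 16], data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def scrub_pcap(pcap: bytes, ip_map: dict, mac_map: dict):
    """Steps 2 to 8 in one pass: drop non-BACnet frames, anonymize, return (pcap bytes, table)."""
    table, out = {}, pcap[:24]
    for hdr, frame in parse_pcap(pcap):
        if is_bacnet(frame):  # frame length is unchanged, so the record header stays valid
            out += hdr + anonymize_frame(frame, ip_map, mac_map, table)
    return out, table


# Constructed sample capture: a global Who-Is broadcast, a unicast BVLC frame, and a DNS
# query that the BACnet filter must drop. Addresses match the article's worked examples.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")  # BVLC Original-Broadcast / NPDU / Who-Is
SAMPLE_PCAP = build_pcap([
    build_frame("D0:D9:4F:55:66:77", "FF:FF:FF:FF:FF:FF", "128.36.10.21", "128.36.255.255",
                BACNET_PORT, BACNET_PORT, WHO_IS),
    build_frame("D0:D9:4F:AA:BB:CC", "D0:D9:4F:55:66:77", "128.36.10.30", "128.36.10.21",
                BACNET_PORT, BACNET_PORT, bytes.fromhex("810a0004")),
    build_frame("D0:D9:4F:55:66:77", "00:11:22:33:44:55", "128.36.10.21", "128.36.1.1",
                40000, 53, b"\x00" * 12),
])
IP_MAP = {"128.36.": "10.36."}        # trailing dot: "128.3." must not match "128.36.x.x"
MAC_MAP = {"D0:D9:4F:": "A1:B2:C3:"}

if __name__ == "__main__":
    scrubbed, table = scrub_pcap(SAMPLE_PCAP, IP_MAP, MAC_MAP)
    with open("bacnet_scrubbed.pcap", "wb") as fh:
        fh.write(scrubbed)
    for real_addr, anon_addr in table.items():
        print(f"{real_addr:20} -> {anon_addr}")  # store this table somewhere secure (step 4)
```

Two things the script makes explicit that are easy to miss in the manual procedure: the prefix you replace must include its trailing separator (128.36. rather than 128.36), otherwise a shorter prefix silently matches addresses you did not intend, and only the IP and UDP checksums need recomputing, because a pcap written by Wireshark normally does not carry the Ethernet FCS at all. Addresses that do not match any prefix (the broadcast MAC, for instance) are left as they are but still appear in the table, so you can see at a glance what was and was not rewritten.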