You will need:
1. A USB to RS-485 converter.
2. The mstpcap.exe download from here (from Steve Karg’s BACnet tools version 0.8.6). See this page for an integration with Wireshark.
3. A Windows computer.
To capture MS/TP packets:
1. Connect the USB converter to the MS/TP network. You can connect the converter to any point in your MS/TP chain, as long as it is on the MS/TP side of the router. In the below images, the USB converter is connected to the network via the bright orange cable.
2. Connect the USB converter to your computer, as well.
3. Next, identify the COM port that the USB converter is connected to. On your computer, open Device Manager and expand the Ports (COM & LPT) section. The COM port (e.g. COM4) should be listed there.
4. Next, find where on your computer you downloaded Steve Karg’s BACnet Tools folder, the one containing mstpcap.exe. It will likely be in Downloads. Copy the path of that folder (e.g. C:\Users\<Insert Username>\Downloads\<Insert file name>).
5. On your computer, open Command Prompt. At the C:\Users\<Insert Username> prompt, type “cd” (short for “change directory”), add a space, paste the path of the folder you copied in Step 4, and hit Enter. The folder you change into is where the MS/TP pcap will be written.
6. Next, in the Command Prompt, run mstpcap.exe with the COM port identified in Step 3 and the baud rate of your MS/TP network. (There are a few common baud rates: 19200, 38400, and 76800.) The command might look like “mstpcap.exe COM4 76800”, for example. Hit Enter. If you see the packet counter on screen counting up, that’s good. If instead the invalid-frame counter is counting up, either the baud rate is incorrect or there is something wrong with the wiring.
7. To stop the capture, type CTRL+C and quit Command Prompt.
8. You will see something like the below image when you have captured your packets. In this case, we ended up with 8,200 packets and five invalid frames. Note that if you only have invalid frames, it means that something went wrong in the capture.
9. Your MS/TP traffic is now in readable .pcap format. You’ll find it in the folder you changed into in Step 5. Now you can load it into Wireshark or Visual BACnet to start digging through packets!
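Steps 3 through 6 above can be wrapped in a short PowerShell script so that the COM port, baud rate, and tool location are checked before the capture starts. This is an added example, not part of the original article and not one of Steve Karg’s tools; it assumes mstpcap.exe has already been unpacked into the folder given by $ToolDir (the default folder name below is an assumption) and that the USB converter appears to Windows as an ordinary serial port. The page does not state the name of the file mstpcap.exe writes, so the script simply lists whatever files in that folder changed after the capture began.

```powershell
# Added example (not from the original article): wraps steps 3-6 in one script.
# Assumptions: mstpcap.exe has already been downloaded into $ToolDir, and the
# RS-485 converter shows up as a standard Windows serial port.
param(
    [string]$ToolDir = "$env:USERPROFILE\Downloads\bacnet-tools",  # assumed folder name
    [string]$Port,                                                  # e.g. COM4
    [int]$Baud = 38400
)

# Step 3: list the serial ports Windows currently knows about so you can pick
# the one that appeared when the USB-to-RS-485 converter was plugged in.
$ports = [System.IO.Ports.SerialPort]::GetPortNames() | Sort-Object
if (-not $ports) { throw "No COM ports found; is the USB converter plugged in?" }
Write-Host "Serial ports present: $($ports -join ', ')"

if (-not $Port) {
    $Port = Read-Host "Which port is the RS-485 converter (e.g. COM4)?"
}
$Port = $Port.ToUpper()
if ($ports -notcontains $Port) {
    throw "$Port is not one of the ports listed above."
}

# Step 6: accept only the MS/TP baud rates the article names as common.
$commonBaud = 19200, 38400, 76800
if ($commonBaud -notcontains $Baud) {
    throw "Unusual baud rate $Baud; common MS/TP rates are $($commonBaud -join ', ')."
}

# Steps 4-5: run from the folder that holds mstpcap.exe, because the .pcap is
# written to the current directory.
$exe = Join-Path $ToolDir 'mstpcap.exe'
if (-not (Test-Path $exe)) { throw "mstpcap.exe not found in $ToolDir" }
Push-Location $ToolDir
$started = Get-Date
try {
    Write-Host "Running: mstpcap.exe $Port $Baud  (press CTRL+C to stop the capture)"
    & $exe $Port $Baud
}
finally {
    # PowerShell runs the finally block after CTRL+C as well, so this still
    # shows whatever mstpcap wrote since the capture began.
    Get-ChildItem -File | Where-Object { $_.LastWriteTime -ge $started } |
        Select-Object Name, Length, LastWriteTime
    Pop-Location
}
```

Run it as `.\capture-mstp.ps1 -Port COM4 -Baud 76800` (the script name is your choice). If the invalid-frame counter climbs while it runs, stop it with CTRL+C and re-run with one of the other baud rates before suspecting the wiring.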
For more detail, Steve Karg has done great work on Wireshark and MS/TP captures, and developed some useful capture tools.