We often have people ask us how to create a packet capture, or PCAP file, to use in Optigo Visual Networks. While any PCAP should give you some insight into your network, there are some best practices that vary depending on what you are trying to discover.
Capture Duration
The optimal duration depends on the intended use of the PCAP file.
For a general system health check, for example after commissioning, before starting a job, or as part of regular audits, we recommend a capture of at least one hour.
Once a problem is identified, shorter captures can be used to troubleshoot. By initially looking at the longer PCAP, you should be able to identify the cause or the frequency of the problem, or the time of day during which it occurs. Use this information to capture a PCAP that is 5 to 20 minutes long, to see if your work fixed the problem and increased the network health. In some cases, it may be good to force a command/action during the capture period to ensure the fix is applied correctly (e.g. confirm reply on read-property is no longer an error).
| Intended use of Optigo Visual Networks | Recommended capture length |
| --- | --- |
| General system health check | 1 hour |
| Troubleshooting and validating fix | 5-20 minutes |
Capture Location
Run Wireshark or our capture tool on the Building Management System, or BMS. This will ensure that you get a complete system-level view of the Building Automation System. All global broadcast messages, communication with the BMS and general network traffic will be captured.
As a secondary step, you can also perform captures on each individual MS/TP network. This will capture all MS/TP traffic between controllers and devices that may not be seen by the BMS and the higher level network. Analyzing this capture in Optigo Visual Networks will expose any problems arising from token passing. Learn how to capture MS/TP traffic.
Note that some BMS and controllers include a packet capture feature, which is much easier to use and requires no additional software or hardware. Please ensure the capture file has an extension of .cap, .pcap or .pcapng. If it does not have one by default, append .cap to the file name before uploading to Optigo Visual Networks.
Capture Filters
In most cases, we suggest not using any capture filters. Optigo Visual Networks also shows non-BACnet communications, so leaving that traffic in the capture helps you get a comprehensive view of your network. When you upload your file to Optigo Visual Networks, you will be able to see how many BACnet packets are in the file, and what percentage of the traffic is BACnet.
If large amounts of network traffic are bloating the file or there are privacy concerns, Wireshark can be configured to capture only BACnet traffic. This will slightly lower the quality of the overall analysis because it will not be possible to identify spikes in general network traffic that are affecting the BAS system. If you would like to do this, watch this video to find out how.
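A quick pre-upload check of a capture against the guidance above (duration and BACnet share), written as an added example that is not Optigo's code. It assumes a classic microsecond .pcap file with Ethernet framing and BACnet/IP on the default UDP port 47808; pcapng and MS/TP captures are not handled, and the function names and the sample capture are constructed for illustration.

```python
import struct

BACNET_PORT = 47808  # 0xBAC0, default BACnet/IP UDP port (assumption: site uses the default)

def is_bacnet_ip(frame):
    """True if an Ethernet frame carries IPv4/UDP to or from BACNET_PORT."""
    if len(frame) < 14:
        return False
    off, ethertype = 14, struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x8100 and len(frame) >= 18:  # skip one 802.1Q VLAN tag
        off, ethertype = 18, struct.unpack("!H", frame[16:18])[0]
    if ethertype != 0x0800 or len(frame) < off + 20:
        return False
    ihl = (frame[off] & 0x0F) * 4  # IPv4 header length in bytes
    if frame[off + 9] != 17 or len(frame) < off + ihl + 4:  # 17 = UDP
        return False
    return BACNET_PORT in struct.unpack("!HH", frame[off + ihl:off + ihl + 4])

def summarize_pcap(data):
    """Packet count, BACnet share and duration of a classic (non-pcapng) pcap."""
    if len(data) < 24 or data[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a microsecond classic pcap (pcapng not handled)")
    end = "<" if data[0] == 0xD4 else ">"  # byte order the capture was written in
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    pos, stamps, bacnet = 24, [], 0
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        if len(frame) < incl:
            break  # truncated final record
        stamps.append(sec + usec / 1e6)
        bacnet += is_bacnet_ip(frame)
        pos += 16 + incl
    total = len(stamps)
    return {"packets": total, "bacnet": bacnet,
            "bacnet_pct": round(100 * bacnet / total, 1) if total else 0.0,
            "duration_s": max(stamps) - min(stamps) if total else 0.0}

def sample_pcap():
    """Constructed sample: 3 BACnet/IP frames and 1 DNS frame spanning one hour."""
    def frame(dport):
        ip = bytes([0x45, 0]) + b"\x00" * 7 + bytes([17]) + b"\x00" * 10
        return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", 50000, dport, 8, 0)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, dport in ((0, 47808), (1200, 47808), (2400, 53), (3600, 47808)):
        f = frame(dport)
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out
```

To check a real file, pass its bytes to `summarize_pcap` and compare `duration_s` with the recommended capture length; a `bacnet_pct` of 100 indicates the capture was taken with a BACnet-only filter.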
Capture Activities
A capture file will only contain packets from devices that communicate during the network capture window. It is possible that some devices may exist but be dormant on the network. In order to generate a list of all devices and networks, a Global Who-Is can be triggered on the system.
If you would like to see all of your devices and networks, trigger a Global Who-Is from the BMS. Some BMS software can induce a Global Who-Is on the system. In other cases, a Global Who-Is can be triggered by resetting the BMS.
If you are using Optigo Visual Networks for a particular problem, ensure that the action or commands triggering the problem occur during the capture period. If you know exactly which BACnet command triggers the error or problem, use the detailed graphs (e.g. Traffic by Source Destination Type) to visualize the impact on the traffic.
Now drag and drop your PCAP file into Optigo Visual Networks and find out how your system is doing!