There are typically two reasons why you want to create a new PCAP with BACnet-only packets:
- Security - non-BACnet packets may include Personally Identifiable Information (PII) or other sensitive data. Stripping them out before uploading to Visual BACnet ensures that only BACnet information (typically less sensitive) is uploaded.
- Reducing file size - BACnet packets are often only a small portion (<20%) of the overall network traffic. Stripping out the non-BACnet packets reduces the file size, which speeds up both the upload to Visual BACnet and the analysis.
To create a new PCAP file with BACnet-only packets, you can use either tshark (the command-line version of Wireshark) or Wireshark itself.
Option 1 - using Tshark (faster)
Run the following command in Windows PowerShell:
& 'C:\Program Files\Wireshark\tshark.exe' -r .\big_file.pcapng -Y "bacnet or bacapp" -w big_file_BACnet_only.pcapng
- Replace the file names (big_file.pcapng and big_file_BACnet_only.pcapng) as appropriate
- Your tshark path may differ (e.g. C:\Program Files (x86)\Wireshark\tshark.exe)
- The & at the beginning of the line is required: it is the PowerShell call operator, which runs a command whose path is given as a quoted string
- -r precedes the input file (read file)
- -Y precedes the display filter. Here "bacnet or bacapp" keeps BACnet network-layer (bacnet) and BACnet application-layer (bacapp) packets
- -w precedes the output file (write file)
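The following PowerShell script is an added example (not part of the original page) that runs the same tshark command and then checks the result before you upload it: it confirms that no non-BACnet frames remain in the output and reports how much the file shrank. It assumes the tshark path and file names used above; adjust them for your system.

```powershell
# Added example: filter a capture to BACnet-only frames and verify the output.
# Assumed paths (same as the command above); change them for your environment.
$tshark  = 'C:\Program Files\Wireshark\tshark.exe'
$inFile  = '.\big_file.pcapng'
$outFile = '.\big_file_BACnet_only.pcapng'
$filter  = 'bacnet or bacapp'

# Step 1: write a new capture containing only frames that match the display filter
& $tshark -r $inFile -Y $filter -w $outFile

# Count frames in a capture by printing one frame.number per line.
# An optional display filter restricts which frames are counted.
function Count-Frames($file, $displayFilter) {
    $tsharkArgs = @('-r', $file, '-T', 'fields', '-e', 'frame.number')
    if ($displayFilter) { $tsharkArgs += @('-Y', $displayFilter) }
    return @(& $tshark @tsharkArgs).Count
}

# Step 2: compare input and output, and look for anything the filter should have removed
$total  = Count-Frames $inFile
$kept   = Count-Frames $outFile
$leaked = Count-Frames $outFile "not ($filter)"

$inSize  = (Get-Item $inFile).Length
$outSize = (Get-Item $outFile).Length

Write-Host ("Input : {0} frames, {1:N0} bytes" -f $total, $inSize)
Write-Host ("Output: {0} frames, {1:N0} bytes ({2:P1} of original)" -f $kept, $outSize, ($outSize / $inSize))

if ($leaked -ne 0) {
    # Non-BACnet frames survived the filter; the file is not safe to treat as BACnet-only.
    Write-Warning "$leaked non-BACnet frame(s) remain in $outFile; review before uploading."
    exit 1
}
Write-Host "Verified: every frame in $outFile matches '$filter'."
```

The check relies on the same Wireshark dissectors as the filter itself, so BACnet traffic that the dissector does not recognise (for example on a non-standard port) is dropped rather than kept; compare $kept with what you expect from the site.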
Option 2 - using Wireshark
Follow these steps:
- Open the original file (with non-BACnet packets) in Wireshark
- Enter "bacnet or bacapp" into the Display Filter bar and apply it (press Enter or click the blue arrow on the right)
- Note that you can see how many packets remain
- Go to File --> Export Specified Packets...
- Ensure "Displayed" is selected under Packet Range
- Save the new file