
Packet Capture Best Practices for OptigoVN

We often have people ask us how to create a packet capture, or PCAP file, to use in OptigoVN. Here are some best practices to help guide you!

Optigo Visual Networks (OptigoVN) can provide deep insights into not only the overall health of your OT network but also the health of your BACnet devices themselves. Getting these insights starts with a really good packet capture (PCAP) file.

While any PCAP will give you some insight into your network, there are some techniques to consider depending on what you’re trying to discover. Here’s our guide to some best practices when making PCAP files to ensure you’ve got the best snapshot for OptigoVN to work with.

Packet Capture Duration

The optimal duration – the amount of data packets you capture over time – depends on the type of network you’re analyzing and the nature of the problem you’re trying to fix.

If you’re beginning a diagnostic session after commissioning, before starting a job, or conducting an audit, you’ll want to start with a comprehensive network check. To get a general system health check of a BACnet IP or BACnet/Ethernet network, we recommend a minimum of a one-hour capture.

We also recommend initiating a global device discovery (Who-Is) during the capture, which forces all of the devices in the network to communicate. Doing so increases the likelihood of identifying problems.

For MS/TP networks, we recommend a capture of at least fifteen minutes. This allows enough time for multiple token passing cycles on the network and will provide data to identify most problems. 

While these best practices are generally sufficient to help diagnose and resolve problems, it’s not uncommon to have issues that occur outside of normal working hours, making them difficult to troubleshoot without a technician on site. In all cases, we highly recommend using our plug-and-play Optigo Networks Hardware Capture Tool for all BACnet MS/TP packet capture activities, or installing our free Optigo Networks Software Capture Tool (available as a Windows or Linux application) for BACnet IP or BACnet Ethernet captures.

Both tools allow you to quickly configure your PCAP to upload directly to OptigoVN for diagnostics, as well as configure your PCAP sessions to our recommended lengths. You can also schedule packet capture sessions to occur whenever you like, to ensure you have up-to-date snapshots of your network state. This way, network changes are quickly identified and notifications can alert you to any issues. 

With the Optigo Networks Capture Tools, scheduling multiple captures with different frequencies and duration is easy.

Capture Location

The most central location within your system is the ideal location to conduct your packet captures. For that, we recommend you use the Optigo Networks Hardware Capture Tool or install and configure the Optigo Software Capture Tool (or Wireshark) from your Building Management System (BMS). This will ensure that you get a complete system-level view of your entire OT network. All global broadcast messages, communication with the BMS, and general network traffic will be captured.

As a secondary step, we recommend you also perform captures on each MS/TP network. This will capture all MS/TP token-passing traffic between controllers and devices that will not be seen by the BMS and higher-level network. Analyzing this capture with a Site Scope in OptigoVN will expose any problems arising from token passing.

Note that some field devices may have packet capture capabilities, which is another option when capturing network packets. Please ensure the capture file has an extension of .cap, .pcap, or .pcapng. If it does not by default, append a .cap before uploading to OptigoVN.

Capture Activities

A capture file will only contain packets from devices that communicate during the network capture window (hence the longer duration suggestion). That said, some devices may exist on the network but fail to communicate regularly. If you would like to see all of your devices and networks, trigger a global discovery (Global Who-Is) from the BMS during capture. Some BMS software can induce a Global Who-Is on the system. In other cases, a Global Who-Is can be triggered by resetting the BMS.

If you are using OptigoVN for a particular problem, make sure that the action or commands triggering the problem occur during the capture period (be sure you know how to duplicate the error before you start your capture if needed). 

Capture Filters

Both the Optigo Networks Hardware and Software Capture Tools will filter all non-BACnet data captured within a session, and we highly recommend you use these solutions over Wireshark to create your PCAP files. 

However, if you’re using Wireshark, and you find that large amounts of network traffic are creating unnecessarily long PCAP files, causing long upload times, or there are privacy concerns around sensitive data being uploaded to the cloud, Wireshark can be configured to filter and export only BACnet traffic. 

We created this video to show you how.
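
What "BACnet traffic only" means at the packet level, as an added example that is not Optigo's or Wireshark's code: a Python filter over a classic .pcap file that keeps BACnet/IP datagrams and BACnet/Ethernet frames and drops every other record before upload. The default UDP port 47808, the function names and the constructed sample capture are assumptions made for the illustration; a site that runs BACnet/IP on other ports must pass them in `ports`.

```python
import struct

BACNET_PORT = 47808  # 0xBAC0, default BACnet/IP UDP port; an assumption, sites can use others
LE_MAGIC = (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1")  # classic pcap, usec / nsec timestamps
BE_MAGIC = (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d")

def is_bacnet(frame, ports=(BACNET_PORT,)):
    """True for BACnet/IP (IPv4 UDP on a BACnet port) or BACnet/Ethernet (LLC SAP 0x82)."""
    if len(frame) < 14:
        return False
    off = 12
    if frame[off:off + 2] == b"\x81\x00":  # skip a single 802.1Q VLAN tag
        off += 4
    etype = int.from_bytes(frame[off:off + 2], "big")
    if etype <= 1500:  # 802.3 length field, so an LLC header follows
        return frame[off + 2:off + 4] == b"\x82\x82"
    ip = frame[off + 2:]
    if etype != 0x0800 or len(ip) < 20 or ip[9] != 17:
        return False
    if int.from_bytes(ip[6:8], "big") & 0x1FFF:  # later fragment: no UDP header to inspect
        return False
    udp = ip[(ip[0] & 0x0F) * 4:][:4]  # source and destination port
    return len(udp) == 4 and any(p in ports for p in struct.unpack("!HH", udp))

def filter_pcap(data, ports=(BACNET_PORT,)):
    """Return classic-pcap bytes holding only the BACnet records of `data`."""
    if len(data) < 24 or data[:4] not in LE_MAGIC + BE_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    end = "<" if data[:4] in LE_MAGIC else ">"
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    out, pos = [data[:24]], 24
    while pos + 16 <= len(data):
        incl = struct.unpack_from(end + "I", data, pos + 8)[0]
        rec = data[pos:pos + 16 + incl]
        if len(rec) == 16 + incl and is_bacnet(rec[16:], ports):
            out.append(rec)  # record header and frame are copied unchanged
        pos += 16 + incl
    return b"".join(out)

def udp_frame(sport, dport, payload):  # constructed Ethernet/IPv4/UDP frame, checksums zero
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 255]))
    return b"\xff" * 6 + b"\x02" + bytes(5) + b"\x08\x00" + ip + udp

WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")  # BVLC + NPDU + global Who-Is APDU
FRAMES = [udp_frame(47808, 47808, WHO_IS), udp_frame(50000, 53, b"constructed non-BACnet")]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", n, 0, len(f), len(f)) + f for n, f in enumerate(FRAMES))
```

Write the result of `filter_pcap()` to a new file and upload that file, keeping the unfiltered original on site.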

Recap

  • A one-hour capture time is recommended for BACnet IP and BACnet/Ethernet networks, and 15 minutes is sufficient for MS/TP
  • Run your captures from your BMS
  • Trigger a global discovery from your BMS during capture to get all devices
  • Perform packet captures on each MS/TP network individually
  • Filter your Wireshark packet captures for BACnet traffic only

Now drag and drop your PCAP file into OptigoVN and find out how your system is doing!


OptigoVN’s network health scoring provides the industry’s most accurate and detailed evidence of OT Network health, allowing technicians to pinpoint the root causes of issues, and prioritize steps toward network health remediation. Ready to upload and analyze files? Create a free account and get started today.
