Secure your packet captures

Wireshark

Your OT network’s acting funny, and you have no idea why. You need to get a packet capture (pcap) and upload it into Visual BACnet, but the IT department’s dead-set against it: they won’t let you upload unless you scrub the files of confidential information, so they can’t be traced back to the building.

If your IT department doesn’t like you pulling pcaps to analyze BACnet health, your best bet is to anonymize the files. Changing the IP and MAC addresses will get rid of any identifying information. Then, you can dig into pcaps, troubleshoot, and solve problems with ease.

Read our instructions below, or check out the post on our support forum for a step-by-step guide with screenshots. Creating an account is free, and will give you access to all sorts of support articles.

  1. Launch Wireshark. In the filter bar at the top left, enter the display filter “bacnet || bacapp”.
  2. Export the specified packets (all those displayed) as a .pcap file.
  3. With the filtered file still open in Wireshark, navigate to Statistics → Endpoints → Ethernet, select Copy in the bottom left-hand corner, and paste into a secure document. Do the same for IPv4 (Statistics → Endpoints → IPv4), copying and pasting the data into the document. Save this for your future reference, or use it to map out how you would like to replace numbers in your IP and MAC addresses. For full screenshots of this, visit our support forum.
  4. Next, find the BACnet-only .pcap file you saved, and open it in WireEdit.
  5. In Find What, enter the portion of the IP addresses that you would like to replace (for example, 128.36.). In Replace With, enter the numbers that you would like to substitute in (for example, 10.36.). Select Replace All. In this example, an IP address that read 128.36.10.21 would become 10.36.10.21.
  6. In Find What, enter the portion of the MAC addresses that you would like to replace (for example, D0:D9:4F:). In Replace With, enter the numbers that you would like to substitute in (for example, A1:B2:C3:). Select Replace All. In this example, a MAC address that read D0:D9:4F:55:66:77 would become A1:B2:C3:55:66:77. It doesn’t matter which numbers you substitute in for your IP and MAC addresses, as long as they don’t identify your network and devices and you keep track of the original addresses.
  7. Finally, you’ll want to fix the Cyclic Redundancy Check (CRC) errors that modifying the packets created. Click Edit in the top menu bar and select Fix Errors.
  8. Save.

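The same procedure in code, as an added example that is not Optigo's or WireEdit's own: it walks a classic pcap, replaces the IPv4 prefix 128.36.0.0/16 with 10.36.0.0/16 and the MAC prefix D0:D9:4F with A1:B2:C3 (the values from the steps above, kept as a `RULES` table you would swap for your own), records every original-to-replacement pair as the private record step 3 asks you to keep, and then recomputes what step 7 repairs. In a pcap the fields that break when you edit addresses are the IPv4 header checksum and the UDP checksum (the Ethernet frame check is usually not captured), so those are what the code recalculates. It also covers one place a find-and-replace on the IP header alone can miss: a BACnet/IP Forwarded-NPDU message carries the originating device's IP address and port inside the BVLC header, so an address can survive in the payload after the headers are scrubbed. The sample capture, its two frames and the Who-Is payload are all constructed here for the demonstration.

```python
"""Anonymize a BACnet/IP pcap as the steps above do: rewrite an IPv4 prefix and a MAC OUI,
then recompute the IPv4 and UDP checksums the edit invalidates.  Added example, not Optigo's or
WireEdit's code; the rules mirror the page's examples and the sample capture is constructed."""
import struct
from ipaddress import ip_address, ip_network

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1  # classic little-endian pcap of Ethernet frames
BACNET_UDP_PORT = 0xBAC0                       # 47808
BVLC_TYPE, BVLC_FORWARDED_NPDU = 0x81, 0x04    # Forwarded-NPDU header carries the originator's IP:port
RULES = {"old_net": ip_network("128.36.0.0/16"), "new_net": ip_network("10.36.0.0/16"),
         "old_oui": bytes.fromhex("d0d94f"), "new_oui": bytes.fromhex("a1b2c3")}

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum (IPv4 and UDP); a header that verifies sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_ip(addr: bytes, rules, mapping) -> bytes:
    """Swap the network prefix, keep the host bits, record original -> replacement."""
    ip = ip_address(addr)
    if ip not in rules["old_net"]:
        return addr
    host = int(ip) & int(rules["old_net"].hostmask)
    new = (int(rules["new_net"].network_address) | host).to_bytes(4, "big")
    mapping[str(ip)] = str(ip_address(new))
    return new

def anonymize_frame(frame: bytes, rules, mapping) -> bytes:
    f = bytearray(frame)
    for off in (0, 6):                            # Ethernet destination and source MAC
        if f[off:off + 3] == rules["old_oui"]:
            new = rules["new_oui"] + f[off + 3:off + 6]
            mapping[f[off:off + 6].hex(":")] = new.hex(":")
            f[off:off + 6] = new
    if f[12:14] != b"\x08\x00":                   # not IPv4: nothing more to scrub
        return bytes(f)
    ihl = (f[14] & 0x0F) * 4
    for off in (26, 30):                          # IPv4 source and destination
        f[off:off + 4] = rewrite_ip(bytes(f[off:off + 4]), rules, mapping)
    udp = 14 + ihl
    if f[23] == 17:                               # UDP
        sport, dport, udp_len = struct.unpack("!HHH", f[udp:udp + 6])
        b = udp + 8                               # BVLC header: its fields can carry addresses too
        if BACNET_UDP_PORT in (sport, dport) and len(f) >= b + 10 \
                and f[b] == BVLC_TYPE and f[b + 1] == BVLC_FORWARDED_NPDU:
            f[b + 4:b + 8] = rewrite_ip(bytes(f[b + 4:b + 8]), rules, mapping)
        if f[udp + 6:udp + 8] != b"\x00\x00":     # checksum in use: recompute over pseudo-header + segment
            f[udp + 6:udp + 8] = b"\x00\x00"
            pseudo = bytes(f[26:34]) + b"\x00\x11" + struct.pack("!H", udp_len)
            f[udp + 6:udp + 8] = struct.pack("!H", checksum(pseudo + bytes(f[udp:udp + udp_len])) or 0xFFFF)
    f[24:26] = b"\x00\x00"                        # IPv4 header checksum
    f[24:26] = struct.pack("!H", checksum(bytes(f[14:14 + ihl])))
    return bytes(f)

def iter_records(pcap: bytes):
    """Yield (16-byte record header, frame) for each packet of a classic pcap."""
    if struct.unpack("<II", pcap[:4] + pcap[20:24]) != (PCAP_MAGIC, LINKTYPE_ETHERNET):
        raise ValueError("expected a little-endian pcap of Ethernet frames")
    off = 24
    while off + 16 <= len(pcap):
        incl, = struct.unpack("<I", pcap[off + 8:off + 12])
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def anonymize_pcap(pcap: bytes, rules=RULES):
    """Return (scrubbed pcap, {original: replacement}); the map is the private record step 3 asks for."""
    mapping, out = {}, bytearray(pcap[:24])
    for hdr, frame in iter_records(pcap):
        out += hdr + anonymize_frame(frame, rules, mapping)
    return bytes(out), mapping

def build_frame(src_mac, dst_mac, src_ip, dst_ip, bvlc):
    """Constructed Ethernet/IPv4/UDP frame with a BACnet/IP payload and valid checksums."""
    udp_len = 8 + len(bvlc)
    udp = struct.pack("!HHHH", BACNET_UDP_PORT, BACNET_UDP_PORT, udp_len, 0) + bvlc
    csum = checksum(src_ip + dst_ip + b"\x00\x11" + struct.pack("!H", udp_len) + udp) or 0xFFFF
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + udp[:6] + struct.pack("!H", csum) + udp[8:]

def ip4(s):
    return ip_address(s).packed

WHO_IS = b"\x81\x0a\x00\x08\x01\x00\x10\x08"  # constructed Original-Unicast-NPDU wrapping a Who-Is
FORWARDED = (b"\x81\x04\x00\x0e" + ip4("128.36.10.99") + struct.pack("!H", BACNET_UDP_PORT)
             + b"\x01\x00\x10\x08")           # Forwarded-NPDU: original sender's IP:port in the header
SAMPLE_PCAP = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
for i, fr in enumerate([
        build_frame(bytes.fromhex("d0d94f556677"), bytes.fromhex("ffffffffffff"),
                    ip4("128.36.10.21"), ip4("128.36.255.255"), WHO_IS),
        build_frame(bytes.fromhex("d0d94faabbcc"), bytes.fromhex("d0d94f556677"),
                    ip4("128.36.1.1"), ip4("128.36.10.21"), FORWARDED)]):
    SAMPLE_PCAP += struct.pack("<IIII", 1700000000 + i, 0, len(fr), len(fr)) + fr
```

Run `anonymize_pcap` on the bytes of the BACnet-only file exported in step 2, write the first return value to a new .pcap, and keep the second (the address map) with the Endpoints export from step 3 rather than with the scrubbed file. Because only the prefix changes and the host bits are preserved, a given controller keeps one consistent address throughout the capture, so the anonymized file is still usable for troubleshooting. Reopening the output in Wireshark should show no checksum errors, which is the same check step 7 relies on.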
Happy (secure) troubleshooting!

Still worried about your packet captures? Read five ways to securely analyze BACnet data.
