March 2011 - Frank Schubert of MBS GmbH had an interesting article in the February 2011 issue of BACnet International Journal entitled "BACnet Protocol Analysis Using Wireshark." This free open-source software is very popular for analyzing protocols over Ethernet and, as the article points out, it can be used to analyze BACnet MS/TP traffic as well. To monitor network traffic, your tool must be able to see that traffic, which is tricky on a switched-Ethernet network. Ethernet switches pass directed messages only between the devices party to the message. This means that a protocol analyzer attached to another port on the same Ethernet switch that is passing the message will not see the message. In the article Frank suggests three ways to connect a computer running Wireshark to the network being monitored while avoiding the switched-Ethernet problem.
The first method is to use an Ethernet hub, but as he says, installing a 10 Mbps hub on a system that was operating at 100 Mbps forces a lower throughput. The resulting system no longer reflects the system without the hub. We would also add that finding an Ethernet hub is difficult anyway.
The second approach is adding a passive Test Access Point (TAP). He says this approach is pricy.
The third approach, which he recommends, is to use a switch with port-mirroring. Port-mirroring is a feature that is found in managed switches and Contemporary Controls' managed switches have this feature. With port-mirroring, a port on the switch can be configured to see all the traffic on a designated port. The computer running Wireshark attaches to the mirrored-port and the operator changes the designated port based upon what port on the switch he wants to monitor. Frank suggests that a switch with port-mirroring capability be installed in each equipment room that has devices attached to the IT backbone.
We suggest that there is a fourth option and that is Contemporary Controls' EISK5-100T/H Diagnostic Switch. As we mentioned in the last newsletter, the Diagnostic switch retains ALL the features of an unmanaged switch such as auto-negotiation and auto-MDIX except for one significant feature – it does not learn. Because it does not update its database of source MAC addresses and switch port pairings, the Diagnostic Switch continues to flood all ports with messages as if they were broadcast messages. This allows protocol tools such as Wireshark to capture any network traffic that goes through the switch regardless of the port location of the traffic. The Diagnostic Switch only has five ports so if more ports are needed, Diagnostic Switches can be cascaded.
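The difference between a learning switch and the non-learning Diagnostic Switch can be shown with a small simulation. This is an added example, not code from the article or from Contemporary Controls; the port numbers, MAC addresses and traffic are constructed, and the forwarding logic is a simplified model of an Ethernet switch.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
BC = "02:00:00:00:00:01"   # building controller (constructed MAC), on port 1
WS = "02:00:00:00:00:02"   # workstation reached via the IP network, on port 2

# Constructed traffic as (ingress port, source MAC, destination MAC):
# one broadcast from the controller, then a directed exchange.
TRAFFIC = [(1, BC, BROADCAST), (2, WS, BC), (1, BC, WS), (2, WS, BC), (1, BC, WS)]


class Switch:
    def __init__(self, ports, learns=True):
        self.ports = list(ports)
        self.learns = learns
        self.mac_table = {}  # source MAC -> port it was last seen on

    def forward(self, in_port, src, dst):
        """Return the ports a frame is transmitted on."""
        if self.learns:
            self.mac_table[src] = in_port
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            # Broadcast or unknown destination: flood every other port.
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]


def replay(learns, traffic, monitor_port):
    """Replay traffic through a fresh five-port switch.

    Returns (frames the analyzer on monitor_port receives,
             total frame transmissions across all ports).
    """
    sw = Switch(range(1, 6), learns=learns)
    seen = total = 0
    for frame in traffic:
        out_ports = sw.forward(*frame)
        seen += monitor_port in out_ports
        total += len(out_ports)
    return seen, total


if __name__ == "__main__":
    print("learning switch   :", replay(True, TRAFFIC, monitor_port=5))
    print("diagnostic switch :", replay(False, TRAFFIC, monitor_port=5))
```

On the learning switch the analyzer on port 5 receives only the broadcast, while the non-learning switch delivers every frame to it at the cost of more transmissions on every port.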
Active Test Access Point
Here is a suggestion for your next project. Instead of installing a managed switch with port-mirroring in each equipment room, install a five-port Diagnostic Switch in each control panel that has an Ethernet-connected BACnet building controller (B-BC). Just about all the traffic you would be interested in is going to be related to the building controller. Insert the Diagnostic Switch between the building controller and the IP network. If the building controller is located at the end of a single Ethernet drop, the Diagnostic Switch will act as a three-port active tap with one connection to the building controller, one connection to the IP network and one connection reserved for a protocol tool such as Wireshark running on a laptop. In fact, with this setup you gain two additional spare ports. It is not necessary to leave the laptop connected. Just connect it when you need to. The Diagnostic Switch is active in the network at all times but will not reduce any communications throughput other than the normal latency of a store-and-forward Ethernet switch. Just plug in your laptop when you want to do protocol analysis, configure a device on-line or observe web pages. It is very convenient and the Diagnostic Switch is priced the same as a standard five-port unmanaged switch.
If the building controller is located mid-span of the IP network with a backbone connection coming into the control panel and exiting the control panel, use the Diagnostic Switch for all connections leaving two spare connections – one for the laptop and one additional spare. You can also use the spare port for connection to another control panel. With either of these situations you will be able to observe all traffic from all ports but throughput could be impacted due to the flooding of traffic. However, with modest traffic you might not even notice the difference plus you gain the convenience of having a network diagnostic port ready at all times to be used.
Visit the Skorpion Diagnostic Switch product page to learn more.