Wireshark Basics for BAS Techs: 7 Filters That Solve 80% of Problems

  • Writer: Alex Khachaturian
  • Oct 22
  • 7 min read

Updated: Oct 24


Promise: This tool has saved my hide so many times that it’s worth the effort to learn. Wireshark is hard at first; this guide makes it simple for BAS work.


Heads-up: There are several books that can massively accelerate this learning path, if you’re willing to lean in. I included two quick book sections (Educational + Just for Fun) farther down.

TL;DR

  • Copy/paste the 7 filters below; they find most BACnet/IP + MS/TP issues fast.

  • Add 5 columns (time, stream, zero-window, hop count, checksum) and the picture pops.

  • Capture MS/TP the right way (USB-to-RS-485 + mstpcap) and use a SharkTap for clean IP captures.


Key Takeaways

  • A flood of MS/TP “Reply to Poll for Master” frames usually means token problems on the trunk.

  • BBMD loops scream Forwarded-NPDU (0x04) with hop counts racing toward zero.

  • TCP “zero window” means the receiver app can’t keep up—don’t blame the wire first.

  • Endpoint captures can show false checksum failures; validate with a TAP.

  • Seconds-since-start timebase + time references turn guesswork into clear sequences.



Story Time

I was a brand-new controls tech in a Los Angeles server room, rows of cold racks, humming fans, nothing out of place… except one lonely chair facing a single console.


On the screen: a waterfall of characters racing downward. Not logs. Packets. I didn’t fully get it yet, but whoever sat in that chair spoke the language of the wire.


The IT Director found me staring and grinned. He had Wireshark running 24/7 with custom color rules, filters, and alerts that pinged his phone when anything “off” touched the network. It felt like that ‘80s hacker-movie moment, except real: plug in the wrong device and he knew in seconds.


That afternoon flipped a switch for me. It wasn’t magic, it was method. Read the traffic, and you stop guessing. Years later, in critical facilities and government sites, that lesson only got louder: packets don’t lie.


This guide is the playbook I wish I had then: 7 copy-paste filters, 5 must-add columns, and capture habits you can use today. Whether you’re chasing a chatty MS/TP trunk or a BBMD loop, you’ll go from “I think” to “Here’s the packet that proves it.”


The 7 Filters (Copy/Paste)

Paste these into Wireshark’s Display Filter bar.


1) Only BACnet traffic (all layers)

bvlc || bacnet || bacapp

Use this if sites run BACnet on non-standard UDP ports, too.


2) BACnet/IP default port (quick sanity check)

udp.port == 47808

(47808 = 0xBAC0). Great first pass when you’re unsure you’re even on the right subnet.


3) MS/TP token trouble indicator

mstp.frame_type == 2

Frame type 2 = Reply to Poll For Master. A flood of these typically means token loss / re-creation on the trunk. Treat it as a symptom, not a verdict, then check physical layer and addressing.


4) Low hop count (loop or long path)

bacnet.hopc < 10

Hop Count starts at 255 and decrements per router; values getting small quickly can indicate routing issues or loops.


5) Forwarded NPDU (BBMD involved)

bvlc.function == 0x04

Forwarded-NPDU frames are emitted by BBMDs. If two BBMDs forward each other’s broadcasts, you’ll see storms. Switch time to Seconds Since Start to spot periodic bursts.
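As an added example (not code from the original post), here is a small Python parser that walks the BVLC and NPDU headers to pull out the two fields filters 4 and 5 key on, then runs both checks over a few constructed BACnet/IP payloads; the packet bytes and the 10-hop alarm threshold are made up for illustration.

```python
# Added example (not from the original post): a minimal BVLC/NPDU header parser
# showing what filters 4 and 5 match on, run over constructed BACnet/IP payloads.
import struct

BVLC_TYPE = 0x81
FORWARDED_NPDU = 0x04        # bvlc.function == 0x04, emitted only by BBMDs
HOP_COUNT_ALARM = 10         # bacnet.hopc < 10

def parse_bacnet_ip(payload):
    """Return (bvlc_function, hop_count); hop_count is None when the NPDU
    carries no DNET, because Hop Count exists only for routed messages."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        raise ValueError("not a BVLC frame")
    func, bvlc_len = payload[1], struct.unpack("!H", payload[2:4])[0]
    if bvlc_len != len(payload):
        raise ValueError("BVLC length field does not match payload")
    off = 4
    if func == FORWARDED_NPDU:
        off += 6                 # originating B/IP address: 4-byte IP + 2-byte port
    version, control = payload[off], payload[off + 1]
    if version != 0x01:
        raise ValueError("unsupported NPDU version")
    off += 2
    has_dnet = bool(control & 0x20)
    if has_dnet:
        off += 3 + payload[off + 2]      # DNET(2) + DLEN(1) + DADR(DLEN bytes)
    if control & 0x08:
        off += 3 + payload[off + 2]      # SNET(2) + SLEN(1) + SADR(SLEN bytes)
    return func, (payload[off] if has_dnet else None)

def flag_packets(payloads):
    """Apply filters 4 and 5; returns [(packet index, reason), ...]."""
    hits = []
    for i, p in enumerate(payloads):
        func, hopc = parse_bacnet_ip(p)
        if func == FORWARDED_NPDU:
            hits.append((i, "forwarded-npdu"))
        if hopc is not None and hopc < HOP_COUNT_ALARM:
            hits.append((i, "low-hop-count"))
    return hits

# Constructed samples: 0 = plain global Who-Is (no hop count at all);
# 1 = healthy Forwarded-NPDU (hop count 255); 2 = Forwarded-NPDU already
# down to hop count 3; 3 = routed unicast (DNET 5 / SNET 1) at hop count 5.
SAMPLE = [
    bytes.fromhex("810b0008" "0100" "1008"),
    bytes.fromhex("81040012" "c0a8010abac0" "0120ffff00ff" "1008"),
    bytes.fromhex("81040012" "c0a8010bbac0" "0120ffff0003" "1008"),
    bytes.fromhex("810a0011" "0128000501070001010205" "1008"),
]
```

Packet 2 trips both checks, which is the pattern the BBMD-loop cheat below describes: a forwarded broadcast whose hop count is already almost spent.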


6) TCP “receiver can’t keep up”

tcp.analysis.zero_window || tcp.window_size_value == 0

Zero-window = the receiver’s buffer is full: think overloaded client/app, not cabling. Add tcp.stream and tcp.window_size_value as columns to see which flow is choking.


7) Bad checksums (quick red flags)

tcp.checksum_bad || udp.checksum_bad

Beware: offload can mark some checksums “bad” on endpoint captures. If in doubt, re-capture via TAP.


Read a “Conversation” the Right Way

  1. Click any BACnet/IP packet → Right-click → Follow → UDP Stream (for BACnet/IP) or TCP Stream (for app traffic riding TCP).

  2. You’ll see the request/response in order and auto-filter to that one stream.

  3. For MS/TP captures imported into Wireshark, drill into BACnet NPDU/APDU for services (Who-Is, I-Am, ReadProperty, etc.).

  4. Set View → Time Display Format → Seconds Since Beginning of Capture.

  5. Right-click → Set/Unset Time Reference on pivotal packets to get exact deltas.


Power Columns to Add (right-click a field → “Apply as Column”)

  • tcp.stream — stream identity (pairs perfectly with Follow Stream)

  • tcp.window_size_value — zero-window smoking gun

  • bacnet.hopc — hop count trend

  • bvlc.function — BBMD role and Forwarded-NPDU

  • frame.time_delta_displayed — precise between-event timing


Fast, Clean Captures (Field-Proven)

A) IP/Ethernet (plug-and-go)

Use a SharkTap inline: two Network ports sit between devices; the TAP/USB port goes to your laptop. Wireshark sees both directions with no switch/SPAN quirks. It’s portable, passive, and zero-config.


Signals you need a TAP (not SPAN):

  • Mirror ports are busy / not mirrored bidirectionally

  • You miss errors/undersized frames

  • Timestamps look bursty or out of order


A physical TAP removes those question marks.


B) MS/TP (RS-485) the right way

You’ll need a USB-to-RS-485 adapter and a capture-to-pcap utility (e.g., mstpcap.exe) to convert MS/TP to a format Wireshark understands, then open the pcap.

MS/TP capture checklist

  • Clip in at the trunk, not a long stub

  • Bias/termination correct (120 Ω each end)

  • Keep stubs short

  • If you see Header/Frame checksum failed in MS/TP, think wiring/termination/noise first (check mstp.hdr_crc)
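Added example (not from the original post) that ties filter 3 to the Header CRC check in the list above: a Python decoder for a constructed MS/TP byte stream that validates each header CRC the way a receiving node does and reports how much of the traffic is Reply to Poll for Master. The frames are constructed, and the CRC routine follows the Annex G.1 algorithm from ANSI/ASHRAE 135.

```python
# Added example (not from the original post): decode MS/TP frames from a constructed
# byte stream, check header CRCs as a receiver would, and tally RPM frames (mstp.frame_type == 2).
from collections import Counter

PREAMBLE = b"\x55\xff"
FRAME_NAMES = {0: "Token", 1: "Poll For Master", 2: "Reply To Poll For Master"}

def header_crc(header):
    """MS/TP header CRC (ANSI/ASHRAE 135 Annex G.1): CRC-8, poly x^8+x^7+1
    (0x81 reflected), init 0xFF, sent as the one's complement of the result."""
    crc = 0xFF
    for byte in header:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x81 if crc & 1 else crc >> 1
    return (~crc) & 0xFF

def build_frame(ftype, dst, src):
    """Constructed data-less frame (token/PFM/RPM): header + header CRC only."""
    header = bytes([ftype, dst, src, 0x00, 0x00])   # length field = 0
    return PREAMBLE + header + bytes([header_crc(header)])

def parse_stream(stream):
    """Returns (good frames as (type, dst, src, length), header CRC failures)."""
    frames, bad_crc, i = [], 0, 0
    while (i := stream.find(PREAMBLE, i)) != -1 and i + 8 <= len(stream):
        header, rx_crc = stream[i + 2:i + 7], stream[i + 7]
        if header_crc(header) != rx_crc:
            bad_crc += 1      # what Wireshark flags as a failed mstp.hdr_crc
            i += 2            # resync on the next preamble
            continue
        length = int.from_bytes(header[3:5], "big")
        frames.append((header[0], header[1], header[2], length))
        i += 8 + (length + 2 if length else 0)   # skip data and its 16-bit CRC
    return frames, bad_crc

def rpm_report(stream):
    """Per-type counts plus the RPM share of good frames (filter 3's symptom)."""
    frames, bad_crc = parse_stream(stream)
    counts = Counter(FRAME_NAMES.get(f[0], f"type {f[0]}") for f in frames)
    share = counts["Reply To Poll For Master"] / len(frames) if frames else 0.0
    return counts, bad_crc, share

# Constructed sample: a token pass, a master rebuilding the ring with PFM/RPM
# exchanges, and one frame whose header CRC was corrupted by line noise.
_noisy = bytearray(build_frame(0, 1, 2))
_noisy[-1] ^= 0xFF                              # flip the CRC byte
SAMPLE = b"".join([build_frame(0, 1, 2), build_frame(0, 2, 1), build_frame(1, 3, 1),
                   build_frame(2, 1, 3), build_frame(1, 4, 1), build_frame(2, 1, 4),
                   build_frame(1, 5, 1), build_frame(2, 1, 5), bytes(_noisy)])
```

On a healthy trunk the RPM share stays near zero between ring rebuilds; a sustained share like the sample's 3 of 8 is the flood the cheat sheet below attributes to token loss.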


Wireshark Basics Color Rules That Make Anomalies Pop

Import once and you’ll never go back: View → Coloring Rules → Import. (You can export and share team-wide.)


Starter rules:

  • COV / Who-Is / I-Am: bacapp.unconfirmed_service in {0, 2, 8}

  • Forwarded-NPDU (BBMD): bvlc.function == 0x04

  • MS/TP PFM/RPM: mstp.frame_type == 1 || mstp.frame_type == 2

  • Errors: tcp.checksum_bad || udp.checksum_bad || bacnet.rejectreason

  • Zero-window: tcp.analysis.zero_window


Good RS-485 Wiring & Color Conventions for BACnet MS/TP

Field-friendly consistency beats “whatever was on the truck”:

  • Blue = A(+), White/Blue = B(–) across the entire trunk

  • Daisy-chain only; keep stubs as short as possible

  • Terminate 120 Ω at each end (no T-taps)

  • Use shielded, low-cap twisted pair (e.g., Belden 9841)

  • RS-485 is differential—both wires carry data. Keep polarity consistent and double-check vendor labeling (A/B, +/– varies)


Troubleshooting Cheats (Symptom → Cause → Fix)

1) MS/TP flooding with Reply to Poll for Master

Symptom: mstp.frame_type == 2 appears in bursts or continuously.

Cause: Token loss/re-creation on the trunk (termination/bias issues, long stubs, duplicate MAC, noisy wiring).

Fix: Verify 120 Ω termination at both ends, confirm proper bias, shorten/remove stubs, check shield/ground continuity, ensure unique MAC and correct baud, then retest.


2) BBMD loop or mis-routing

Symptom: bvlc.function == 0x04 repeats and bacnet.hopc trends toward low values quickly.

Cause: Multiple BBMDs on the same IP subnet or bad BDT/FD entries causing forwarded broadcast storms.

Fix: Enforce one BBMD per subnet, audit BDT/FD tables, clear stale foreign device registrations, and recheck periodicity with Seconds Since Start timebase.


3) Sluggish TCP traffic / app timeouts

Symptom: tcp.analysis.zero_window or tcp.window_size_value == 0 on one or more streams.

Cause: Receiver application/OS can’t drain buffers (CPU/disk bottleneck, AV/VPN hooks, bad autotuning).

Fix: Troubleshoot the endpoint first; confirm TCP autotuning is normal:

netsh interface tcp show global
netsh interface tcp set global autotuninglevel=normal

Review CPU/disk, AV/VPN, and app load; retest with TAP capture.


4) “Bad checksum” everywhere

Symptom: tcp.checksum_bad / udp.checksum_bad flags on many packets.

Cause: Checksum offload artifacts on endpoint capture—or real layer-1/2 corruption.

Fix: Re-capture via hardware TAP or reliable SPAN. If errors persist on TAP, suspect cable/NIC/switchport; if only on host captures, it’s offload—safe to ignore.


Field-Proven Troubleshooting Paths

Outcome 1: Prove whether it’s the wire or the workload

  1. Capture with TAP (not endpoint).

  2. Set Seconds Since Start; mark the first bad packet as REF.

  3. Add columns: tcp.stream, bacnet.hopc, bvlc.function, tcp.window_size_value, frame.time_delta_displayed.

  4. Apply tcp.analysis.zero_window || tcp.window_size_value == 0.

  5. If zero-window appears, it’s receiver-side pressure, not wiring. Escalate to app/OS.


Outcome 2: Catch double-BBMD or mis-routed broadcasts

  1. Filter bvlc.function == 0x04 and bacnet.hopc < 10.

  2. Scan for bursty periodicity (e.g., every N seconds).

  3. Confirm one BBMD per subnet; review BDT/FD tables.

  4. Remove duplicates, clear FD registrations, and retest.


Outcome 3: Stabilize a flapping MS/TP trunk

  1. Filter mstp.frame_type == 2.

  2. If counts are high, physically inspect termination, bias, length, shield.

  3. Verify unique MAC addresses and baud.

  4. Shorten or remove stubs; re-land to daisy-chain; retest.


Outcome 4: Zoom into the one conversation that matters

  1. Start broad: bvlc || bacnet || bacapp.

  2. Identify the odd burst → Follow UDP Stream.

  3. Note deltas with time references.

  4. Validate whether it’s BACnet/IP service timing, MS/TP delay, or app behavior.


Bonus: Windows Network Stack Quick-Checks

Run in Admin CMD/PowerShell:

netsh interface tcp show global
netsh interface tcp show supplemental
netsh interface tcp set global autotuninglevel=normal
netstat -p tcp -n

Recommended Books (Educational)


Mastering TShark Network Forensics

Written by: Chris Sanders

Best for: CLI-first packet work when GUIs aren’t available.

What you’ll get: Filters, fields, and repeatable CLI capture/parse workflows.

Gigabit Ethernet

Written by: Rich Seifert

Best for: Understanding why links behave the way they do under load.

What you’ll get: Timing, buffering, and real-world Ethernet behavior.

TCP/IP Illustrated, Volume 1 (Second Edition)

Written by: W. Richard Stevens & Kevin R. Fall

(Yes, this older edition remains the most practical explanation for instant Wireshark application.)

Best for: Seeing protocols in action with traces, perfect Wireshark companion.

What you’ll get: Mental models that transfer directly to follow-stream analysis.


Practical Packet Analysis

Written by: Chris Sanders

Best for: Getting productive fast with real scenarios.

What you’ll get: End-to-end workflows you can copy on day one.


Recommended Books (Just for Fun)


Ghost in the Wires

Written by: Kevin Mitnick

Why it’s fun: Social engineering tales that sharpen your risk antenna.

Takeaway: Users, not cables, are often the bottleneck.


Where Wizards Stay Up Late

Written by: Katie Hafner & Matthew Lyon

Why it’s fun: The creation of the internet, context for the packets you’re reading.

Takeaway: Protocols are people’s decisions under constraints; read them that way.


Read the Traffic Like a Pro (Reusable Workflow)

  1. Filter to bvlc || bacnet || bacapp.

  2. Sort by Time (Seconds Since Start).

  3. Mark the first bad event as REF.

  4. Add columns: tcp.stream, bacnet.hopc, bvlc.function, tcp.window_size_value.

  5. Follow Stream on the suspect flow (UDP for BACnet/IP).

  6. Toggle color rules (zero-window, Forwarded-NPDU, COV, errors).

  7. Validate: if MS/TP, check mstp.* fields and counts; if IP, consider a SharkTap capture to remove doubt.


Field Checklist

☐ Filters pasted; columns added

☐ Time format seconds since start; REF set

☐ BBMD check: bvlc.function == 0x04, hop count trend

☐ MS/TP check: floods of PFM/RPM (mstp.frame_type 1/2), header checksum issues

☐ TCP check: zero-window / stream identity

☐ Capture sanity: TAP or good SPAN, not endpoint only

☐ RS-485 physicals: termination, bias, stub length, polarity/colors consistent


Results & ROI

  • 5–10 minute root cause on issues that used to take hours

  • Fewer truck rolls from mis-wired MS/TP

  • Credible vendor proof (pcap + annotated screenshots)

  • Team lift: Standard filters + columns = shared language


Wrap-Up

If you do only one thing today, save the 7 filters and add the 5 columns. Next time a site goes sideways, you’ll move from “I think” to “Here’s the packet that proves it.”


This is how you stop guessing and start translating!
