Capturing MS/TP from the browser

Introducing a new tool to create packet captures from MS/TP networks from the browser. No extra software required.


Howdy folks. Today's post is about an experimental new tool for creating packet captures of MS/TP networks under duress. There are lots of clever ways to troubleshoot a BACnet network but nothing quite as trusty as a good old-fashioned PCAP.

Let's jump right to the headline. I built a new browser-based tool for MS/TP and now you can make PCAPs without installing anything. Go check it out at record.mstp.dev; I'll wait.

Alternatives

There are a few different ways to capture MS/TP traffic, each with their own pros and cons. Let's get those out of the way first.

  • Your MS/TP router might support this natively through an embedded web interface or a magic File object hidden somewhere. However, if the router is the device you're trying to troubleshoot, this won't work.
  • You can use mstpcap, an open-source tool developed by Steve Karg. Steve is a BACnet legend and mstpcap works pretty well. This is the only way I know to get real-time MS/TP data in Wireshark and if this works for you, you should use it. The only challenge is getting it past your friendly local IT department.
  • There are a few companies that make specialized MS/TP dongles. I do not have firsthand experience using these dongles.

Those tools are great, but sometimes you need a packet capture and you don't have all the tools you need. Maybe the network you're trying to troubleshoot is halfway across the country and your friend on the other end of the phone isn't great with Wireshark. Maybe you're up in the ceiling and now just isn't a good time to figure out how to get administrative privileges on your vintage 2009 Dell laptop. Sometimes you just have to live off the land. With all that in mind, I present record.mstp.dev.

MS/TP? In my browser?

Chrome (and other Chrome-based browsers like Edge) recently added an API that allows you to access serial ports directly from JavaScript. That and a long plane ride back from the October BACnet meeting was all it took to make this tool possible.

Introducing record.mstp.dev. The URL is short enough that you can read it to someone over the phone or shout it across a noisy mechanical room. Here's how you use it.

  1. Hook up your RS-485 dongle and open up record.mstp.dev.
  2. Pick your capture filter and baud rate from the drop-downs.
  3. Hit record.

The website will ask for permission to use your serial port, and then it will ask where you want to save your PCAP. Packets will begin streaming from the serial port, through your browser, and down onto your hard drive.

The coolest part? All the data processing happens local to your computer. Try it out for yourself. Load up the website, turn off your WiFi, and try capturing some traffic.

One more thing: Capture Filters

MS/TP is chatty: an idle network may have well over 100 packets per second whizzing by. This is by design: MS/TP is a token-passing protocol (that's what the TP stands for). This is useful information if you're trying to find a lost token, but it's a lot of noise if you just want to hear what devices are saying to each other.

[Figure: a Wireshark capture showing Token and Poll-for-Manager messages. Caption: "Tokens, tokens everywhere..."]

When you start a capture, you can choose from three different filters:

  1. Data Frames: This will only capture frames that have data attached to them. This includes requests like Read-Property and the related responses.
  2. Valid Frames: This captures all the data frames above, plus all of the frames that are used to keep track of the token and pass it around.
  3. Everything: This captures everything above, plus any malformed frames.
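The three buckets above, as a stand-alone parser (an added example, not the record.mstp.dev code) that reads raw MS/TP bytes as a serial port would deliver them, checks each frame's CRCs, and applies the chosen filter. The CRC routines follow BACnet Annex G; the sample byte stream and the data frame's payload are constructed for the example.

```javascript
// Added example (not the record.mstp.dev source): sort raw MS/TP bytes from a serial port into the post's three capture-filter buckets. CRCs follow BACnet Annex G.
const FILTERS = { data: 0, valid: 1, everything: 2 };
// Header CRC (8-bit, x^8+x^7+1, seed 0xFF, sent one's-complemented), one byte per step.
function headerCrcStep(byte, crc) {
  let c = crc ^ byte;
  c ^= (c << 1) ^ (c << 2) ^ (c << 3) ^ (c << 4) ^ (c << 5) ^ (c << 6) ^ (c << 7);
  return (c & 0xfe) ^ ((c >> 8) & 1);
}
// Data CRC (16-bit, x^16+x^12+x^5+1, seed 0xFFFF, complemented, sent low byte first).
function dataCrcStep(byte, crc) {
  const lo = (crc & 0xff) ^ byte;
  return ((crc >> 8) ^ (lo << 8) ^ (lo << 3) ^ (lo << 12) ^ (lo >> 4) ^ (lo & 0x0f) ^ ((lo & 0x0f) << 7)) & 0xffff;
}
const headerCrc = (bytes) => bytes.reduce((c, b) => headerCrcStep(b, c), 0xff);
const dataCrc = (bytes) => bytes.reduce((c, b) => dataCrcStep(b, c), 0xffff);
// Encode a wire frame: 55 FF, type, dst, src, 16-bit length, header CRC, [data, data CRC].
function buildFrame(type, dst, src, data = []) {
  const hdr = [type, dst, src, data.length >> 8, data.length & 0xff];
  const frame = [0x55, 0xff, ...hdr, ~headerCrc(hdr) & 0xff];
  if (data.length) { const dc = ~dataCrc(data) & 0xffff; frame.push(...data, dc & 0xff, dc >> 8); }
  return frame;
}
// Scan a stream. 'data': payload with good data CRC; 'valid': good header CRC, no payload (Token, Poll-For-Manager,
// ...); 'malformed': bad CRC or truncated. Running the received CRC bytes through the accumulator leaves the
// Annex G residues 0x55 (header) and 0xF0B8 (data).
function parseStream(bytes) {
  const frames = [];
  for (let i = 0; i + 8 <= bytes.length; ) {
    if (bytes[i] !== 0x55 || bytes[i + 1] !== 0xff) { i++; continue; } // hunt for the preamble
    const hdr = bytes.slice(i + 2, i + 8); // five header bytes plus the received header CRC
    const [type, dst, src, lenHi, lenLo] = hdr;
    const f = { type, dst, src, data: [], status: headerCrc(hdr) === 0x55 ? 'valid' : 'malformed' };
    i += 8;
    const len = (lenHi << 8) | lenLo;
    if (f.status === 'valid' && len > 0) {
      const body = bytes.slice(i, i + len + 2); // payload plus two data CRC bytes
      const ok = body.length === len + 2 && dataCrc(body) === 0xf0b8;
      f.status = ok ? 'data' : 'malformed';
      if (ok) f.data = body.slice(0, len);
      i += body.length;
    }
    frames.push(f);
  }
  return frames;
}
// Apply one of the post's three capture filters to parsed frames.
const applyFilter = (frames, filter) => frames.filter((f) =>
  f.status === 'data' || filter === FILTERS.everything || (filter === FILTERS.valid && f.status === 'valid'));
// Constructed sample: Token, Poll-For-Manager, a data frame (made-up payload), Token with a flipped CRC bit.
const SAMPLE = [...buildFrame(0, 0x10, 0x05), ...buildFrame(1, 0x11, 0x10),
  ...buildFrame(5, 0x10, 0x05, [0x01, 0x04, 0x00, 0x05]),
  ...buildFrame(0, 0x05, 0x10).map((b, i) => (i === 7 ? b ^ 0x01 : b))];
```

On the sample stream the Data Frames filter keeps one frame, Valid Frames keeps three, and Everything keeps all four including the corrupted Token.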

Here's what a capture looks like if you pick Data Frames.

[Figure: a Wireshark capture showing several Read-Property and Read-Property-Multiple requests along with their matching acknowledgements. Caption: "Only data frames are captured."]

Congratulations, you're now an expert. Go forth and capture.

What's next?

It's easy to say when a network is working: all your packets show up on time. It's even easier to say when a network is broken. What's tricky is all the space in between.

What if you want to just "get the feel" of an MS/TP network? That's a puzzle for next time...

-NB