CODEWITHSUNDEEP
network-programmingnmapbacnet
Agrid
Agrid

Reputation: 1

Cannot Find BACnet Device

I am quite new to the BACnet protocole but I am facing some troubles finding a device on a network.

Basically, I have a setup on a network 128.10.100.XXX/24 where I have multiple devices, as my nmap scan will show

root@xxx:/home/xxx# nmap -sP 128.10.100.120/24
Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-02 05:11 UTC
Nmap scan report for 128.10.100.1
Host is up (0.00076s latency).
MAC Address: 00:50:06:XX:XX:XX (TAC AB)
Nmap scan report for 128.10.100.150
Host is up (0.00059s latency).
MAC Address: 00:80:4F:XX:XX:XX (Daikin Industries)
Nmap scan report for 128.10.100.160
Host is up (0.00024s latency).
MAC Address: 00:50:06:XX:XX:XX (TAC AB)
Nmap scan report for xxx (128.10.100.120)
Host is up.

When I run specific scans for BACnet, all devices have an open 47808 port:

Starting Nmap 7.80 ( https://nmap.org ) at 2022-11-02 13:08 UTC
Nmap scan report for 128.10.100.150
Host is up (0.0093s latency).
Not shown: 999 closed ports
PORT      STATE         SERVICE
47808/udp open|filtered bacnet
MAC Address: 00:80:4F:XX:XX:XX (Daikin Industries)

However, when I am trying to use BACnet utilities (BACpypes in python or bacnet-stack in node.js), no device is found. I tried multiple libraries and various setups (modifying the broadcast address, etc...) without any success.

I struggle to understand the reason...

Thank you in advance for your help, A.

Upvotes: 0

Views: 1664

Answers (3)

DennisVM-D2i
DennisVM-D2i

Reputation: 488

Things worth considering :-

Tools such as YABE, VTS and Wireshark - to learn from the success cases/successful instances of communication.

The network card (NIC) that your tools and/or libraries are using/selecting to send the ('service' request) messages - e.g. definitely don't mix routable addresses with non-routable 'private' addresses (between the BACnet 'client' IP & the 'server' IP).

(UDPv4-only) 'Broadcasts' will only work upon the local network (- if a BBMD is not present & correctly set-up to relay the broadcast on to another part/hop of the "internetwork"/connected networks).

If you're unlucky - with a particular device, your client port just might have to be 47808/0xBAC0; and just possibly for the broadcasts too.

Also try directed/'unicast' traffic/'service' requests too - e.g. attempting to read the device object instance # (DOIN) of a target device; check you've got/are specifying the correct DOIN when targeting/firing a request at a device.

Does the target device have a BACnet router or BACnet gateway in front of it (- therefore would also need the inclusion of a DNET & DADR paired values as part of addressing it)?

If so, are you talking the same variant of BACnet, e.g. IP - as in BACnet/IP between both the (BACnet) 'client' & 'server'/serving device?

If it's a commercial/enterprise device, does it have a IP whitelist - to allow for the processing of incoming requests?

Upvotes: 0

Edward
Edward

Reputation: 354

Fire up wireshark with a capture filter "port 47808", then look at the who-is from your app vs the who-is from YABE.

Also check the netmask on both devices match... this will affect the broadcast messages.

Speaking of which, try a directed who-is message to the controller from your app to see if the controller responds.

Upvotes: 1

Edward
Edward

Reputation: 354

Have you validated your setup using 3rd party tools such as YABE ?

Upvotes: 1

Related Questions