Exploring the BACnet server by the client
The most common task we are facing is to integrate data from a BACnet server (such as a heat pump) into some client software – either a visualization or a PLC that uses that data for a regulatory task. For other protocols, such as Modbus, we need a table from the server manufacturer with address and value descriptions – their formats, types, meanings, etc. BACnet server, due to its services, objects and their properties, can request this information to a certain extent to provide itself.
BACnet can use different buses for communication. Next, we focus on BACnet/IP. Suppose that a BACnet server is a device that has an Ethernet interface with a known IP address. In our case it will be PLC with IP address 192.168.1.17. The computer with the BACnet explorer client, in this case the Yabe program, has an IP address of 192.168.1.44 – the address is set to be in the same logical network. BACnet communicates on UDP protocol, the server listens on UDP port 47808 by default. This port number is reserved by IANA, and has been chosen to be remembered in hexadecimal form – BAC0.
Start Yabe and select Add device from the menu by right clicking on Devices.
Fig. Yabe – Add device
In the dialog, select the local network interface in the BACnet/IP over UDP field to be used by the program.
Fig. Yabe – Search
This is an important step. The IP address (Local Endpoint) is the outgoing address from which queries will be sent to the network. For example, if we selected the IP address of the Wi-Fi interface, the request packet would not reach the BACnet server at all. The BAC0 port is the destination port on the BACnet servers to which queries are directed. (The local port from which queries are sent is automatically assigned by the operating system from the list of free ports.) Click on Add button to confirm the selection.
Yabe sends several Who-Is search queries. The transmission channel (UDP port 47808) and the device found there appear in the tree.
Fig. BACnet devices in YABE
Wireshark is used for packet analysis. If everything works, we will not need it – the following figure is for illustration only. The “bacnet” parameter (green field at the top) was used as a filter, removing most of the other packets that occurred on the network interface from the list. In the blue field, BACnet packet listing, we see that the client with IP address 192.168.1.44 has sent a query using Who-Is as broadcast (broadcast is identified by the destination address being – in this IP network – 192.168.1.255). To this broadcast, more exactly to the question “is there a BACnet device?” addressed to all devices in the logical network, I-Am (“I am here”) answered the only device: PLC with IP address 192.168.1.17. (We see that the query was repeated three times with an interval of 1 second, and the same response came each time.)
The telegram of the query is further analyzed in the left window. More interesting is the answer in the box on the right. We can see there how the server revealed itself,
- that it contains a Device object with instance number 1;
- that the Maximum APDU Length Accepted parameter is 1476 (whatever it means);
- supports segmentation in both directions (dtto);
- that the device manufacturer is Domat Control System – it is identified by the (again standardized) Vendor ID, in this case 384.
Interestingly: Vendor ID is assigned free of charge by ASHRAE. By the end of 2019, almost 1,200 of them were allocated, of which 13 were companies from the Czech Republic. This number is used to identify the manufacturer of the equipment.
Fig. Question Who-Is and Answer I-Am
The client then usually initiates further communication and asks for other properties of the Device object, for a list of objects on the device, for properties of objects and their values, etc. Then the data can be viewed in a tree structure. If you leave Wireshark on, you will see the appropriate questions and answers in its window. We can also change the properties that are writable from the Yabe client.
Fig. View the contents of BACnet devices by the Yabe client
In the right Yabe window are the properties of the object and their values. Most likely we will be interested in the Present Value property, which in the case of Analog Input indicates the measured value, here 23.56. The Units property specifies that the value is in °C and therefore it menas temperature value, again using standardized numbering (62 means °C). The complete description and enumerations of engineering units can be found in the standard, but a “decent” client translates the unit number as here to a symbol or text (“Degrees Celsius”).
Another useful feature is Description. There we usually find what the object actually represents. Typical text in this property is “Outside Temperature”, “tNabehZapad”, “Otacky privod” (it means reverse lead), etc.
What if it doesn’t work?
I don’t know the IP address of the BACnet server
If it is in the same logical network as the client’s BACnet address, detection may still occur. However, we recommend that you check the address with your vendor or programmer to make sure that other network parameters (mask, gateway, UDP port) are set correctly.
The address is on the same network, but the client does not detect anything
Broadcasts can be blocked by a firewall on the computer running the client. Let’s temporarily disable firewall and virus protection. Broadcasts also do not have to pass through a router or VPN: it is better to use a switch for attempts. It can also help to disable or disconnect other – unused – network interfaces, such as wi-fi cards, VPNs, etc. Let’s check in Wireshark that the client is sending telegrams as broadcasts on the same network as the server: correct broadcast address 192.168.1.255.
Broadcasts leave correctly, but the client doesn’t detect anything
Some BACnet servers may (unreasonably for norm) require that port 47808 is used also on the client side as outbound. If the client allows it, try to set the port on it.
For other BACnet clients, the procedure is similar, some programs do not broadcast network broadcasts and require the specific IP address of the BACnet server to communicate with.
So we can already explore objects in a “hand-held” client. However, as we set up communication in a PLC development environment or visualization, we may encounter other parameters we haven’t encountered yet. We’ll look at them in the next section.
All parts can be found HERE.