BACnet SC how to monitor on wireshark

edit

A terse indication might read like so :-

• Can't use Edge nor IE - they don't export the keys; works with Firefox

'User' Environment Variable: 'SSLKEYLOGFILE' (- with '.log' file extension); e.g.:

'D:\Tmp\SslKeys.log'

• Or, for Chrome ?

  "C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-key-log-file=D:\Tmp\SslKeys.log

  You MUST be sure chrome totally be closed. And then reopen a fresh new chrome instance.
  
  Chrome has a default options let chrome run in background enabled.
  
  Double check your taskbar of windows or processes lists to make sure there's no chrome instance exists.
  
  That's why '--ssl-key-log-file' isn't working, chrome stills alive after you click exit button.
  

• In Wireshark

'Edit' -> 'Preferences' : 'Protocols' -> 'TLS' x 'Edit' -> 'Preferences' : 'Protocols' -> 'SSL'

'(Pre-)Master-Secret log filename'

    E.g.:  D:\Tmp\BACnetSC-RefImpl-TestHub_KeyLog.txt

(If you have a private key from a node, register it by clicking Edit button and adding it to the 'RSA keys' list.)

Some antiviruses (like 'Avast') inject 'the SSLKEYLOGFILE' environment variable into well-known processes like 'firefox.exe' and 'chrome.exe'. If you rename the browser executable file and launch that, then the environment variable won't be overridden.

And then (as a start) you should see something half-similar to this:

Node : WSS - Upgrade Hub : WSS - '101 Web Socket Protocol Handshake' 'Connect-Request' - Request to accepting peer to accept a WebSocket connection for BACnet/SC 'Connect-Accept' - Response to initiating peer to accept a WebSocket connection for BACnet/SC

Node -> Hub [Full request URI: https://127.1.3.1:4443/]:

GET / HTTP/1.1
Connection: Upgrade
Host: 127.1.3.1:4443
Sec-WebSocket-Key: nJV1o4FJa5s6tpoCb1aukw==
Sec-WebSocket-Protocol: hub.bsc.bacnet.org
Sec-WebSocket-Version: 13
Upgrade: websocket

Hub -> Node:

HTTP/1.1 101 Web Socket Protocol Handshake
Connection: Upgrade
Date: Thu, 16 Jun 2022 14:17:06 GMT
Sec-WebSocket-Accept: TILNyK3b8Qnn66fD2MDWO08LTt0=
Sec-WebSocket-Protocol: hub.bsc.bacnet.org
Server: TooTallNate Java-WebSocket
Upgrade: websocket

Node -> Hub {WSS}:

Building Automation and Control Network LPDU
    Function: Connect-Request (0x06)
    Control: 0x00
        0000 .... = Reserved Bits: valid (0)
        .... 0... = Originating Virtual Address: absent
        .... .0.. = Destination Virtual Address: absent
        .... ..0. = Destination Options: absent
        .... ...0 = Data Options: absent
    Message ID: 0x0000
    Payload (Connect-Request)
        VMAC Address: Private_11:11:11 (11:11:11:11:11:11)
        Device UUID: aac37693-4138-452f-8986-7bc1a389397c
        Maximum BVLC Length: 1600
        Maximum NPDU Length: 1497

Hex Dump:

0000   06 00 00 00 11 11 11 11 11 11 aa c3 76 93 41 38
0010   45 2f 89 86 7b c1 a3 89 39 7c 06 40 05 d9

Hex Stream:

06000000111111111111aac376934138452f89867bc1a389397c064005d9

Hub -> Node {WSS}:

Building Automation and Control Network LPDU (Link Protocol Data Unit)
    Function: Connect-Accept (0x07)
    Control: 0x00
        0000 .... = Reserved Bits: valid (0)
        .... 0... = Originating Virtual Address: absent
        .... .0.. = Destination Virtual Address: absent
        .... ..0. = Destination Options: absent
        .... ...0 = Data Options: absent
    Message ID: 0x0000
    Payload (Connect-Accept)
        VMAC Address: Private_11:11:11 (11:11:11:11:11:11)
        Device UUID: aac37693-4138-452f-8986-7bc1a389397c
        Maximum BVLC Length: 1600
        Maximum NPDU Length: 1497

Hex Dump:

WSS:   82 1e
0000         07 00 00 00 11 11 11 11 11 11 ...