zeek-plugin-bacnet
BVLC Layer 6 thru 8 messages should be implemented
In the bvlc_function layer atop UDP which your work identified and which zeek-plugin-bacnet has handled:

```
switch(bvlc_function) {
    case 0x00: ##! BVLC_RESULT
    case 0x05: ##! REGISTER_FOREIGN_DEVICE
    case 0x01, ##! WRITE_BROADCAST_DISTRIBUTION_TABLE
         0x02, ##! READ_BROADCAST_DISTRIBUTION_TABLE
         0x03: ##! READ_BROADCAST_DISTRIBUTION_TABLE_ACK
    case 0x04, ##! FORWARDED_NPDU
         0x09, ##! DISTRIBUTE_BROADCAST_TO_NETWORK
         0x0a, ##! ORIGINAL_UNICAST_NPDU
         0x0b: ##! ORIGINAL_BROADCAST_NPDU
```
You have a comment there in the consts.zeek:

```
[5] = "Register Foreign Device",
##! 6-8 is not assigned for IPv4?
[9] = "Distribute Broadcast To Network",
```

but they are assigned, as follows:
```
BVLC Function:        1-octet      X'06'    Read-Foreign-Device-Table
BVLC Length:          2-octets     X'0004'  Length, in octets, of the BVLL message

BVLC Function:        1-octet      X'07'    Read-Foreign-Device-Table-Ack
BVLC Length:          2-octets     L        Length L, in octets, of the BVLL message
List of FDT Entries:  N*10-octets

BVLC Function:        1-octet      X'08'    Delete-Foreign-Device-Table-Entry
BVLC Length:          2-octets     X'000A'  Length, in octets, of the BVLL message
FDT Entry:            6-octets
```
The standard, in the 135-2016 edition, started advocating a new and different methodology to achieve those functions, but most of the installed base is older. These designate themselves using a network-visible Protocol_Revision, and if that is 16 or less, then they are still implementations which will use the older method.
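
The three message layouts quoted above, as a standalone Python parser with the length checks a protocol analyzer would apply. This is an added example, not code from the issue or from zeek-plugin-bacnet. Assumptions not stated in the issue: the BVLL type octet is X'81', and each 10-octet FDT entry is a 6-octet B/IP address (IPv4 address plus UDP port), a 2-octet time-to-live and a 2-octet time remaining; `parse_fdt_message` and `SAMPLE_ACK` are hypothetical names.

```python
import ipaddress
import struct

# Function codes 0x06-0x08 as listed in the issue above.
FDT_FUNCTIONS = {
    0x06: "Read-Foreign-Device-Table",
    0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry",
}
BVLL_TYPE_BACNET_IP = 0x81  # assumption: type octet, not stated in the issue

def _bip_address(raw):
    """Assumed 6-octet B/IP address layout: 4-octet IPv4 address + 2-octet UDP port."""
    ip, port = struct.unpack("!4sH", raw)
    return str(ipaddress.IPv4Address(ip)), port

def parse_fdt_message(payload):
    """Parse one BVLL message with function 0x06, 0x07 or 0x08 from a UDP payload."""
    if len(payload) < 4:
        raise ValueError("truncated BVLL header")
    bvll_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvll_type != BVLL_TYPE_BACNET_IP:
        raise ValueError("not a BACnet/IP BVLL message")
    if function not in FDT_FUNCTIONS:
        raise ValueError(f"function 0x{function:02x} is not an FDT message")
    if length != len(payload):
        raise ValueError("BVLC Length does not match the datagram size")
    body = payload[4:]
    msg = {"function": FDT_FUNCTIONS[function], "length": length}
    if function == 0x06:
        if length != 0x0004:
            raise ValueError("Read-Foreign-Device-Table must have length X'0004'")
    elif function == 0x08:
        if length != 0x000A:
            raise ValueError("Delete-Foreign-Device-Table-Entry must have length X'000A'")
        msg["fdt_entry"] = _bip_address(body)
    else:  # 0x07: list of N * 10-octet FDT entries
        if len(body) % 10:
            raise ValueError("FDT entry list is not a multiple of 10 octets")
        msg["entries"] = []
        for off in range(0, len(body), 10):
            # Assumed entry layout: address(6) + time-to-live(2) + time remaining(2)
            ttl, remaining = struct.unpack("!HH", body[off + 6:off + 10])
            msg["entries"].append({"address": _bip_address(body[off:off + 6]),
                                   "ttl": ttl, "remaining": remaining})
    return msg

# Constructed sample: an Ack carrying one entry for 192.0.2.10:47808.
SAMPLE_ACK = bytes.fromhex("8107000e" "c000020a" "bac0" "003c" "0019")
```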