BACnet discovery

How BACnet discovery works

BACnet device discovery starts when a client sends Who-Is and devices answer with I-Am. I-Am identifies a device and reports facts such as its maximum APDU and segmentation support. Point discovery is a second step: read the device Object_List, enumerate its entries, and then read useful properties for each object.

Reviewed 2026-07-15

The discovery sequence

StepBACnet exchangeResult
1Client sends Who-IsA general request or a device-instance range asks devices to identify themselves
2Device sends I-AmThe client learns the device identifier, address, maximum APDU, segmentation support, and vendor identifier
3Client reads Device Object_List index 0The client learns the reported number of objects
4Client reads Object_List entries by indexThe client builds a bounded object inventory without requiring one large array response
5Client reads object propertiesObject name, units, present value, status, and other supported properties add usable context
6Client records completion or failureDownstream users can distinguish a complete inventory from a partial or failed scan

Broadcast and targeted discovery are different

A local BACnet/IP broadcast can find unknown devices on the broadcast domain. IP routers do not normally carry that broadcast to another subnet. BACnet routing features such as BBMD and foreign-device registration exist for broadcast distribution across IP subnets.

A targeted unicast request can reach a known IP over an ordinary routed path, but field devices do not all answer directed Who-Is in the same way. A successful ping or UDP path also does not prove that a device will answer Who-Is.

  • Use broadcast when the local network is unknown and you are on the correct broadcast domain.
  • Use a target when the device IP is known or the path crosses a VPN or routed network.
  • Use BBMD or foreign-device support when you must discover unknown devices on another BACnet/IP broadcast domain.
  • Treat zero I-Am responses as a result to diagnose, not proof that no BACnet device exists.

How Sondwave handles discovery

Sondwave sends broadcast or targeted Who-Is, waits two seconds per probe for I-Am responses, and enumerates Object_List entries by index. It batches metadata reads to the device APDU size and keeps protocol addresses opaque to the core.

For an explicit target that stays silent after directed Who-Is, Sondwave tries a directed ReadProperty against the wildcard Device object. This covers devices that answer property reads but do not return I-Am over the routed path.

The fallback requires a known target. Finding unknown devices on another BACnet/IP broadcast domain still requires BBMD or foreign-device support.

How to check that discovery is complete

  • Compare the reported Object_List length with the number of entries walked.
  • Separate all objects from point-like objects. Device, schedule, trend, and proprietary objects may not become points.
  • Record unreadable entries and per-object errors instead of subtracting them silently.
  • Do not mark an inventory complete when a configured object cap stopped the walk.
  • Fail explicitly when a hostile or impossible length exceeds the tool safety ceiling.
  • Keep the prior known inventory when a replacement scan fails before a complete result.

References