NMEA 2000 Packet Capture

asked 2020-06-20 23:34:33 +0000

Perdog

updated 2020-06-21 00:55:51 +0000

Guy Harris

Sir or Ma'am,

Will you be developing filters/capabilities to capture and dissect NMEA 2000 traffic? It would be very useful to the maritime cyber security community.

Thank you for your time.

1 Answer

answered 2020-06-21 01:09:46 +0000

Guy Harris

According to the Wikipedia page to which I added a link in your question, "Electrically, NMEA 2000 is compatible with the Controller Area Network ("CAN Bus") ...", so, if it uses CAN as the link layer, whatever mechanisms can be used to capture CAN traffic should work for NMEA 2000 as well.

On Linux, libpcap supports capturing on CAN interfaces, so you could capture traffic going to and from the machine; I don't know whether it supports passive sniffing or not.

On Windows, apparently a company named 8devices has an extcap module that can be used to capture CAN traffic using their USB2CAN devices. They may also support it on Linux, although that might require additional software (libpcap changes, extcap module) from a third party.

As for dissecting the traffic, Wireshark can dissect CAN traffic, but might not support dissecting the rest of the NMEA 2000 stack. There's no person or persons responsible for developing Wireshark dissection capabilities - new protocol support is added if somebody decides to write code for the protocol - so somebody will be developing it only if they decide to do that.



Thanks so much for the information and clarification! I'm brand new to the Wireshark community and you gave me great information in a very short amount of time.

Perdog (2020-06-21 01:14:39 +0000)

NMEA is something I once had a casual interest in - see Bug 6155.

Before anyone could reasonably write a dissector for this traffic, protocol specs and sample capture files are a must. Even with those things, there are no guarantees that anyone would write one, but that'd be the first step. The protocol specification may be publicly available, in which case a link to it would be helpful.

I no longer have the free time I used to enjoy, so please don't expect any commitment from me personally ... but on the other hand, it's not entirely out of the question that I might work on something like this either. Maybe opening a Wireshark Bug Report with links to specs, sample packet captures would be a good start.

cmaynard (2020-06-21 02:00:08 +0000)
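
Since NMEA 2000 rides on CAN, a capture made with the Linux CAN tooling mentioned in the answer already carries the first layer above CAN in each frame's 29-bit identifier. The following is an added example, not part of the original thread or of Wireshark: it assumes the J1939-style identifier layout (priority, PGN, source address) that NMEA 2000 uses and input in the `candump -L` log format from can-utils, and the sample lines are constructed.

```python
import re

# One `candump -L` log line: "(<timestamp>) <interface> <hex id>#<hex data>"
LINE_RE = re.compile(r"^\((\d+\.\d+)\)\s+(\S+)\s+([0-9A-Fa-f]+)#([0-9A-Fa-f]*)$")

# Constructed sample input (not a real capture); payload bytes are arbitrary.
SAMPLE_LOG = """\
(1592696073.100000) can0 09F8017F#0011223344556677
(1592696073.200000) can0 18EA7F23#00EE00
(1592696073.300000) can0 123#DEADBEEF
(1592696073.400000) can0 20000004#0000000000000000
"""

def decode_can_id(can_id):
    """Split a 29-bit identifier into J1939-style header fields."""
    pdu_format = (can_id >> 16) & 0xFF
    pdu_specific = (can_id >> 8) & 0xFF
    pgn = ((can_id >> 24) & 0x3) << 16 | pdu_format << 8
    if pdu_format < 240:
        destination = pdu_specific   # PDU1: addressed, PS is the destination
    else:
        pgn |= pdu_specific          # PDU2: broadcast, PS is part of the PGN
        destination = 255
    return {"priority": (can_id >> 26) & 0x7, "pgn": pgn,
            "source": can_id & 0xFF, "destination": destination}

def parse_log(text):
    """Return decoded headers for every 29-bit data frame in a candump log."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # CAN FD ("##"), remote ("#R") or malformed lines
        ts, iface, id_hex, data_hex = m.groups()
        can_id = int(id_hex, 16)
        # Extended IDs are logged as 8 hex digits; skip 11-bit IDs, IDs with
        # flag bits set above bit 28, and odd-length payloads.
        if len(id_hex) != 8 or can_id > 0x1FFFFFFF or len(data_hex) % 2:
            continue
        frame = decode_can_id(can_id)
        frame.update(timestamp=float(ts), interface=iface,
                     data=bytes.fromhex(data_hex))
        frames.append(frame)
    return frames

if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"{f['timestamp']:.6f} {f['interface']} prio={f['priority']} "
              f"pgn={f['pgn']} src={f['source']} dst={f['destination']} "
              f"data={f['data'].hex()}")
```
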

Question Tools


Asked: 2020-06-20 23:34:33 +0000

Seen: 66 times

Last updated: Jun 21