Ask Your Question
0

Duplicate CAN Messages in tshark trace

asked 2025-02-12 08:01:18 +0000

Florian gravatar image

updated 2025-02-12 08:04:40 +0000

Hello everyone,

I observe a behavior that all CAN TX messages appears twice in the generated trace and I have no explanation for that why this happens. I don't see that this behavior with candump.

I wrote a little bash script that sends every second the same CAN message. The message appears every second in the candump log and in the tshark log I see the CAN message twice in the same seconds with couple of microseconds delay.

I have tested this with the wireshark version 3.6.2 and 4.2.9

candump log:
(2023-12-29 02:17:54.250846) can0 TX - - 123 [4] DE AD BE EF
(2023-12-29 02:17:55.253027) can0 TX - - 123 [4] DE AD BE EF
(2023-12-29 02:17:56.255209) can0 TX - - 123 [4] DE AD BE EF
(2023-12-29 02:17:57.258906) can0 TX - - 123 [4] DE AD BE EF

tsharklog:
1 2023-12-29 02:17:54.250507696 ? CAN 32 ID: 291 (0x123), Length: 4
2 2023-12-29 02:17:54.250846188 ? CAN 32 ID: 291 (0x123), Length: 4
3 2023-12-29 02:17:55.252689942 ? CAN 32 ID: 291 (0x123), Length: 4
4 2023-12-29 02:17:55.253027513 ? CAN 32 ID: 291 (0x123), Length: 4
5 2023-12-29 02:17:56.254869874 ? CAN 32 ID: 291 (0x123), Length: 4
6 2023-12-29 02:17:56.255209782 ? CAN 32 ID: 291 (0x123), Length: 4

I looked through the different man pages of dumpcap and tshark but I don't found any option to get the same behavior as with candump. Maybe I oversaw something.

Does anybody have an idea or run into the same problem and knows how to fix that? Every help is very appreciate.

Best Regards

Florian

edit retag flag offensive close merge delete

Comments

Please add the tshark command line used for capture and the output of tshark -v.

Chuckc gravatar imageChuckc ( 2025-02-12 14:31:28 +0000 )edit

Hey, here are the missing calls:

For capturing I simply call:

tshark -i <can-interface> -t ad

and the output of tshark -v: 

TShark (Wireshark) 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

Copyright 1998-2022 Gerald Combs [email protected] and contributors. License GPLv2+: GNU GPL version 2 or later https://www.gnu.org/licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using GCC 11.2.0, with libpcap, with POSIX capabilities (Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua 5.2.4, with GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4, with Zstandard, with Snappy ...
(more)
Florian gravatar imageFlorian ( 2025-02-13 06:51:22 +0000 )edit

Are you capturing on the the system running the "bash script that sends"?
Is it possible you are capturing the transmit and the receive with tshark?

Chuckc gravatar imageChuckc ( 2025-02-13 12:37:28 +0000 )edit

Yes, the scripts runs on the same system. Sadly it's not possible to the get the message direction to see if it is TX or RX message.

But I would assume when I receive my TX message it would also show up in "candump" log. From the timestamp point of view the duplicated message from tshark appears before. As you can see in the logs from my question. My assumption is that tshark also reads an additional cache?

Florian gravatar imageFlorian ( 2025-02-14 09:45:09 +0000 )edit

Can you share a packet capture?

Chuckc gravatar imageChuckc ( 2025-02-14 12:16:53 +0000 )edit
see more comments

1 Answer

Sort by ยป oldest newest most voted
0

answered 2025-02-15 20:56:21 +0000

Guy Harris gravatar image

Running on Linux 6.5.0-15-generic, ... with libpcap 1.10.1

Libpcap 1.10.1 was released on 2021-06-09: https://www.tcpdump.org/old_releases....

Libpcap issue #1051 "Duplicated CAN packages" was opened on 2021-09-22.

The fix for that issue was committed in the main branch on 2021-09-23 and was committed in the 1.10 branch on the same date.

So that fix was not in libpcap 1.10.1. It was in libpcap 1.10.2.

So you need to have libpcap 1.10.2 or later.

Is this some Linux distribution and, if so, what distribution and what version? Perhaps they have an update to libpcap to update it to a newer 1.10.x version; if so, you should update the libpcap package.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2025-02-12 08:01:18 +0000

Seen: 71 times

Last updated: Feb 15

Related questions

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

Proprietary CAN dissector - dissector is never called

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt