This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use socketcan dissector with piped data

0

Hi

I'm using a pipe to send CAN data to Wireshark and would like to use the socketCAN dissector to interpret the data. The question is how I should send the data for socketCAN to interpret it correctly?

I am using the C# example from https://wiki.wireshark.org/CaptureSetup/Pipes to pipe the data. I have set the data link type in the global header to 125, which should be the socketCAN number ( https://github.com/wireshark/wireshark/blob/master/wiretap/wtap.h ). When I send some dummy data to Wireshark, the protocol is listed as UNKNOWN and not CAN. I guess this is because the structure or length of the data is not correct. Do you know if that's true?

I have looked at the socketCAN dissector file ( https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-socketcan.c ) but still have not been able to format the data correctly.

Hope that someone is able to provide some guidance.

asked 12 Feb '17, 12:35

Degnemose

edited 16 Feb '17, 06:30


One Answer:

1

You're writing PCAP headers, so you'll need to use PCAP-defined link layer types. For socketCAN this is 227, which is translated into the Wiretap library's corresponding value of ... 125.

answered 16 Feb '17, 06:58

Jaap ♦

You might also want to look into extcap, this "formalises" the pipe style interface such that the extcap plugins show up in the interface list and can be passed configuration parameters.

(16 Feb '17, 07:05) grahamb ♦

Thanks Jaap, that seems to do it for me. Now the protocol shows as CAN and the data structure is clear from the frame interpretation. The first 4 bytes are 3 flag bits and 29 id bits. Then 4 bytes where the first byte is the data length (the remaining 3 bytes seem to be ignored). Finally the data bytes follow.

Also thank you for the tip grahamb, I will look into that.

(16 Feb '17, 10:31) Degnemose
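
The stream described in the answer and the follow-up comment, as an added Python example (not code from this thread or from Wireshark): a pcap global header carrying link type 227, followed by records laid out as 4 bytes of flags and ID, 1 length byte, 3 unused bytes, then the data. The function names and sample frames are constructed for illustration; the big-endian ID/flags word is an assumption taken from the published LINKTYPE_CAN_SOCKETCAN description, and only classic CAN (up to 8 data bytes) is covered.

```python
import struct
import sys
import time

LINKTYPE_CAN_SOCKETCAN = 227   # pcap link type from the answer (not wiretap's 125)
CAN_EFF_FLAG = 0x80000000      # extended (29-bit) identifier
CAN_RTR_FLAG = 0x40000000      # remote transmission request

def pcap_global_header(linktype=LINKTYPE_CAN_SOCKETCAN, snaplen=65535):
    # magic, version 2.4, thiszone, sigfigs, snaplen, link type (24 bytes)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)

def socketcan_frame(can_id, data, extended=False, rtr=False):
    """3 flag bits + 29 ID bits, 1 length byte, 3 unused bytes, then the data."""
    limit = 0x1FFFFFFF if extended else 0x7FF
    if not 0 <= can_id <= limit:
        raise ValueError("CAN ID out of range for this frame format")
    if len(data) > 8:
        raise ValueError("classic CAN carries at most 8 data bytes")
    word = can_id | (CAN_EFF_FLAG if extended else 0) | (CAN_RTR_FLAG if rtr else 0)
    # Assumption: the ID/flags word is big-endian, per the link-type description.
    return struct.pack(">IB3x", word, len(data)) + bytes(data)

def pcap_record(payload, ts=None):
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    # ts_sec, ts_usec, captured length, original length
    return struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload

def build_stream(frames, ts=None):
    out = pcap_global_header()
    for can_id, data, extended in frames:
        out += pcap_record(socketcan_frame(can_id, data, extended), ts)
    return out

# Constructed sample frames: (identifier, payload, extended?)
SAMPLE_FRAMES = [(0x123, b"\x01\x02", False),
                 (0x18DAF110, b"\xde\xad\xbe\xef", True)]

if __name__ == "__main__":
    # e.g.  python this_script.py | wireshark -k -i -
    sys.stdout.buffer.write(build_stream(SAMPLE_FRAMES))
    sys.stdout.buffer.flush()
```

Writing 125 in the link type field instead of 227 reproduces the UNKNOWN protocol result from the question, because 125 is a Wiretap-internal value rather than a pcap link type.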