Wireshark-bugs: [Wireshark-bugs] [Bug 12687] SocketCAN dissector does not support CAN FD
Date: Sat, 20 Aug 2016 23:53:20 +0000
Comment # 35
on bug 12687
from Guy Harris
(In reply to Oliver Hartkopp from comment #32) > (In reply to Michael Mann from comment #30) > > (In reply to Oliver Hartkopp from comment #29) > > > > The two SLL types are not really relevant for CAN application programmers. > > > It's a Linux internal thing which only becomes visible when programming > > > PF_PACKET sockets. > > > > > > For that reason my suggested changes to libpcap make sense to me as they are > > > using PF_CAN sockets to get the CAN frames - and this would be a reasonable > > > extension then. > > > > I think I'll leave the SLL support in there for now for the same reason the > > other SLL types are supported - people may use them, even if it's > > "internal". If the flag becomes an issue, we can worry about it then. > > I took a deeper look into libpcap to (hopefully) get behind the concepts. > > libpcap can use PF_PACKET sockets or protocol specific sockets (e.g. PF_CAN) > to get PDUs. With PF_PACKET sockets you are able to filter for both ETH_P_ > types like ETH_P_CAN and ETH_P_CANFD which would have matching > LINUX_SLL_P_CAN[FD] types in wireshark. > > BUT in fact CAN interfaces (ARPHRD_CAN = 280) are handled with PF_CAN RAW > sockets. They're handled with PF_CAN RAW sockets if the name provided as the interface name begins with "can" or "vcan", followed by a number. > The PDUs read from the socket are provided by libpcap as link type > DLT_CAN_SOCKETCAN ("CAN-bus with SocketCAN headers") to be used e.g. by > Wireshark which takes this data source and tags it as LINUX_SLL_P_CAN. No, actually, it doesn't. It maps LINKTYPE_CAN_SOCKETCAN to WTAP_ENCAP_SOCKETCAN in libwiretap, and the SocketCAN dissector registers to handle WTAP_ENCAP_SOCKETCAN in the "wtap_encap" dissector table, so that all packets with that encapsulation type are handed to it. (And it now maps LINKTYPE_CAN_SOCKETCAN_BIGENDIAN to WTAP_ENCAP_SOCKETCAN_BIGENDIAN, and maps LINKTYPE_CAN_SOCKETCAN_HOSTENDIAN to WTAP_ENCAP_SOCKETCAN_HOSTENDIAN, both of which are handled by the SocketCAN dissector, as per my other comment.) The SocketCAN dissector *also* registers to handle LINUX_SLL_P_CAN in the "sll.ltype" dissector table, so that all packets with an encapsulation type of WTAP_ENCAP_SLL (Linux "cooked" captures) and a "protocol" type of LINUX_SLL_P_CAN (= ETH_P_CAN) are handed to it. It does *not* register for ETH_P_CANFD packets, and won't see them, in Linux "cooked" captures. > With CAN FD we now have two options: > > 1. Create a second link type DLT_CANFD_SOCKETCAN and provide a separate data > source to Wireshark. Additionally libpcap could be moved to use PF_PACKET > too. On the topic of "[moving] libpcap to use PF_PACKET [for CAN]": As indicated, there are several code paths through libpcap that can provide CAN frames. >From a quick look at the Linux networking stack, CAN and AF_PACKET division (once more unto the breach, dear friends, once more...), it appears that the SocketCAN pseudo-header (struct can_frame and struct canfd_frame) is *not* treated as a MAC header and is thus *not* stripped if you're receiving packets from a PF_PACKET/SOCK_DGRAM socket, i.e. from a Linux "cooked" capture. It appears that CAN interfaces (interfaces with an arphrd type of ARPHRD_CAN) have names that begin with "can" or "can" followed by a number, so, if it's possible, with *all* versions of the Linux kernel that support PF_CAN, to bind either an PF_CAN/SOCK_RAW socket or a PF_PACKET/SOCK_DGRAM or PF_PACKET/SOCK_RAW socket to one of those devices, and if there's no advantage to sniffing with a PF_CAN socket, then we might as well just remove pcap-can-linux.c, and let pcap-linux.c handle CAN interfaces. Then, if there's a reason why classic CAN and CAN FD frames *from SocketCAN* - i.e., with a struct can_frame/struct canfd_frame header - should be dissected differently, then we should probably map ARPHRD_CAN to DLT_LINUX_SLL. That way, the capture will be done as a "cooked" capture, meaning that the "protocol" field of the "cooked" header will be ETH_P_CAN for "classic" CAN frames and ETH_P_CANFD for CAN FD frames, allowing the dissector to distinguish between them. In that case, the SocketCAN dissector would register in the "sll.ltype" table with the value of ETH_P_CANFD, and the dissector for *that* would pass to the common dissector code a flag indicating that it's a CAN FD frame, with the existing dissectors passing a flag indicating that it's a "classic CAN" frame. On the other hand, if there *isn't* a reason to dissect them differently, we don't need to worry about distinguishing "classic" CAN frames from CAN FD frames. However, that all leaves unanswered the question of what to do about CANUSB devices. What would we need to do to pcap-canusb-linux.c? > 2. Enhance the PDU that contain the current CAN frames to be able to > transport CAN FD frames too. This kind of tunnelling from libpcap to > Wireshark is currently done with the CANFD_USE bit - and that's why this bit > must not show up in the Wiresharks proto bits. "Currently" presumably meaning "with your changes to pcap-can-linux.c". CANFD_USE is defined to be 0x04, which, in the CAN ID/flags field, is one of the CAN ID bits; is that bit guaranteed not to be set in the CAN ID? > As you can see from our patches option 2 is obviously easy to do. > But is it the right way to go?
You are receiving this mail because:
- You are watching all bug changes.
- Prev by Date: [Wireshark-bugs] [Bug 12771] Buildbot crash output: fuzz-2016-08-20-18156.pcap
- Next by Date: [Wireshark-bugs] [Bug 12687] SocketCAN dissector does not support CAN FD
- Previous by thread: [Wireshark-bugs] [Bug 12687] SocketCAN dissector does not support CAN FD
- Next by thread: [Wireshark-bugs] [Bug 12687] SocketCAN dissector does not support CAN FD
- Index(es):