Wireshark-users: Re: [Wireshark-users] Custom CAN dissector script

From: Guy Harris <gharris@xxxxxxxxx>
Date: Mon, 5 Jun 2023 13:29:49 -0700
On Jun 5, 2023, at 3:43 AM, Fabian Cenedese <Cenedese@xxxxxxxx> wrote:

> We're using CAN bus as protocol and I implemented a capture
> to save the sent and received frames into a .pcapng file.

So presumably that's using LINKTYPE_CAN_SOCKETCAN as the link-layer type in the IDBs, with the SocketCAN pseudo-header:

	https://www.tcpdump.org/linktypes/LINKTYPE_CAN_SOCKETCAN.html

> I can
> load it in Wireshark and the frames are displayed as CAN which
> is correct. However the fields are only shown as identifier and
> data bytes which doesn't say much yet.

I.e., a SocketCAN header with ID, flags, and frame length, followed by an undissected Data field?

> I would like to add a custom dissector that will interpret the CAN
> fields further down. The identifier needs to be broken down into
> two separate fields

I.e., you need to redissect the ID field as having two separate subfields?

If by "script" you mean "dissector written in Lua rather than C", that's going to be a bit tricky; subdissectors called by the SocketCAN dissector are passed a pointer to a structure that includes, among other things, the ID, but that's a C structure, and we don't currently have a good way to pass information to Lua subdissectors.

> as well as the first data byte.
> 
> How would I register this dissector as it doesn't use an Ethernet
> port?

Not sure what an "Ethernet port" is, but various dissectors that call subdissectors have dissector tables using various keys, such as Ethernet types, TCP or UDP ports, and so on.

The SocketCAN dissector has two tables, named "can.id <http://can.id/>" and "can.extended_id", which use the un-extended 11-bit ID field and the extended 29-bit ID field, respectively, as keys.  They use the entire ID field, not a subfield of the ID field.  It should be possible to register either a C or Lua dissector in that table.

> I'm happy if I can use it in the "Decode As" menu, it
> doesn't need to be applied automatically.

You could use dissector_add_for_decode_as() for a C dissector, or dissectortable:add_for_decode_as() for a Lua dissector, to register in the "can.subdissector" table; using "Decode As..." to specify that dissector would cause all undissected CAN data to be passed that data.