At 22:29 05.06.2023, Guy Harris wrote:
>On Jun 5, 2023, at 3:43 AM, Fabian Cenedese <Cenedese@xxxxxxxx> wrote:
>
>> We're using CAN bus as protocol and I implemented a capture
>> to save the sent and received frames into a .pcapng file.
>
>So presumably that's using LINKTYPE_CAN_SOCKETCAN as the link-layer type in the IDBs, with the SocketCAN pseudo-header:
>
> https://www.tcpdump.org/linktypes/LINKTYPE_CAN_SOCKETCAN.html
I also tried CAN20B (190), but now I'm using SOCKETCAN (227) as this
worked better.
>> I can
>> load it in Wireshark and the frames are displayed as CAN which
>> is correct. However the fields are only shown as identifier and
>> data bytes which doesn't say much yet.
>
>I.e., a SocketCAN header with ID, flags, and frame length, followed by an undissected Data field?
Yes.
>> I would like to add a custom dissector that will interpret the CAN
>> fields further down. The identifier needs to be broken down into
>> two separate fields
>
>I.e., you need to redissect the ID field as having two separate subfields?
This is a dumping tool for an existing customer application that is based
on CAN. However they didn't follow any open protocol and implemented
it a bit different. The ID includes both a node ID as well as a command
(5+6 bits). Also the first data byte is combined of two fields (2+6 bits). To
better make out the values I wanted to see them in Wireshark directly as
they are cumbersome to calculate in the head from the bytes.
>If by "script" you mean "dissector written in Lua rather than C", that's going to be a bit tricky; subdissectors called by the SocketCAN dissector are passed a pointer to a structure that includes, among other things, the ID, but that's a C structure, and we don't currently have a good way to pass information to Lua subdissectors.
I just assumed that lua is the fastest or easiest way to go, but I could
also create a dll if that is better.
>> as well as the first data byte.
>>
>> How would I register this dissector as it doesn't use an Ethernet
>> port?
>
>Not sure what an "Ethernet port" is, but various dissectors that call subdissectors have dissector tables using various keys, such as Ethernet types, TCP or UDP ports, and so on.
Exactly, always Ethernet related.
>The SocketCAN dissector has two tables, named "can.id <http://can.id/>" and "can.extended_id", which use the un-extended 11-bit ID field and the extended 29-bit ID field, respectively, as keys. They use the entire ID field, not a subfield of the ID field. It should be possible to register either a C or Lua dissector in that table.
Sounds promising, I'll try that.
>> I'm happy if I can use it in the "Decode As" menu, it
>> doesn't need to be applied automatically.
>
>You could use dissector_add_for_decode_as() for a C dissector, or dissectortable:add_for_decode_as() for a Lua dissector, to register in the "can.subdissector" table; using "Decode As..." to specify that dissector would cause all undissected CAN data to be passed that data.
I'm not in office on Tuesday but I will try when I get back. Thanks for
your help.
bye Fabi