Wireshark-users: Re: [Wireshark-users] Custom CAN dissector script
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxx>
Date: Wed, 7 Jun 2023 15:46:02 +0000
I don't know why I'm not receiving all messages on this thread, but I'm unable to respond to the latest one from Guy, so I'm responding to this one instead.

In any case, here's a simple proof-of-concept in Lua using the "Decode As" solution referenced below:

-- Field extractor for the CAN ID already dissected by the SocketCAN dissector
local can_id = Field.new("can.id")

local p_cansub = Proto.new("cansub", "CANSUB Protocol")

local pf = {
    id0 = ProtoField.uint8("cansub.id0", "ID0", base.DEC),
    id1 = ProtoField.uint8("cansub.id1", "ID1", base.DEC),
    id2 = ProtoField.uint8("cansub.id2", "ID2", base.DEC),
    id3 = ProtoField.uint8("cansub.id3", "ID3", base.DEC),
    data = ProtoField.bytes("cansub.data", "Data", base.NONE, "The CANSub Data")
}
p_cansub.fields = pf

function p_cansub.dissector(tvbuf, pinfo, tree)
    local cansub_tree
    -- Range covered by the can.id field in the SocketCAN header
    local can_id_tvbr = can_id().range

    pinfo.cols.protocol:set("CANSUB")
    cansub_tree = tree:add(p_cansub, tvbuf(0, -1))

    -- Show each of the first four bytes of that range as its own field
    cansub_tree:add(pf.id0, can_id_tvbr(0, 1))
    cansub_tree:add(pf.id1, can_id_tvbr(1, 1))
    cansub_tree:add(pf.id2, can_id_tvbr(2, 1))
    cansub_tree:add(pf.id3, can_id_tvbr(3, 1))

    -- The whole payload handed to this subdissector
    cansub_tree:add(pf.data, tvbuf())
end -- p_cansub.dissector()

-- Registration
DissectorTable.get("can.subdissector"):add_for_decode_as(p_cansub)

Hope it helps,
Chris

> -----Original Message-----
> From: Wireshark-users <wireshark-users-bounces@xxxxxxxxxxxxx> On Behalf Of Fabian Cenedese
> Sent: Monday, June 5, 2023 4:58 PM
> To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
> Subject: Re: [Wireshark-users] Custom CAN dissector script
>
> At 22:29 05.06.2023, Guy Harris wrote:
>
> >On Jun 5, 2023, at 3:43 AM, Fabian Cenedese <Cenedese@xxxxxxxx> wrote:
> >
> >> We're using CAN bus as protocol and I implemented a capture to save
> >> the sent and received frames into a .pcapng file.
> >
> >So presumably that's using LINKTYPE_CAN_SOCKETCAN as the link-layer type in the IDBs, with the SocketCAN pseudo-header:
> >
> >    https://www.tcpdump.org/linktypes/LINKTYPE_CAN_SOCKETCAN.html
>
> I also tried CAN20B (190), but now I'm using SOCKETCAN (227) as this worked better.
>
> >> I can
> >> load it in Wireshark and the frames are displayed as CAN which is
> >> correct. However the fields are only shown as identifier and data
> >> bytes which doesn't say much yet.
> >
> >I.e., a SocketCAN header with ID, flags, and frame length, followed by an undissected Data field?
>
> Yes.
>
> >> I would like to add a custom dissector that will interpret the CAN
> >> fields further down. The identifier needs to be broken down into two
> >> separate fields
> >
> >I.e., you need to redissect the ID field as having two separate subfields?
>
> This is a dumping tool for an existing customer application that is based on CAN. However they didn't follow any open protocol and implemented it a bit different. The ID includes both a node ID as well as a command (5+6 bits). Also the first data byte is combined of two fields (2+6 bits). To better make out the values I wanted to see them in Wireshark directly as they are cumbersome to calculate in the head from the bytes.
>
> >If by "script" you mean "dissector written in Lua rather than C", that's going to be a bit tricky; subdissectors called by the SocketCAN dissector are passed a pointer to a structure that includes, among other things, the ID, but that's a C structure, and we don't currently have a good way to pass information to Lua subdissectors.
>
> I just assumed that lua is the fastest or easiest way to go, but I could also create a dll if that is better.
>
> >> as well as the first data byte.
> >>
> >> How would I register this dissector as it doesn't use an Ethernet
> >> port?
> >
> >Not sure what an "Ethernet port" is, but various dissectors that call subdissectors have dissector tables using various keys, such as Ethernet types, TCP or UDP ports, and so on.
>
> Exactly, always Ethernet related.
>
> >The SocketCAN dissector has two tables, named "can.id" and "can.extended_id", which use the un-extended 11-bit ID field and the extended 29-bit ID field, respectively, as keys. They use the entire ID field, not a subfield of the ID field. It should be possible to register either a C or Lua dissector in that table.
>
> Sounds promising, I'll try that.
>
> >> I'm happy if I can use it in the "Decode As" menu, it doesn't need to
> >> be applied automatically.
> >
> >You could use dissector_add_for_decode_as() for a C dissector, or dissectortable:add_for_decode_as() for a Lua dissector, to register in the "can.subdissector" table; using "Decode As..." to specify that dissector would cause all undissected CAN data to be passed that data.
>
> I'm not in office on Tuesday but I will try when I get back. Thanks for your help.
>
> bye Fabi
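
The split asked for in the quoted request (5+6 bits of the CAN ID, 2+6 bits of the first data byte), as an added example that is not part of the original thread and is neither Chris's nor the Wireshark project's code. It assumes the node ID is the upper 5 bits and the command the lower 6 bits of the 11-bit ID; the protocol name `cancust` and all field names are hypothetical.

```lua
-- Added example. Bit order and all "cancust" names are assumptions.
local can_id = Field.new("can.id")  -- ID as decoded by the SocketCAN dissector

local p_cust = Proto.new("cancust", "Custom CAN Protocol (example)")

local pf = {
    -- ID subfields get an explicit value computed in Lua, so no bitmask here.
    node = ProtoField.uint8("cancust.node", "Node ID", base.DEC),
    cmd  = ProtoField.uint8("cancust.cmd", "Command", base.HEX),
    -- First data byte: the masks let Wireshark extract and draw the bits.
    hi2  = ProtoField.uint8("cancust.b0_hi", "Byte 0, upper 2 bits", base.DEC, nil, 0xC0),
    lo6  = ProtoField.uint8("cancust.b0_lo", "Byte 0, lower 6 bits", base.DEC, nil, 0x3F),
    data = ProtoField.bytes("cancust.data", "Remaining data"),
}
p_cust.fields = pf

-- Split an 11-bit ID into (upper 5 bits, lower 6 bits) using arithmetic only,
-- so the script does not depend on a bit-operations library being present.
local function split_id(id)
    id = id % 0x800                    -- keep the 11 ID bits
    return math.floor(id / 64), id % 64
end

function p_cust.dissector(tvbuf, pinfo, tree)
    local id_fi = can_id()
    if not id_fi then return 0 end     -- no CAN ID in this frame: decline

    pinfo.cols.protocol:set("CANCUST")
    local t = tree:add(p_cust, tvbuf())

    -- Use the decoded numeric value instead of slicing raw header bytes.
    local node, cmd = split_id(id_fi.value)
    t:add(pf.node, id_fi.range, node)
    t:add(pf.cmd, id_fi.range, cmd)
    pinfo.cols.info:set(string.format("Node %d, Command 0x%02x", node, cmd))

    if tvbuf:len() >= 1 then           -- a CAN frame may carry no data bytes
        t:add(pf.hi2, tvbuf(0, 1))
        t:add(pf.lo6, tvbuf(0, 1))
    end
    if tvbuf:len() > 1 then
        t:add(pf.data, tvbuf(1))
    end
    return tvbuf:len()
end

DissectorTable.get("can.subdissector"):add_for_decode_as(p_cust)
```

Loaded as a Lua plugin, it is selected through "Decode As..." in the same way as the proof-of-concept above.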