At 22:29 05.06.2023, Guy Harris wrote:

>On Jun 5, 2023, at 3:43 AM, Fabian Cenedese <cened...@indel.ch> wrote:
>
>> We're using CAN bus as protocol and I implemented a capture
>> to save the sent and received frames into a .pcapng file.
>
>So presumably that's using LINKTYPE_CAN_SOCKETCAN as the link-layer type in 
>the IDBs, with the SocketCAN pseudo-header:
>
>        https://www.tcpdump.org/linktypes/LINKTYPE_CAN_SOCKETCAN.html

I also tried CAN20B (190), but now I'm using SOCKETCAN (227) as this
worked better.

>> I can
>> load it in Wireshark and the frames are displayed as CAN which
>> is correct. However the fields are only shown as identifier and
>> data bytes which doesn't say much yet.
>
>I.e., a SocketCAN header with ID, flags, and frame length, followed by an 
>undissected Data field?

Yes.

>> I would like to add a custom dissector that will interpret the CAN
>> fields further down. The identifier needs to be broken down into
>> two separate fields
>
>I.e., you need to redissect the ID field as having two separate subfields?

This is a dumping tool for an existing customer application that is based
on CAN. However they didn't follow any open protocol and implemented
it a bit different. The ID includes both a node ID as well as a command
(5+6 bits). Also the first data byte is combined of two fields (2+6 bits). To
better make out the values I wanted to see them in Wireshark directly as
they are cumbersome to calculate in the head from the bytes.

>If by "script" you mean "dissector written in Lua rather than C", that's going 
>to be a bit tricky; subdissectors called by the SocketCAN dissector are passed 
>a pointer to a structure that includes, among other things, the ID, but that's 
>a C structure, and we don't currently have a good way to pass information to 
>Lua subdissectors.

I just assumed that lua is the fastest or easiest way to go, but I could
also create a dll if that is better.

>> as well as the first data byte.
>> 
>> How would I register this dissector as it doesn't use an Ethernet
>> port?
>
>Not sure what an "Ethernet port" is, but various dissectors that call 
>subdissectors have dissector tables using various keys, such as Ethernet 
>types, TCP or UDP ports, and so on.

Exactly, always Ethernet related.

>The SocketCAN dissector has two tables, named "can.id <http://can.id/>" and 
>"can.extended_id", which use the un-extended 11-bit ID field and the extended 
>29-bit ID field, respectively, as keys.  They use the entire ID field, not a 
>subfield of the ID field.  It should be possible to register either a C or Lua 
>dissector in that table.

Sounds promising, I'll try that.

>> I'm happy if I can use it in the "Decode As" menu, it
>> doesn't need to be applied automatically.
>
>You could use dissector_add_for_decode_as() for a C dissector, or 
>dissectortable:add_for_decode_as() for a Lua dissector, to register in the 
>"can.subdissector" table; using "Decode As..." to specify that dissector would 
>cause all undissected CAN data to be passed that data.

I'm not in office on Tuesday but I will try when I get back. Thanks for
your help.

bye  Fabi

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-requ...@wireshark.org?subject=unsubscribe

Reply via email to