Snort mailing list archives
Re: Analyze controller area network traffic
From: Bill Parker <wp02855 () gmail com>
Date: Wed, 15 Jul 2015 09:34:45 -0700
If this is what you're referring to, I don't believe that it is currently supported in Snort: http://www.can-cia.org/index.php?id=systemdesign-can-protocol

Here is a subset of what I found:

A CAN base frame message begins with the start bit called "Start Of Frame (SOF)"; this is followed by the "Arbitration field", which consists of the identifier and the "Remote Transmission Request (RTR)" bit used to distinguish between the data frame and the data request frame, called remote frame. The following "Control field" contains the "IDentifier Extension (IDE)" bit to distinguish between the CAN base frame and the CAN extended frame, as well as the "Data Length Code (DLC)" used to indicate the number of following data bytes in the "Data field". If the message is used as a remote frame, the DLC contains the number of requested data bytes. The "Data field" that follows is able to hold up to 8 data bytes. The integrity of the frame is guaranteed by the following "Cyclic Redundancy Check (CRC)" sum. The "ACKnowledge (ACK) field" comprises the ACK slot and the ACK delimiter. The bit in the ACK slot is sent as a recessive bit and is overwritten as a dominant bit by those receivers which have at this time received the data correctly. Correct messages are acknowledged by the receivers regardless of the result of the acceptance test. The end of the message is indicated by "End Of Frame (EOF)". The "Intermission Frame Space (IFS)" is the minimum number of bits separating consecutive messages. Unless another station starts transmitting, the bus remains idle after this.

Extended Frame Format: The difference between an extended frame format message and a base frame format message is the length of the identifier used. The 29-bit identifier is made up of the 11-bit identifier ("base identifier") and an 18-bit extension ("identifier extension").

The distinction between CAN base frame format and CAN extended frame format is made by using the IDE bit, which is transmitted as dominant in case of an 11-bit frame, and transmitted as recessive in case of a 29-bit frame. As the two formats have to co-exist on one bus, it is laid down which message has higher priority on the bus in the case of bus access collision with different formats and the same identifier / base identifier: the 11-bit message always has priority over the 29-bit message. The extended format has some trade-offs: the bus latency time is longer (at minimum 20 bit-times), messages in extended format require more bandwidth (about 20 %), and the error detection performance is lower (because the chosen polynomial for the 15-bit CRC is optimized for frame lengths up to 112 bits). CAN controllers which support extended frame format messages are also able to send and receive messages in CAN base frame format. CAN controllers that just cover the base frame format do not interpret extended frames correctly. However, there are CAN controllers which only support the base frame format but recognize extended messages and ignore them.

Bill

On Wed, Jul 15, 2015 at 7:08 AM, Chester Li <chester.lee.cold () gmail com> wrote:
Hi! I am trying to use Snort to analyze traffic on a Controller Area Network (CAN) interface, but getting an error message "Cannot decode data link type 227", which is CAN protocol. Do we have such a feature to support CAN traffic analysis other than TCP/IP traffic? Thank you!!!

Chester

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud. GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and focus on growing your business. Configured For All Businesses. Start Your Cloud Today. https://www.gigenetcloud.com/
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
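Since Snort cannot decode link type 227, an analyst who still needs to look at a CAN capture has to decode the records by hand. The following is an added example, written for this archive page and not code from Snort or from the thread's authors. It assumes the pcap LINKTYPE_CAN_SOCKETCAN record layout (the "data link type 227" from Chester's error message): a big-endian 32-bit identifier word with the extended/RTR/error flag bits on top, one length byte, three flag/reserved bytes, then the data field. The on-wire fields the quoted text describes (SOF, CRC, ACK, EOF, IFS) are removed by the controller and never reach a capture, so the decoder recovers only the identifier, IDE/RTR flags, DLC and data. It also reconstructs the arbitration field bit by bit to show the rule from the quoted text that an 11-bit frame beats a 29-bit frame with the same base identifier. All sample records are constructed, not taken from a real bus.

```python
import struct
from dataclasses import dataclass

# Assumed record layout for pcap LINKTYPE_CAN_SOCKETCAN (DLT 227):
#   bytes 0-3  CAN ID, big-endian, flags in the top three bits
#   byte  4    payload length (the DLC for classic CAN)
#   bytes 5-7  FD flags and two reserved bytes
#   bytes 8+   data field (padded to 8 bytes for classic CAN)
CAN_EFF_FLAG = 0x80000000   # extended frame format: 29-bit identifier (IDE recessive)
CAN_RTR_FLAG = 0x40000000   # remote transmission request
CAN_ERR_FLAG = 0x20000000   # error message frame, not a bus data frame
CAN_SFF_MASK = 0x000007FF   # 11-bit base identifier
CAN_EFF_MASK = 0x1FFFFFFF   # 29-bit identifier
CAN_EXT_MASK = 0x0003FFFF   # 18-bit identifier extension


@dataclass
class CanFrame:
    extended: bool   # IDE bit recessive -> 29-bit identifier
    remote: bool     # RTR bit recessive -> remote frame
    base_id: int     # 11-bit base identifier
    extension: int   # 18-bit identifier extension, 0 for base frames
    dlc: int         # Data Length Code
    data: bytes      # data field (empty for remote frames)

    @property
    def identifier(self) -> int:
        """Full identifier: 11 bits, or 29 bits built as (base << 18) | extension."""
        return ((self.base_id << 18) | self.extension) if self.extended else self.base_id


def parse_socketcan(record: bytes) -> CanFrame:
    """Decode one DLT 227 record into its CAN base/extended frame fields."""
    if len(record) < 8:
        raise ValueError("record shorter than the 8-byte SocketCAN header")
    raw_id, dlc = struct.unpack_from(">IB", record, 0)
    if raw_id & CAN_ERR_FLAG:
        raise ValueError("error frame: the ID word carries error-class bits, not an identifier")
    if dlc > 8:
        raise ValueError(f"DLC {dlc} exceeds the 8-byte classic CAN data field")
    extended = bool(raw_id & CAN_EFF_FLAG)
    remote = bool(raw_id & CAN_RTR_FLAG)
    if extended:
        can_id = raw_id & CAN_EFF_MASK
        base_id, extension = can_id >> 18, can_id & CAN_EXT_MASK
    else:
        base_id, extension = raw_id & CAN_SFF_MASK, 0
    # For a remote frame the DLC is the number of requested bytes; no data follows.
    data = b"" if remote else record[8:8 + dlc]
    if not remote and len(data) != dlc:
        raise ValueError("data field truncated relative to DLC")
    return CanFrame(extended, remote, base_id, extension, dlc, data)


def arbitration_bits(frame: CanFrame) -> list:
    """Arbitration field in wire order; 0 is dominant, 1 is recessive."""
    bits = [(frame.base_id >> i) & 1 for i in range(10, -1, -1)]
    rtr = 1 if frame.remote else 0
    if frame.extended:
        # SRR (always recessive), IDE recessive, 18-bit extension, then RTR
        bits += [1, 1]
        bits += [(frame.extension >> i) & 1 for i in range(17, -1, -1)]
        bits.append(rtr)
    else:
        # RTR, then the dominant IDE bit that opens the control field
        bits += [rtr, 0]
    return bits


def arbitration_winner(a: CanFrame, b: CanFrame) -> CanFrame:
    """Bit-wise arbitration: at the first differing bit the dominant (0) sender wins."""
    for x, y in zip(arbitration_bits(a), arbitration_bits(b)):
        if x != y:
            return a if x == 0 else b
    return a  # identical arbitration fields cannot coexist on a correct bus


# Constructed sample records, 16 bytes each as pcap emits classic CAN frames.
BASE_RECORD = bytes.fromhex("00000123") + bytes([3, 0, 0, 0]) + bytes.fromhex("112233") + bytes(5)
# Base id 0x123 with extension 0x12345 -> 29-bit id 0x48D2345, EFF flag set.
EXT_RECORD = bytes.fromhex("848D2345") + bytes([8, 0, 0, 0]) + bytes(range(8))
# Remote frame requesting 4 bytes from identifier 0x100.
RTR_RECORD = bytes.fromhex("40000100") + bytes([4, 0, 0, 0]) + bytes(8)

if __name__ == "__main__":
    base, ext, rtr = (parse_socketcan(r) for r in (BASE_RECORD, EXT_RECORD, RTR_RECORD))
    for f in (base, ext, rtr):
        print(f"{'EXT' if f.extended else 'BASE'} id=0x{f.identifier:X} dlc={f.dlc} "
              f"{'remote' if f.remote else f.data.hex()}")
    # Same base identifier: the 11-bit frame wins, as the quoted CiA text states.
    print("winner:", "base" if arbitration_winner(base, ext) is base else "extended")
```

The arbitration comparison is the useful part for a defender: it explains why a low identifier, or a base frame colliding with an extended one, always gets the bus, which is what makes identifier-based flooding effective and is the property a CAN-aware monitor would have to reason about.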
Current thread:
- Analyze controller area network traffic Chester Li (Jul 15)
- Re: [Snort-devel] Analyze controller area network traffic Y M (Jul 15)
- Re: [Snort-devel] Analyze controller area network traffic Al Lewis (allewi) (Jul 15)
- Message not available
- Re: [Snort-devel] Analyze controller area network traffic snort (Jul 15)
- Message not available
- Re: [Snort-devel] Analyze controller area network traffic snort (Jul 15)
- Re: [Snort-devel] Analyze controller area network traffic Y M (Jul 15)