Are you looking for a simple, yet powerful CAN bus sniffer to hack your vehicle data?
Sniffing, hacking and reverse engineering the CAN bus is popular with hobbyists - cf. e.g. Hackaday for great CAN bus hacks!
Here, we show how our CANLoggerX000 can act as a CAN bus sniffer via the popular network analyzer Wireshark. Further, we show how our plugin feature, CAN Live, offers great free CAN sniffer software for reverse engineering raw CAN data.
For a quick intro, check out our 2 min video above!
For a guide on how to get started, we recommend our article on streaming OBD2 data with Wireshark.
In short, you’ll need a CANLoggerX000, a DB9-to-OBD2 connector, our free CANvas software, Wireshark and our Wireshark Plugin.
This article is based on data streamed from a Peugeot 207.
Once you’ve connected the CAN bus sniffer to the OBD2-connector and your PC, simply open CANvas and choose the ‘Live Stream Data’ mode.
Here, choose Wireshark Legacy mode in the drop-down, click Connect and Start to begin streaming packets.
The plugin has been developed to work optimally with the CANLoggerX000, but we offer it freely to allow people to check it out. If you wish to share it, please reference our website.
Now you may be thinking: "Wow, easy on the CAN packet data feed!"
This is how you solve that:
Once you’ve started streaming, you’ll find that the CAN messages appear at a fast rate in the live stream regular view. To hack your car and sniff packets for reverse engineering CAN messages, it is key that you can identify links between physical events (e.g. driving forward) and the response in the raw CAN bus data.
To do so, you can open the CAN Live window from the Statistics tab. Doing so brings up a window with all unique CAN IDs present in the data streamed so far.
For each CAN ID, you will find the following info fields available:
Notice the blue colorization in the video / images?
These reflect when a given data byte is changing value and fade out as the byte stays constant. This is useful when comparing the data versus physical events (e.g. turning on the car wipers).
Still, that's quite a lot of data to review!
Luckily, CAN Live allows you to hide CAN IDs that are not relevant to your analysis!
Simply click the Hide check-mark to the left and the ID will disappear until you reopen the window. This allows you to reduce complexity and get a clean slate for physical event testing.
For example, you can hide all the IDs that appear when your car is standing still with the ignition turned on.
Once you then start driving, you will start to see IDs related to that “delta event” alone - which makes it far easier to separate IDs.
Another cool feature is “auto trimming” which is turned on by default:
This feature removes all IDs that do not have changing data bytes for a specified amount of time to help ensure focus.
To customize the window, you can go to Edit/Preferences/Statistics/CAN Live to specify key options:
Data bytes to include in ID: For most applications this should be set to 0 - but if you e.g. want to look at OBD2, you need to add the first 3 data bytes to get the unique ID.
Change highlighter decay rate (frames): This specifies the speed at which the color highlight disappears - the higher #frames, the slower the decay.
Automatically hide IDs with no change: Enabling this means that IDs will be hidden from view if they do not have changing data bytes for a duration specified in the settings.
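The same "delta event" idea can be applied offline to two logged captures. The sketch below is an added example, not part of the CAN Live plugin or CANvas: it assumes frames are available as `(can_id, data)` tuples, reports which byte positions change per unique ID (the bytes CAN Live would highlight), drops IDs that were already changing in the baseline, and supports folding leading data bytes into the ID as the "Data bytes to include in ID" option does. All frame values are constructed for illustration.

```python
def changing_bytes(frames, id_bytes=0):
    """Map each unique ID to the set of payload byte positions that changed.

    frames: iterable of (can_id, data) tuples in capture order.
    id_bytes: leading data bytes folded into the key, mirroring the
    "Data bytes to include in ID" preference (0 normally, 3 for OBD2).
    """
    last, changed = {}, {}
    for can_id, data in frames:
        key = (can_id, bytes(data[:id_bytes]))
        positions = changed.setdefault(key, set())
        prev = last.get(key)
        if prev is not None:
            positions.update(i for i, (a, b) in enumerate(zip(prev, data)) if a != b)
        last[key] = data
    return changed

def delta_event(baseline, event, id_bytes=0):
    """IDs whose bytes change during the event but were quiet in the baseline."""
    noisy = {k for k, pos in changing_bytes(baseline, id_bytes).items() if pos}
    return {
        key: sorted(pos)
        for key, pos in changing_bytes(event, id_bytes).items()
        if pos and key not in noisy  # static IDs are trimmed, noisy ones hidden
    }

h = bytes.fromhex

# Constructed frames: ignition on, car standing still.
BASELINE = [(0x1A0, h("0000000000000001")), (0x2B4, h("00000000")),
            (0x1A0, h("0000000000000002")), (0x2B4, h("00000000"))]
# Constructed frames: car starts moving.
EVENT = [(0x1A0, h("0000000000000003")), (0x2B4, h("00000000")),
         (0x3C2, h("FF00")), (0x1A0, h("0000000000000004")),
         (0x2B4, h("01A40000")), (0x3C2, h("FF00")), (0x2B4, h("02100000"))]
# Constructed OBD2 responses: byte 0 = length, byte 1 = 0x41, byte 2 = PID.
OBD2 = [(0x7E8, h("04410C0BB8000000")), (0x7E8, h("03410D0000000000")),
        (0x7E8, h("04410C0C80000000")), (0x7E8, h("03410D1400000000"))]

if __name__ == "__main__":
    for (can_id, _), pos in delta_event(BASELINE, EVENT).items():
        print(f"0x{can_id:03X}: bytes {pos} change only during the event")
    for (can_id, prefix), pos in changing_bytes(OBD2, id_bytes=3).items():
        print(f"0x{can_id:03X} [{prefix.hex()}]: changing bytes {sorted(pos)}")
```

With `id_bytes=0` the two OBD2 PIDs collapse into one ID whose bytes appear to change constantly, which is why the preference needs to be 3 for OBD2 traffic.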
A number of features make the CANLoggerX000 viable for CAN sniffing:
Beyond the CAN Live reflected in this article, the Wireshark plugin also provides an OBD2 decoder (to stream and plot converted OBD2 data) and an OBD2 Live view that works similarly to the above, but for converted OBD2 data. Further, we've added support for DBC conversion (incl. J1939).
We are quite passionate about the solution we’ve put together for CAN sniffing purposes and we believe it matches some far more expensive hardware/software combinations. However, we want to learn how we can improve it further and build new features to help CAN hacker enthusiasts - let us know what we should add!
For more similar articles, check out our INTEL page.