Reverse Engineering CAN Bus Messages with Wireshark

Are you looking for a simple, yet powerful CAN bus sniffer to hack your vehicle data?

Sniffing, hacking and reverse engineering the CAN bus is a popular with hobbyists - cf. e.g. Hackaday for great CAN bus hacks!

Here, we show how our CLX000 can act as a CAN bus sniffer via the popular network analyzer Wireshark
Further, we show how our plugin feature, CAN Live, offers great free CAN sniffer software for reverse engineering raw CAN data.

CAN bus hacking car vehicle reverse engineering

For a quick intro, check out our 3 min video above, neatly illustrating the Wireshark plugin features in practice!

How to sniff CAN bus Packets with Wireshark

For a guide on how to get started, we recommend our article on streaming OBD2 data with Wireshark

In short, you’ll need a CLX000, a DB9-to-OBD2 connector, our free CANvas software, Wireshark and our Wireshark Plugin.


We use a CLX000 CAN sniffer in a Peugeot 207

Once you’ve connected the CAN bus sniffer to the OBD2-connector and your PC, simply open CANvas and choose the ‘Live Stream Data’ mode. 

Here, choose Wireshark Legacy mode in the drop-down, click Connect and Start to begin streaming packets.

The plugin has been developed to work optimally with the CLX000, but we offer it freely to allow people to check it out. If you wish to share it, please reference our website.

Using the CAN Live plugin feature

Now you may be thinking: "Wow, that's a lot of packets!"

Honestly, the default Wireshark view can be hard to work with. This is how you solve that:

Once you’ve started streaming, you’ll find that the CAN messages appear at a fast rate in the live stream regular view. To hack your car and sniff packets for reverse engineering CAN messages, it is key that you can identify links between physical events (e.g. driving forward) and the response in the raw CAN bus data.

To do so, you can open the CAN Live window from the Statistics tab. Doing so brings up a window with all unique CAN IDs present in the data that the CAN sniffer has recorded so far.

For each CAN ID, you will find the following info fields available:

  • Count: This counts the number of times the ID has occurred in the data
  • Frame No: Frame number of the last occurrence of the ID in the stream
  • Time (s): This provides the time of occurrence of the ID since streaming started
  • Period (s): Time since the last ID occurrence, regardless of the data values
  • CAN ID: This shows the HEX value of the CAN ID
  • D0-D7: This shows the eight HEX data bytes of the CAN message
  • Frame No. (Last Change): Frame of last different valued occurrence of the ID 

Notice the blue colorization in the video / images?

These reflect when a given CAN bus data byte is changing value and fade out as the byte stays constant. This is useful when comparing the CAN bus data versus physical events (e.g. turning on the car wipers).

Analyzing these patterns comprise the basics of CAN bus hacking.

Hiding CAN IDs to simplify CAN bus reverse engineering

Still, that's quite a lot of data to review!

Luckily, CAN Live allows you to hide CAN IDs that are not relevant to your analysis!

Simply click the Hide check-mark to the left and the ID will disappear until you reopen the window.
This allows you to reduce complexity and get a clean slate for physical event testing. 

For example, you can hide all the IDs that appear when your car is standing still with the ignition turned on. 

Once you then start driving, you will start to see IDs related to that “delta event” alone - which makes it far easier to separate IDs.

Another cool feature is “auto trimming” which is turned on by default:

This feature removes all IDs that do not have changing data bytes for a specified amount of time to help ensure focus.

By leveraging these features, you'll be a pro CAN bus decoder in no time!


Changing the Settings

To customize the window, you can go to Edit/Preferences/Statistics/CAN Live to specify a key options:

Data bytes to include in ID: For most applications this should be set to 0 - but if you e.g. want to look at OBD2, you need to add the first 3 data bytes to get the unique ID.

Change highlighter decay rate (frames): This specifies the speed at which the color highlight dissapears - the higher #frames, the slower the decay.

Automatically hide IDs with no change: Enabling this means that IDs will be hidden from view if they do not have changing data bytes for a duration specified in the settings. 


Why use the CLX000 for CAN bus reverse engineering?

A number of features makes the CLX000 viable for CAN sniffing:

  • The logger starts at 169 EUR with free shipping, making it highly affordable
  • The CANvas software, Wireshark and our plugin are all 100% free
  • Wireshark is an extremely popular platform and plugins are easy to build & extend
  • The logger is plug-and-play - no coding or configuration is needed to start streaming
  • The CLX000 also allows you to transmit e.g. OBD2 requests for use in the analyses
  • Contrary to most CAN bus interfaces, the CLX000 is also a CAN logger with 8GB SD card
  • The time-stamp provided in Wireshark by the logger is more exact vs. the PC time 

Overall, a lot of our users have tried e.g. Arduino boards, but choose the CLX000 as the simpler CAN bus hacking alternative.

Closing Remarks

Beyond the CAN Live reflected in this article, the Wireshark plugin also provides an OBD2 decoder (to stream and plot converted OBD2 data) and an OBD2 Live view that works similarly to the above, but for converted OBD2 data. Further, we've added support for DBC conversion (incl. J1939).

We are quite passionate for the solution we’ve put together for CAN sniffing purposes and we believe it matches some far more expensive hardware/software combinations. However, we want to learn how we can improve it further and build new features to help CAN hacker enthusiasts - let us know what we should add!

For more similar articles, check out our GUIDES page.

We use cookies to improve our site (see our privacy policy)