CAN Bus Sniffer - Reverse Engineering Vehicle Data (Wireshark)

Looking to reverse engineer your vehicle data?

Decoding the CAN bus is popular with car hacking hobbyists and for commercial needs (e.g. converting proprietary J1939 data).

Here, you'll see how the CLX000 works as a CAN bus sniffer via Wireshark.

Further, we show how our 'CAN Live' feature works as a great free CAN sniffing tool!

CAN bus hacking car vehicle reverse engineering

For a quick intro, check out the 3 min video above!

CAN Bus Reverse Engineering - A (Very) Simple Intro

Before we get practical, let's illustrate how vehicle reverse engineering can be done.

First, note that vehicle sniffing has many applications - see below examples:

Despite the diversity, we've generalized 3 core steps to vehicle hacking below:

How to Hack a Car Step 1 Can-to-USB


Let's say you desperately need to log data from your windscreen wipers. To do so, you first need to identify what CAN ID contains your wiper data. Two methods exist for this:

  1. Log CAN data to an SD - and compare vs. the timing of physical events (e.g. wiper on/off)
  2. Stream CAN data live - and look for correlations via CAN sniffer software in real-time

This way you can "trim away" irrelevant IDs until you find the wiper CAN ID.

Sniff Car Network ECU CAN Signal - Car Wipers, RPM, Speed, Fuel


Great! Now you know what CAN ID reacts to your windscreen wipers.

Next, you'll locate the wiper CAN signal amongst the 64 CAN data bits.

To do so, analyse how the data bits react to the physical event (e.g. starting byte-by-byte).

Example: You may find that Byte 2 consistently changes between two values when the wipers are on/off - while all other bytes stay constant. Byte 2 is then (probably) the wiper signal.

CAN Bus Sniffer Software Tool Graph Scale Offset Spoof


Once you know the bit position & length of your CAN signal, it's time to "scale it" via a linear combination of Offset and Scale factors. If this is new to you, check our intro to CAN bus.

In the wiper case, the signal may be a boolean (on/off) - and you'd set Offset = 0 and Scale = 1.

In other cases, like RPM, you'd follow below steps:

  • Plot the decimal data vs. a "manual" plot of data on the real RPM vs. time
  • Next, assume a zero offset, "overlay" the two plots and "match them" by adjusting the Scale
  • Finally, set the Offset to ensure a clean overlap between the graphs

This is easier if you can log smooth transitions from MIN to MAX of the parameter.

Also, if your parameters have OBD2 equivalents (e.g. RPM, Speed, ...), it's helpful to compare the logged OBD2 data for faster analysis.

While the above is heavily simplified, it should be clear:

Hacking even a single CAN bus signal takes skill - and time!

We suggest you store the decoded CAN conversion rules in a CAN .DBC file for easy use in CAN software.

For more detailed tutorials on CAN hacking, check the below links:

Below, we list a range of useful guides for vehicle reverse engineering:

  • Hackaday: Great set beginner tutorials on how to hack your CAN bus
  • Kenny Kuchera: Cool step-by-step guide to hacking a car (incl. good deep-dives)
  • Alexandre Blin: Awesome 'backup camera' vehicle hack with an exciting walkthrough
  • Open Garages: Great video intros to CAN bus reverse engineering

Next, let's show how you can do step 1# and 2# in practice using the CLX000 in Wireshark:

Streaming Raw CAN Bus Data in Wireshark

For a guide on how to get started with Wireshark, see our article on streaming OBD2 data with Wireshark

You'll need the below:

Wireshark Vehicle Reverse Engineering How To Tips Basics

To get started, follow the below steps:

  1. Power your CLX000 CAN decoder via the OBD2 socket
  2. Connect your PC to the CLX000 via USB
  3. Open CANvas and go to LIVE STREAM DATA
  4. Click 'Connect Logger' and then 'Start'

The above opens up Wireshark and starts streaming raw CAN bus data on your PC (see the GIF example).

How To Reverse Engineer CAN Data using 'CAN Live'

Now you may be thinking: "Wow, that's a lot of CAN packets!"

By default, Wireshark simply provides you with an unfiltered stream of raw CAN bus data.

You've got many tools for analyzing this, incl. filtering, column configuration, plots and more.

However, here we focus on the 'CAN Live' plugin feature - which allows you to show a 'trace' of your data.

To open this view, click Statistics/CAN Live IDs when streaming - this brings up the below window:

CAN Bus Reverse Engineering Software Tool CAN Live ID

As evident, this view shows one row for each broadcasted CAN ID - providing a great overview for CAN bus hacking.

For each CAN ID, a number of data fields are shown:

  • Count: Number of times the CAN ID has been observed in the data
  • Frame No: Frame number of the latest observation of the ID
  • Time (s): Time of the latest observation of the ID (since start of streaming)
  • Period Time (s): Time between the latest ID and the previous ID observation
  • CAN ID: HEX value of the CAN ID
  • D0-D7: The 8 data bytes of the CAN message (in HEX)
  • Frame No. (Last Change): Frame of last different valued occurrence of the ID 
  • Time (Last Change) (s): Time since start-of-streaming and the latest change in the ID

Notice the blue colorization above?

When a CAN bus data byte changes, it's colored blue - and the color fades as the byte stays constant.

This is useful when comparing raw CAN bus data versus physical events (e.g. turning on the car wipers).

In fact, this type of CAN sniffer software is vital to reverse engineering steps 1# and 2#.

Hiding CAN IDs to simplify CAN bus reverse engineering

Still, the default CAN Live view has quite a lot of data!

Luckily, you can easily "hide CAN IDs" that are not relevant.

Simply click the 'Hide check-mark' to the left and the ID will disappear until you reopen the window. This lets you reduce complexity and get a clean slate for physical event testing. 

For example, you can hide all the IDs that appear when your car is standing still with the ignition turned on. 

Once you start driving, you'll see the “delta event IDs” only - making it easier to link IDs to correlated physical events.

Another useful feature is "auto trimming" (on by default):

This feature removes all IDs that do not have changing data bytes for a specified amount of time to help ensure focus.

CAN Analyzer CL3000 Stream Data Real Time

BONUS TIP: You can also load CLX000 log files into Wireshark, save them as *.pcap files and then "simulate" streaming of the data using e.g. a Ruby script. This way you can also do post analysis of your data using CAN Live.

Finally, for details on configuring the CAN Live settings click below:

CAN Bus Decoder Sniffer Software

To customize the CAN Live window, you can go to Edit/Preferences/Statistics/CAN Live to specify a key options:

Data bytes to include in ID: For most applications this should be set to 0 - but if you e.g. want to look at OBD2, you need to add the first 3 data bytes to get the unique ID.

Change highlighter decay rate (frames): This specifies the speed at which the color highlight dissapears - the higher #frames, the slower the decay.

Automatically hide IDs with no change: Enabling this means that IDs will be hidden from view if they do not have changing data bytes for a duration specified in the settings. 


Why use the CLX000 for CAN Sniffing?

A number of features makes the CLX000 CAN bus analyzer great for CAN sniffing:

Ready to start reverse engineering your CAN bus?
Then get your CLX000 CAN sniffer below!

 Liked this article? Please share!


We use cookies to improve our site (see our privacy policy)