[Snort-devel] Analyze controller area network traffic

Bill Parker wp02855 at ...2499...
Wed Jul 15 12:34:45 EDT 2015

If this is what you're referring to, I don't believe that it is currently
supported in Snort:


Here is a subset of what I found:

A CAN base frame message begins with the start bit called "Start Of Frame
(SOF)", this is followed by the "Arbitration field" which consist of the
identifier and the "Remote Transmission Request (RTR)" bit used to
distinguish between the data frame and the data request frame called remote
frame. The following "Control field" contains the "IDentifier Extension
(IDE)" bit to distinguish between the CAN base frame and the CAN extended
frame, as well as the "Data Length Code (DLC)" used to indicate the number
of following data bytes in the "Data field". If the message is used as a
remote frame, the DLC contains the number of requested data bytes. The
"Data field" that follows is able to hold up to 8 data byte. The integrity
of the frame is guaranteed by the following "Cyclic Redundant Check (CRC)"
sum. The "ACKnowledge (ACK) field" compromises the ACK slot and the ACK
delimiter. The bit in the ACK slot is sent as a recessive bit and is
overwritten as a dominant bit by those receivers, which have at this time
received the data correctly. Correct messages are acknowledged by the
receivers regardless of the result of the acceptance test. The end of the
message is indicated by "End Of Frame (EOF)". The "Intermission Frame Space
(IFS)" is the minimum number of bits separating consecutive messages.
Unless another station starts transmitting, the bus remains idle after this.

Extended Frame Format:

The difference between an extended frame format message and a base frame
format message is the length of the identifier used. The 29-bit identifier
is made up of the 11-bit identifier (“base identifier”) and an 18-bit
extension (“identifier extension”). The distinction between CAN base frame
format and CAN extended frame format is made by using the IDE bit, which is
transmitted as dominant in case of an 11-bit frame, and transmitted as
recessive in case of a 29-bit frame. As the two formats have to co-exist on
one bus, it is laid down which message has higher priority on the bus in
the case of bus access collision with different formats and the same
identifier / base identifier: The 11-bit message always has priority over
the 29-bit message.
The extended format has some trade-offs: The bus latency time is longer (in
minimum 20 bit-times), messages in extended format require more bandwidth
(about 20 %), and the error detection performance is lower (because the
chosen polynomial for the 15-bit CRC is optimized for frame length up to
112 bits).

CAN controllers, which support extended frame format messages are also able
to send and receive messages in CAN base frame format. CAN controllers that
just cover the base frame format do not interpret extended frames
correctly. However there are CAN controllers, which only support the base
frame format but recognize extended messages and ignore them.


On Wed, Jul 15, 2015 at 7:08 AM, Chester Li <chester.lee.cold at ...2499...>

> Hi!
> I am trying to use Snort to analyze traffic on a Controller Area Network
> (CAN) interface, but getting an error message “Cannot decode data link type
> 227”, which is CAN protocol. Do we have such a feature to support CAN
> traffic analysis other than TCP/IP traffic?
> Thank you!!!
> Chester
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20150715/f18a9b42/attachment.html>

More information about the Snort-devel mailing list