Posted by: yegorich | May 7, 2012

Capturing and Analyzing CAN Frames with Wireshark

Wireshark is a well-known network packet sniffer. Since 2009 it is also capable of capturing CAN frames via SocketCAN interface in Linux. Just configure and activate your CAN interface and it will show up as one of the available sniffing interfaces. The image below shows CAN frames captured via USB-CAN adapter (slcan driver).

Following information will be extracted from CAN frame:

  • Identifier
  • Extended Flag
  • Remote Transmission Request Flag
  • Error Flag

As of Wireshark version 1.7.1 CANopen dissector was introduced. See image below.

As CAN has no ports or other remarkable protocol options you’ll have to manually choose, how CAN frames should be interpreted.

And the last note. Though CAN frames can be captured only in Linux, they still can be analyzed on every system Wireshark is running on.



  1. It’s remarkable to pay a visit this site and reading the views of all friends regarding this paragraph, while I am also eager of getting know-how.

  2. do you know how is it possible to replay a capture of can frames ? with cansend for example?

    • I don’t know. Basically you can replay wireshark captured traffic via tcpreplay, but I don’t know if it can handle CAN frames. I would ask this question on the linux-can mailing list.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: