fix(dumpcap): Correctly record can frames

There seems to be a wireshark "fix" which removed the "Linux Captured" layer from CAN traces. This caused our filter to match no frames… Co-authored-by: Tobias Specht <tobias.specht@aisec.fraunhofer.de>
Fraunhofer-AISEC · Dec 7, 2023 · 63b2f7f · 63b2f7f
1 parent 8c9906f
commit 63b2f7f
Showing 1 changed file with 3 additions and 4 deletions.
diff --git a/src/gallia/dumpcap.py b/src/gallia/dumpcap.py
@@ -128,18 +128,17 @@ def _can_cmd(
     ) -> list[str] | None:
         args = ["dumpcap", "-q", "-i", iface, "-w", "-"]
         # Debug this with `dumpcap -d` or `tshark -x` to inspect the captured buffer.
-        filter_ = "link[1] == 0x01"  # broadcast flag; ignore "sent by us" frames
+        filter_ = ""
 
         if src_addr is not None and dst_addr is not None:
             # TODO: Support extended CAN IDs
             if src_addr > 0x800 or dst_addr > 0x800:
                 logger.error("Extended CAN Ids are currently not supported!")
                 return None
 
-            # Debug this with `dumpcap -d` or `tshark -x` to inspect the captured buffer.
             filter_ += (
-                f"&& (link[16:2] == {Dumpcap._swap_bytes_16(src_addr):#x} "  # can_id is in little endian
-                f"|| link[16:2] == {Dumpcap._swap_bytes_16(dst_addr):#x})"
+                f"link[0:2] == {Dumpcap._swap_bytes_16(src_addr):#x} "  # can_id is in little endian
+                f"|| link[0:2] == {Dumpcap._swap_bytes_16(dst_addr):#x}"
             )
         args += ["-f", filter_]
         return args