/*********************************************************************************
 *                        tshark CAN协议分析初试
 * 说明:
 *     使用tshark分析CAN数据,协议支持,不过貌似CANopen的协议分析不出来,单纯的CAN
 * 数据分析data部分都无法显示,目前不知道原因。
 *
 *                                              2018-2-5 深圳 宝安西乡 曾剑锋
 ********************************************************************************/

一、tshark help:
    [buildroot@root ~]#  tshark -h
    Running as user "root" and group "root". This could be dangerous.
    TShark (Wireshark) 2.2.6 (wireshark-2.2.6)
    Dump and analyze network traffic.
    See https://www.wireshark.org for more information.
    
    Usage: tshark [options] ...
    
    Capture interface:
      -i <interface>           name or idx of interface (def: first non-loopback)
      -f <capture filter>      packet filter in libpcap filter syntax
      -s <snaplen>             packet snapshot length (def: 65535)
      -p                       don't capture in promiscuous mode
      -I                       capture in monitor mode, if available
      -B <buffer size>         size of kernel buffer (def: 2MB)
      -y <link type>           link layer type (def: first appropriate)
      -D                       print list of interfaces and exit
      -L                       print list of link-layer types of iface and exit
    
    Capture stop conditions:
      -c <packet count>        stop after n packets (def: infinite)
      -a <autostop cond.> ...  duration:NUM - stop after NUM seconds
                               filesize:NUM - stop this file after NUM KB
                                  files:NUM - stop after NUM files
    Capture output:
      -b <ringbuffer opt.> ... duration:NUM - switch to next file after NUM secs
                               filesize:NUM - switch to next file after NUM KB
                                  files:NUM - ringbuffer: replace after NUM files
    Input file:
      -r <infile>              set the filename to read from (- to read from stdin)
    
    Processing:
      -2                       perform a two-pass analysis
      -R <read filter>         packet Read filter in Wireshark display filter syntax
      -Y <display filter>      packet displaY filter in Wireshark display filter
                               syntax
      -n                       disable all name resolutions (def: all enabled)
      -N <name resolve flags>  enable specific name resolution(s): "mnNtCd"
      -d <layer_type>==<selector>,<decode_as_protocol> ...
                               "Decode As", see the man page for details
                               Example: tcp.port==8888,http
      -H <hosts file>          read a list of entries from a hosts file, which will
                               then be written to a capture file. (Implies -W n)
      --disable-protocol <proto_name>
                               disable dissection of proto_name
      --enable-heuristic <short_name>
                               enable dissection of heuristic protocol
      --disable-heuristic <short_name>
                               disable dissection of heuristic protocol
    Output:
      -w <outfile|->           write packets to a pcap-format file named "outfile"
                               (or to the standard output for "-")
      -C <config profile>      start with specified configuration profile
      -F <output file type>    set the output file type, default is pcapng
                               an empty "-F" option will list the file types
      -V                       add output of packet tree        (Packet Details)
      -O <protocols>           Only show packet details of these protocols, comma
                               separated
      -P                       print packet summary even when writing to a file
      -S <separator>           the line separator to print between packets
      -x                       add output of hex and ASCII dump (Packet Bytes)
      -T pdml|ps|psml|json|ek|text|fields
                               format of text output (def: text)
      -j <protocolfilter>      protocols layers filter if -T ek|pdml|json selected,
                               (e.g. "http tcp ip",
      -e <field>               field to print if -Tfields selected (e.g. tcp.port,
                               _ws.col.Info)
                               this option can be repeated to print multiple fields
      -E<fieldsoption>=<value> set options for output when -Tfields selected:
         bom=y|n               print a UTF-8 BOM
         header=y|n            switch headers on and off
         separator=/t|/s|<char> select tab, space, printable character as separator
         occurrence=f|l|a      print first, last or all occurrences of each field
         aggregator=,|/s|<char> select comma, space, printable character as
                               aggregator
         quote=d|s|n           select double, single, no quotes for values
      -t a|ad|d|dd|e|r|u|ud    output format of time stamps (def: r: rel. to first)
      -u s|hms                 output format of seconds (def: s: seconds)
      -l                       flush standard output after each packet
      -q                       be more quiet on stdout (e.g. when using statistics)
      -Q                       only log true errors to stderr (quieter than -q)
      -g                       enable group read access on the output file(s)
      -W n                     Save extra information in the file, if supported.
                               n = write network address resolution information
      -X <key>:<value>         eXtension options, see the man page for details
      -U tap_name              PDUs export mode, see the man page for details
      -z <statistics>          various statistics, see the man page for details
      --capture-comment <comment>
                               add a capture comment to the newly created
                               output file (only for pcapng)
    
    Miscellaneous:
      -h                       display this help and exit
      -v                       display version info and exit
      -o <name>:<value> ...    override preference setting
      -K <keytab>              keytab file to use for kerberos decryption
      -G [report]              dump one of several available reports and exit
                               default report="fields"
                               use "-G ?" for more help
    
    WARNING: dumpcap will enable kernel BPF JIT compiler if available.
    You might want to reset it
    By doing "echo 0 > /proc/sys/net/core/bpf_jit_enable"
    
    [buildroot@root ~]#

二、tshark支持协议查看:
    tshark -G protocols

三、vcan设置:
    sudo ip link add dev vcan0 type vcan
    sudo ip link set up vcan0
    candump vcan0
    canopend vcan0 -i 4 -s od4_storage -a od4_storage_auto

四、tshark抓包设备显示:
    [buildroot@root ~]#  sudo tshark -D
    Running as user "root" and group "root". This could be dangerous.
    1. eth0
    2. vcan0
    3. any
    4. lo (Loopback)
    5. usbmon1
    6. usbmon2
    7. usbmon3
    8. randpkt (Random packet generator)
    [buildroot@root ~]#

五、tshark vcan抓包:
    [buildroot@root ~]#  tshark -i vcan0
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'vcan0'
    device vcan0 entered promiscuous mode
        1 0.000000000              ?              CAN 32 STD: 0x00000704   7f
        2 0.000023000              ?              CAN 32 STD: 0x00000704   7f
        3 1.001414667              ?              CAN 32 STD: 0x00000704   7f
        4 1.001437667              ?              CAN 32 STD: 0x00000704   7f
        5 2.001844334              ?              CAN 32 STD: 0x00000704   7f
        6 2.001867334              ?              CAN 32 STD: 0x00000704   7f
        7 3.002829334              ?              CAN 32 STD: 0x00000704   7f
        8 3.002850334              ?              CAN 32 STD: 0x00000704   7f

六、tshark vcan can协议解析:
    [buildroot@root ~]#  tshark -i vcan0 -O can
    Running as user "root" and group "root". This could be dangerous.
    Capturing on 'vcan0'
    device vcan0 entered promiscuous mode
    Frame 1: 32 bytes on wire (256 bits), 32 bytes captured (256 bits) on interface 0
    Linux cooked capture
    Controller Area Network
        ...0 0000 0000 0000 0000 0111 0000 0100 = Identifier: 0x00000704
        0... .... .... .... .... .... .... .... = Extended Flag: False
        .0.. .... .... .... .... .... .... .... = Remote Transmission Request Flag: False
        ..0. .... .... .... .... .... .... .... = Error Flag: False
        Frame-Length: 1
    Data (1 byte)
    
    Frame 2: 32 bytes on wire (256 bits), 32 bytes captured (256 bits) on interface 0
    Linux cooked capture
    Controller Area Network
        ...0 0000 0000 0000 0000 0111 0000 0100 = Identifier: 0x00000704
        0... .... .... .... .... .... .... .... = Extended Flag: False
        .0.. .... .... .... .... .... .... .... = Remote Transmission Request Flag: False
        ..0. .... .... .... .... .... .... .... = Error Flag: False
        Frame-Length: 1
    Data (1 byte)