ICSim Data Wrangling
- Author: Dr. Jim Marquardson (jimarqua@nmu.edu)
- Updated 2024-06-12
CAN networks can generate a lot of traffic. It can be challenging to find a specific event, such as the network traffic generated when turning on a blinker. This lesson introduces some tools and approaches for finding events.
Learning Objectives
In this exercise, you will learn to:
- start ICSim and the controller using a seed,
- use candump to record network traffic to a file, and
- evaluate data using Linux tools.
Prerequisites
This exercise assumes that the following are available:
- Kali Linux VM with a graphical user interface,
- can-utils has been installed,
- ICSim has been installed to ~/ICSim.
Reset Applications
- Close the ICSim and controller applications, if they are running.
- Stop cansniffer if it is running, using control+c.
- Close all open terminals.
- There should be no applications running right now.
Setup a CAN Network
- Open a terminal.
- Navigate to the ~/ICSim directory.
cd ~/ICSim
- Create the vcan0 network. The setup_vcan.sh script creates a virtual CAN interface named vcan0 (it relies on the vcan kernel module). This vcan0 interface stands in for the physical wire of a CAN bus: every program attached to it sees every frame, which is what lets candump and cansniffer observe the traffic between the simulator and the controller.
sudo sh setup_vcan.sh
Enter the password (kali) if prompted.
- You may not see any output; the command likely worked. Check that the vcan0 interface exists using ifconfig. (If ifconfig is not installed on your system, the iproute2 command ip link show vcan0 gives the same information.)
ifconfig
You should see vcan0 in the list of network adapters.
vcan0: flags=193<UP,RUNNING,NOARP> mtu 72
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- If you run sudo sh setup_vcan.sh and see a message like "RTNETLINK answers: File exists," this means that the vcan0 network has already been set up. You can ignore this message and continue.
Launch the Simulator
- Run the following commands to launch the vehicle simulator and the controller. The -s 50 option sets the seed from which ICSim derives its arbitration IDs, so the IDs are different from any previous exploration you have done. The simulator and the controller must be started with the same seed, otherwise the controller's frames will not drive the simulator. Ensure that your working directory is ~/ICSim before running these commands. Because both programs are started in the background with &, you will likely have to press enter twice in the terminal to return to the terminal prompt.
./icsim -s 50 vcan0 &
./controls -s 50 vcan0 &
Capture Noise
The cansniffer tool shows CAN messages in real time. However, the messages disappear from the display after a few seconds, so nothing is kept for later analysis. In this section, you will use candump to save the network traffic to a file.
- Without manipulating the controller, dump the messages to a file using the following command.
candump vcan0 -l -f noise.txt
- The -l parameter tells candump to log the messages to a file instead of dumping everything to the screen.
- The -f noise.txt parameter tells candump the name of the log file to create.
- After about 10 seconds, press control+c to stop the candump capture.
- The command writes all captured frames into a file called noise.txt.
- Investigate the noise.txt file using the following commands.
head noise.txt
tail noise.txt
cat noise.txt
You should see data like the following.
(1718213111.793539) vcan0 164#0000C01AA8000004
(1718213111.793559) vcan0 133#00000000A7
(1718213111.793572) vcan0 136#000200000000002A
(1718213111.793590) vcan0 13A#0000000000000028
(1718213111.793610) vcan0 13F#000000050000002E
(1718213111.793629) vcan0 17C#0000000010000021
(1718213111.793649) vcan0 18E#00006B
- The first column contains a timestamp (seconds since the Unix epoch, with microsecond precision).
- The second column contains the network interface (vcan0).
- The third column contains the arbitration ID (e.g., 18E) and the data payload (e.g., 00006B), separated by the # symbol. The ID is written in hexadecimal, and the payload is up to 8 bytes written as hexadecimal byte pairs.
- Because you were not touching the controller, none of these frames were caused by the left blinker. This file is your baseline: any frame that shows up in a later capture but not in this one is a candidate for the control you operated.
Capture the Signal
The goal is to capture the signal that activates the left blinker. In this section, you will perform another capture. You will start candump, activate the controller, press the left arrow to turn on the blinker, return to the terminal, and press control+c to stop the capture. You will want to do these quickly to minimize the amount of data you capture because only the blinker signal is important. The less noise you capture, the easier your analysis will be.
- Run the following command to start a new candump capture. Before pressing enter to run the command, be prepared to quickly move your mouse to click on the controller.
candump vcan0 -l -f signal_left.txt
- Click on the controller so that it is the active application.
- Press the left arrow key to turn on the blinker.
- Click on the terminal where candump is running.
- Press control+c to stop the candump capture.
- Investigate the signal_left.txt file.
cat signal_left.txt
- Despite only capturing data for a few moments, a large amount of traffic was still captured.
Prepare Data
- The timestamps are not important in the current investigation, and they make every line unique, so no line in one capture could ever match a line in the other. Run these commands to remove the timestamp column from both files.
sed 's/^[^ ]* //' -i noise.txt
sed 's/^[^ ]* //' -i signal_left.txt
The sed command uses pattern matching to modify lines in files. The pattern ^[^ ]*  (start of line, then any run of non-space characters, then a single space) matches from the beginning of each line through the first space, and the empty replacement deletes that match, leaving only the interface, arbitration ID and data. The -i parameter tells sed to modify the file in place. The original timestamps are gone afterward, so copy the capture files first if you think you will want the timing information later.
- Check that the timestamps no longer exist.
head noise.txt
head signal_left.txt
- You should see data like the following. The timestamp column has been removed.
vcan0 166#D0320036
vcan0 158#0000000000000037
vcan0 161#000005500108003A
vcan0 191#010010A1410029
vcan0 164#0000C01AA8000022
vcan0 133#0000000089
Analyze Data
- There are many ways to analyze data. The following step uses the grep command to compare the two files. It prints the lines of signal_left.txt that do not appear anywhere in noise.txt.
grep -vxFf noise.txt signal_left.txt
The options mean: -f noise.txt reads the patterns to search for from noise.txt, one per line; -F treats those patterns as fixed strings rather than regular expressions (which is also much faster for a long pattern list); -x requires a pattern to match a whole line, so a noise line cannot match merely as a substring of a longer signal line; and -v inverts the result so that only the non-matching lines of signal_left.txt are printed.
- The output should look similar to the following. These are all of the codes sent on the network when you captured the left blinker that were not in the capture when you captured the noise.
vcan0 39D#00000001DB0000
vcan0 25F#00000000000100
vcan0 39D#00000001DB0000
vcan0 39D#00000001810000
- The search space for the left blinker code has been greatly reduced.
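The prepare-and-compare steps above are the same for every control you investigate, so it is worth keeping them in a small script. The following is an added example written for this lab (it is not part of the original page or of ICSim): it wraps the sed and grep commands from the Prepare Data and Analyze Data sections in POSIX shell functions, adds a sort -u so repeated frames are listed once, and adds a per-ID count that separates a constantly changing sensor from a discrete control. The candump log lines embedded in make_sample_logs are constructed sample data, not a real capture; GNU sed and grep, as installed on Kali, are assumed.

```sh
# Added example for this lab (not part of the original page or of ICSim):
# the "Prepare Data" and "Analyze Data" steps wrapped in reusable shell
# functions, so the same pipeline can be run for the blinker, the speedometer
# (Challenge 1) or a longer noise capture (Challenge 2).
# The candump log lines embedded below are constructed sample data, not a real capture.

# Strip the leading "(timestamp) " column from a candump -l log file.
# Output goes to stdout, so the raw capture stays untouched.
strip_timestamps() {
    sed 's/^[^ ]* //' "$1"
}

# Frames in the signal capture that never appear in the noise capture.
#   -F  treat each noise line as a fixed string, not a regular expression
#   -x  a noise line must match the whole signal line
#   -f  read the match patterns from the noise file
#   -v  print the signal lines that did NOT match
# sort -u collapses repeats (the same blinker frame is often sent twice).
find_candidates() {
    tmp_noise=$(mktemp)
    tmp_signal=$(mktemp)
    strip_timestamps "$1" > "$tmp_noise"
    strip_timestamps "$2" > "$tmp_signal"
    grep -vxFf "$tmp_noise" "$tmp_signal" | sort -u
    rm -f "$tmp_noise" "$tmp_signal"
}

# Count distinct payloads per candidate arbitration ID, busiest first.
# An ID with many payloads behaves like a changing sensor (the speedometer);
# an ID with one or two payloads is a likely discrete control such as a blinker.
candidate_ids() {
    find_candidates "$1" "$2" \
        | awk '{ split($2, f, "#"); print f[1] }' \
        | sort | uniq -c | sort -rn
}

# Constructed sample captures in candump -l format (assumed data for this example).
# The first file plays the role of noise.txt, the second of signal_left.txt.
make_sample_logs() {
    cat > "$1" <<'EOF'
(1718213111.793539) vcan0 164#0000C01AA8000004
(1718213111.793559) vcan0 133#00000000A7
(1718213111.793572) vcan0 136#000200000000002A
(1718213111.793590) vcan0 13A#0000000000000028
EOF
    cat > "$2" <<'EOF'
(1718213120.101001) vcan0 164#0000C01AA8000004
(1718213120.101020) vcan0 39D#00000001DB0000
(1718213120.101041) vcan0 133#00000000A7
(1718213120.101063) vcan0 25F#00000000000100
(1718213120.101080) vcan0 39D#00000001DB0000
(1718213120.101102) vcan0 39D#00000001810000
EOF
}

# Usage with real captures from this lab:
#   find_candidates noise.txt signal_left.txt
#   candidate_ids  noise.txt signal_left.txt
```

On the constructed data, find_candidates lists the three distinct frames that only occur in the signal file (the repeated 39D frame appears once), and candidate_ids reports 39D with two payloads and 25F with one. Because the functions write to stdout rather than editing the captures in place, you can rerun them against a longer noise capture for Challenge 2 without recapturing the signal files.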
Test Codes
- Test the codes you found using cansend. One of them should turn the left blinker on. Watch the ICSim window after each command; the 39D frame that appeared twice only needs to be sent once.
cansend vcan0 39D#00000001DB0000
cansend vcan0 25F#00000000000100
cansend vcan0 39D#00000001DB0000
cansend vcan0 39D#00000001810000
Challenge 1
- Use these same techniques to find the new arbitration IDs for the speedometer. For example, you might create a new file called signal_speed.txt using the following command. (The door unlock controls do not seem to work with this particular seed.)
candump vcan0 -l -f signal_speed.txt
- You would then prep the data to get rid of the timestamp.
sed 's/^[^ ]* //' -i signal_speed.txt
- Then investigate the records in signal_speed.txt that do not exist in noise.txt.
grep -vxFf noise.txt signal_speed.txt
- Next, test the codes using cansend.
Note that because the speedometer is constantly changing values, there may be many valid codes in signal_speed.txt: one code for each incremental change in the speedometer.
Challenge 2
- Recapture the noise file so that it runs longer.
- Prepare the noise file for analysis.
- Use grep to compare the signal files you captured against the new noise file.
- Did capturing more noise reduce the search space?
Challenge 3
Find a tool other than grep that would compare the differences between two files.
Shutting Down
- Close the ICSim window. You may have to click Yes to confirm closing it.
- Close the controller window.
Reflection
- Was 10 seconds long enough to record noise?
- How else might you find the signal in the noise?