ICSim Data Wrangling

  • Author: Dr. Jim Marquardson (jimarqua@nmu.edu)
  • Updated 2024-06-12

CAN networks can generate a lot of traffic. It can be challenging to find a specific event, such as the network traffic generated when turning on a blinker. This lesson introduces some tools and approaches for finding events.

Learning Objectives

In this exercise, you will learn to:

  • start ICSim and the controller using a seed,
  • use candump to record network traffic to a file, and
  • evaluate data using Linux tools.

Prerequisites

This exercise assumes that the following are available:

  • Kali Linux VM with a graphical user interface,
  • can-utils has been installed,
  • ICSim has been installed to ~/ICSim.

Reset Applications

  • Close the ICSim and controller applications, if they are running.
  • Stop cansniffer if it is running, using control+c.
  • Close all open terminals.
  • There should be no applications running right now.

Set Up a CAN Network

  • Open a terminal.
  • Navigate to the ~/ICSim directory.
cd ~/ICSim
  • Create the vcan0 network. This vcan0 network essentially simulates a physical wire to sensors in a bus topology.
sudo sh setup_vcan.sh

Enter the password (kali) if prompted.

  • You may not see any output. The command likely worked. Check for the vcan0 network using ifconfig.
ifconfig

You should see vcan0 in the list of network adapters.

vcan0: flags=193<UP,RUNNING,NOARP>  mtu 72
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • If you run sudo sh setup_vcan.sh and see a message like, "RTNETLINK answers: File exists," this means that the vcan0 network has already been set up. You can ignore this message and continue.

Launch the Simulator

  • Run the following commands to launch the vehicle simulator and the controller. The -s 50 option provides a random seed so that the arbitration IDs are different from any previous exploration you have done. Ensure that your working directory is ~/ICSim before running these commands. You will likely have to press Enter twice in the terminal to return to the terminal prompt.
./icsim -s 50 vcan0 &
./controls -s 50 vcan0 &

Capture Noise

The cansniffer tool shows CAN messages in real-time. However, the messages disappear after a few seconds. In this section, you will use candump to save the network traffic to a file.

  • Without manipulating the controller, dump the messages to a file using the following command.
candump vcan0 -l -f noise.txt
  • The -l parameter tells candump to log the messages to a file instead of dumping everything to the screen.
  • The -f noise.txt parameter tells candump the name of the file to create.
  • After about 10 seconds, press control+c to stop the candump capture.
  • The command outputs all data into a file called noise.txt.
  • Investigate the noise.txt file using the following commands.
head noise.txt
tail noise.txt
cat noise.txt

You should see data like the following.

(1718213111.793539) vcan0 164#0000C01AA8000004
(1718213111.793559) vcan0 133#00000000A7
(1718213111.793572) vcan0 136#000200000000002A
(1718213111.793590) vcan0 13A#0000000000000028
(1718213111.793610) vcan0 13F#000000050000002E
(1718213111.793629) vcan0 17C#0000000010000021
(1718213111.793649) vcan0 18E#00006B
  • The first column contains a timestamp.
  • The second column contains the network (vcan0).
  • The third column contains the arbitration IDs (e.g., 18E) and the data (e.g., 00006B). The arbitration ID and data are separated by the # symbol.
  • Because you were not sending any commands to the simulator, you can be sure that none of this data represents the left blinker, for example.

Capture the Signal

The goal is to capture the signal to activate the left blinker. In this section, you will perform another capture. You will start candump, activate the controller, press the left arrow to turn on the blinker, return to the terminal, and press control+c to stop the capture. You will want to do these quickly to minimize the amount of data you capture because only the blinker signal is important. The less noise you capture, the easier your analysis will be.

  • Run the following command to start a new candump capture. Before pressing enter to run the command, be prepared to quickly move your mouse to click on the controller.
candump vcan0 -l -f signal_left.txt
  • Click on the controller so that it is the active application.
  • Press the left arrow key to turn on the blinker.
  • Click on the terminal where candump is running.
  • Press control+c to stop the candump capture.
  • Investigate the signal_left.txt file.
cat signal_left.txt
  • Despite only capturing data for a few moments, a large amount of traffic was still captured.

Prepare Data

  • The timestamps are not important in the current investigation. Run these commands to remove the timestamp data from the files.
sed 's/^[^ ]* //' -i noise.txt
sed 's/^[^ ]* //' -i signal_left.txt

The sed command uses pattern matching to modify lines in files. In this case, the pattern tells sed to delete everything up to the first space in each line of the file. The -i parameter tells sed to modify the file.

  • Check that the timestamps no longer exist.
head noise.txt
head signal_left.txt
  • You should see data like the following. The timestamp column has been removed.
vcan0 166#D0320036
vcan0 158#0000000000000037
vcan0 161#000005500108003A
vcan0 191#010010A1410029
vcan0 164#0000C01AA8000022
vcan0 133#0000000089

Analyze Data

  • There are many ways to analyze data. The following example uses the grep command to compare two files. This command will find entries that exist in signal_left.txt that do not exist in noise.txt.
grep -vxFf noise.txt signal_left.txt
  • The output should look similar to the following. These are all of the codes sent on the network during the left blinker capture that did not appear in the noise capture.
vcan0 39D#00000001DB0000
vcan0 25F#00000000000100
vcan0 39D#00000001DB0000
vcan0 39D#00000001810000
  • The search space for the left blinker code has been greatly reduced.
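
The grep comparison above treats every line as an opaque string. As an added example (not part of the original lesson), the script below counts each frame that is absent from the noise capture and separately lists the arbitration IDs that never appear in the noise. The function names and the sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank frames that appear only in the signal capture.
# Only the last field (ID#DATA) is read, so candump log lines work with or
# without the leading timestamp.
export LC_ALL=C   # byte-wise sort order, same result on every system

# novel_frames NOISE SIGNAL: "count ID#DATA" for frames absent from NOISE
novel_frames() {
    awk 'NF == 0             { next }                 # skip blank lines
         FILENAME == ARGV[1] { seen[$NF] = 1; next }  # remember noise frames
         !($NF in seen)      { n[$NF]++ }             # count unseen frames
         END { for (f in n) print n[f], f }' "$1" "$2" | sort -k1,1nr -k2,2
}

# novel_ids NOISE SIGNAL: arbitration IDs that never occur in NOISE
novel_ids() {
    awk 'NF == 0             { next }
                             { split($NF, p, "#") }   # p[1] = arbitration ID
         FILENAME == ARGV[1] { ids[p[1]] = 1; next }
         !(p[1] in ids)      { new[p[1]] = 1 }
         END { for (i in new) print i }' "$1" "$2" | sort
}

# Constructed sample captures (not real output from the simulator).
tmp=$(mktemp -d)
cat > "$tmp/noise.txt" <<'EOF'
(1718213111.793539) vcan0 164#0000C01AA8000004
(1718213111.793559) vcan0 133#00000000A7
(1718213111.793649) vcan0 18E#00006B
EOF
cat > "$tmp/signal.txt" <<'EOF'
vcan0 164#0000C01AA8000004
vcan0 164#0000C01AA8000022
vcan0 39D#00000001DB0000
vcan0 25F#00000000000100
vcan0 39D#00000001DB0000
vcan0 39D#00000001810000
vcan0 133#00000000A7
EOF

echo "Frames not in noise (count, frame):"
novel_frames "$tmp/noise.txt" "$tmp/signal.txt"
echo "Arbitration IDs not in noise:"
novel_ids "$tmp/noise.txt" "$tmp/signal.txt"
```

In the constructed sample, 164#0000C01AA8000022 is reported as a new frame even though arbitration ID 164 is background traffic whose payload changed, so it does not appear in the ID list. Check both lists, because a control whose ID also occurs in the noise would only show up in the frame list.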

Test Codes

  • Test the codes you found using cansend. One of them should turn the left blinker on.
cansend vcan0 39D#00000001DB0000
cansend vcan0 25F#00000000000100
cansend vcan0 39D#00000001DB0000
cansend vcan0 39D#00000001810000

Challenge 1

  • Use these same techniques to find the new arbitration IDs for the speedometer. For example, you might create a new file called signal_speed.txt using the following command. (The door unlock controls do not seem to work with this particular seed.)
candump vcan0 -l -f signal_speed.txt
  • You would then prep the data to get rid of the timestamp.
sed 's/^[^ ]* //' -i signal_speed.txt
  • Then investigate the records in signal_speed.txt that do not exist in noise.txt.
grep -vxFf noise.txt signal_speed.txt
  • Next, test the codes using cansend.

Note that because the speedometer is constantly changing values, there may be many valid codes in signal_speed.txt--one code for each incremental change in the speedometer.

Challenge 2

  • Recapture the noise file so that it runs longer.
  • Prepare the noise file for analysis.
  • Use grep to compare the signal files you found.
  • Did capturing more noise reduce the search space?

Challenge 3

Find a tool other than grep that can show the differences between two files.

Shutting Down

  • Close the ICSim window. You may have to click Yes to confirm closing it.
  • Close the controller window.

Reflection

  • Was 10 seconds long enough to record noise?
  • How else might you find the signal in the noise?