TCP communication debugging assistant: Wireshark usage

I have recently been debugging the UDS diagnostic protocol (ISO 14229 + ISO 15765) over in-vehicle Ethernet DoIP (ISO 13400), so I use Wireshark to capture the traffic and examine the packets at the TCP, DoIP and UDS layers.

Wireshark software

  • Select the designated port (interface) to capture packets on
  • Ethernet data and message analysis (double-click a frame to see the detailed decode of that message)
  • Error frame types:
    • [TCP Previous segment not captured]: the segment preceding this frame's TCP segment was not received
    • [TCP Out-Of-Order]: TCP segments arrived out of order
    • [TCP Dup ACK XXX#X]: duplicate ACK (the X-th repeat of the acknowledgement in frame XXX), which asks the sender to retransmit a certain segment
    • [TCP Fast Retransmission]: fast retransmission
    • [TCP Retransmission]: retransmission

ETH Ethernet frame (data link layer)

  • Both the destination address and the source address are MAC (physical) addresses. Destination address: 22:34:C0:01:00:01, source address: E8:6A:64:20:61:3B. The preamble and the frame check sequence are not shown in the captured message.

  • Type is generally IPv4, IPv6, ARP or VLAN. For example, the packet sent when the client broadcasts to find the gateway (the client's address is configured by yourself rather than assigned by the gateway, so looking for the gateway is an ARP request of the form "who has this address? tell me") has the ARP type.

IP frame (network layer)

Take a group of packets as an example: the red-underlined part at the front is destination address + source address + type (the Ethernet header), followed by the IP header:

  • 45: 4 is IPv4, and 5 is the IP header length in units of 4 bytes, i.e. 5 * 4 = 20 bytes.
  • 00: Type of service
  • 00 2A: Total length, 42 bytes (IP header + payload). The whole frame is ETH(14) + IP(20) + ICMP(22) = 16*3 + 8 = 56 bytes, and 56 - 14 = 42.
  • 10 5D: Identification
  • 40 00: Flags and fragment offset. The flags are reserved / don't fragment / more fragments, one bit each, followed by the offset of this fragment relative to the original datagram, in units of 8 bytes.
  • 05: Time to live (TTL), the maximum number of routers the packet may pass through
  • 01: Protocol: TCP (0x06), UDP (0x11) or ICMP (0x01); here ICMP.
  • E2 17: Checksum. How is it computed? Add the header up in 16-bit words and finally take the one's complement. Note: if the sum exceeds 16 bits, the carry is folded back in and added. The two checksum bytes are treated as 0x00 during the calculation: 0x4500 + 0x002A + 0x105D + 0x4000 + 0x0501 + 0xC0A8 + 0x0106 + 0xC0A8 + 0x0108 = 0x21DE6, then 0x1DE6 + 0x02 = 0x1DE8, and after inversion 0xE217, so the checksum field is 0xE217.
  • C0 A8 01 06: 192.168.1.6 (source), C0 A8 01 08: 192.168.1.8 (destination)
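The checksum walk-through above, as an added example (not code from the original post): a small parser for the 20-byte IPv4 header in the dump that decodes the fields listed and recomputes the checksum with the fold-and-complement procedure; it also generalises to headers with options (IHL > 5).

```python
import struct
import ipaddress

# The 20 header bytes walked through above (copied from the post's dump).
IP_HEADER = bytes.fromhex("4500002A105D40000501E217C0A80106C0A80108")

def ip_checksum(header: bytes) -> int:
    """Sum the header as 16-bit words with the checksum field taken as 0x0000,
    fold any carry above 16 bits back in, then take the one's complement."""
    hdr = bytearray(header)
    hdr[10:12] = b"\x00\x00"
    if len(hdr) % 2:
        hdr.append(0)
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                      # e.g. 0x21DE6 -> 0x1DE6 + 0x2
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header fields and verify the checksum."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL %d for %d-byte packet" % (ihl, len(packet)))
    header = packet[:ihl]
    return {
        "version": ver_ihl >> 4,
        "header_length": ihl,
        "tos": tos,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # in bytes
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, proto),
        "checksum": csum,
        "checksum_ok": csum == ip_checksum(header),
        "src": str(ipaddress.IPv4Address(header[12:16])),
        "dst": str(ipaddress.IPv4Address(header[16:20])),
    }

if __name__ == "__main__":
    print("recomputed checksum: 0x%04X" % ip_checksum(IP_HEADER))
    print(parse_ipv4(IP_HEADER))
```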

TCP frame (transport layer)

Take a specific TCP packet as an example. Source IP: a9 fe 64 0a (169.254.100.10), destination IP: a9 fe 64 64 (169.254.100.100).

  • d0 e6: source port 53478
  • 34 58: destination port 13400
  • eb bd ca ae: sequence number
  • 02 d1 83 1a: acknowledgement number
  • 50: 5 is the header length in units of 4 bytes, 5 * 4 = 20 bytes
  • 18: the 1 holds the reserved bits; 8 is PSH, which during communication prompts the receiver to read the data out of its buffer. The other flags: SYN establishes the connection, FIN closes the connection, ACK is a response packet confirming that the sequence number is as expected, RST resets (re-establishes) the connection.
  • fa fd: window size
  • d1 53: TCP checksum, calculated the same way as the IP checksum
  • 00 00: urgent pointer
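The header fields and flag bits listed above, as an added example (not code from the original post): a parser for the TCP header in the dump that decodes ports, sequence and acknowledgement numbers, data offset and the individual flag bits, and names the role a segment plays from its flags.

```python
import struct

# The 20 TCP header bytes listed above, copied from the post's dump
# (destination port 13400 is the DoIP TCP port).
TCP_HEADER = bytes.fromhex("d0e63458ebbdcaae02d1831a5018fafdd1530000")

# Flag bits in the low 9 bits of the data-offset/flags word.
TCP_FLAGS = [("FIN", 0x001), ("SYN", 0x002), ("RST", 0x004), ("PSH", 0x008),
             ("ACK", 0x010), ("URG", 0x020), ("ECE", 0x040), ("CWR", 0x080),
             ("NS", 0x100)]

def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed TCP header, options and payload of one segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, csum, urg = \
        struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4          # header length in bytes
    if offset < 20 or offset > len(segment):
        raise ValueError("bad data offset %d" % offset)
    return {
        "src_port": sport, "dst_port": dport,
        "seq": seq, "ack": ack,
        "header_length": offset,
        "flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        "window": window, "checksum": csum, "urgent_pointer": urg,
        "options": segment[20:offset],
        "payload": segment[offset:],
    }

def describe_flags(flags) -> str:
    """Name the role a segment plays, following the flag meanings above."""
    s = set(flags)
    if "RST" in s:
        return "reset (re-link)"
    if "SYN" in s:
        return "handshake: SYN-ACK" if "ACK" in s else "handshake: SYN"
    if "FIN" in s:
        return "disconnect request"
    if "PSH" in s:
        return "data: receiver should read its buffer"
    return "acknowledgement" if "ACK" in s else "no flags"

if __name__ == "__main__":
    seg = parse_tcp(TCP_HEADER)
    print(seg, describe_flags(seg["flags"]))
```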

TCP three-way handshake

299: SYN, Seq = 0
300: SYN ACK, Seq = 0, Ack = 1
301: ACK, Seq = 1, Ack = 1

In the above, SYN represents the establishment of the connection, ACK represents a response packet, and Ack represents the acknowledgement sequence number.

The sequence number and acknowledgement number of the two communicating parties are exchanged, and each increases according to the length (len) of the data sent.

TCP four-way teardown (the four "waves")

FIN ACK: the client (or server) sends a disconnect request with FIN, Seq = 1, Ack = 5
ACK: the server responds with the ACK flag set (ACK = 1), Seq = 5, Ack = 2
FIN ACK: the server (or client) sends its own disconnect with FIN, Seq = 5, Ack = 2
ACK: the client responds with the ACK flag set (ACK = 1), Seq = 2, Ack = 6
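The rule that Seq and Ack advance by the data length (with SYN and FIN each consuming one sequence number), as an added check (not part of the original post) run over the relative numbers of the handshake and teardown above; the client/server labels and the seed values for the teardown are assumptions made to match the figures.

```python
# Segments as (sender, flags, Seq, Ack, payload length), taken from the
# relative numbers in the post's handshake (frames 299-301) and teardown.
HANDSHAKE = [
    ("client", {"SYN"},        0, None, 0),   # 299
    ("server", {"SYN", "ACK"}, 0, 1,    0),   # 300
    ("client", {"ACK"},        1, 1,    0),   # 301
]
TEARDOWN = [
    ("client", {"FIN", "ACK"}, 1, 5, 0),
    ("server", {"ACK"},        5, 2, 0),
    ("server", {"FIN", "ACK"}, 5, 2, 0),
    ("client", {"ACK"},        2, 6, 0),
]

def check_sequence(segments, next_seq=None):
    """Verify that every Ack equals the peer's next expected Seq: the peer's
    last Seq plus the bytes it sent, plus one if that segment carried SYN or
    FIN (each consumes one sequence number). next_seq seeds the expected
    values when the trace does not start at the handshake. Returns a list of
    mismatches; an empty list means the trace is consistent."""
    expected = dict(next_seq or {})
    problems = []
    for i, (sender, flags, seq, ack, length) in enumerate(segments):
        peer = "server" if sender == "client" else "client"
        if "ACK" in flags and peer in expected and ack != expected[peer]:
            problems.append(f"segment {i}: {sender} Ack={ack}, expected {expected[peer]}")
        expected[sender] = seq + length + (1 if flags & {"SYN", "FIN"} else 0)
    return problems

if __name__ == "__main__":
    print("handshake:", check_sequence(HANDSHAKE) or "consistent")
    print("teardown:", check_sequence(TEARDOWN, {"client": 1, "server": 5}) or "consistent")
```

A retransmission or an out-of-order segment shows up as a mismatch in the returned list, which is the same condition Wireshark flags in the error frame types listed at the top.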

DoIP frame (application layer)

DoIP (Diagnostic communication over Internet Protocol) carries diagnostic communication over Ethernet, here the in-vehicle Ethernet. The DoIP diagnostic message format is illustrated by the following specific message:

  • 02: Protocol version
  • fd: Inverse protocol version (bitwise complement of 02)
  • 80 02: Payload type, here diagnostic message positive response. Ranges: 0x0000-0x0008 node management, 0x4000-0x4004 vehicle information, 0x8001-0x8003 diagnostic messages
  • 00 00 00 07: Payload length (the number of bytes following the DoIP header)
  • 00 09: Source address (the logical addresses of the two parties in the application-layer communication)
  • 0e 80: Target address
  • 00: ACK code, the response code
  • 85 02: UDS message

UDS frame (application layer, DoIP upper layer)

UDS (Unified Diagnostic Services) is the unified diagnostic service standard; UDS further defines the format of the diagnostic data carried in the DoIP payload.

Take security access as an example. The specific messages are as follows:
Request seed: 27 01
Response seed: 67 01 XX XX XX XX
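The DoIP message layout and the security access exchange above, as one added example (not code from the original post): a parser that checks the header (version / inverse version, declared payload length), splits a diagnostic message into source address, target address, ACK code and UDS data, and names the UDS service, with SecurityAccess requestSeed / sendKey detail. The positive ACK frame is the one from the post; the 27 01 request and 67 01 seed response frames are constructed with assumed addresses and seed bytes.

```python
import struct

# From the post: diagnostic message positive ACK, SA 0009, TA 0e80, ACK 00, UDS 85 02.
DOIP_POS_ACK = bytes.fromhex("02fd80020000000700090e80008502")
# Constructed: SecurityAccess requestSeed (27 01) from tester 0e80 to ECU 0009,
# and the ECU's constructed seed response (67 01 + four made-up seed bytes).
SEED_REQUEST = bytes.fromhex("02fd8001000000060e8000092701")
SEED_RESPONSE = bytes.fromhex("02fd80010000000a00090e80670111223344")

PAYLOAD_TYPES = {0x0000: "generic negative ACK", 0x8001: "diagnostic message",
                 0x8002: "diagnostic message positive ACK",
                 0x8003: "diagnostic message negative ACK"}

def parse_doip(frame: bytes) -> dict:
    """Decode the generic DoIP header, then the diagnostic payload for 0x8001-0x8003."""
    if len(frame) < 8:
        raise ValueError("DoIP header needs 8 bytes")
    version, inv_version, ptype, plen = struct.unpack("!BBHI", frame[:8])
    if version ^ inv_version != 0xFF:
        raise ValueError("inverse protocol version does not match")
    payload = frame[8:8 + plen]
    if len(payload) != plen:
        raise ValueError(f"payload length {plen} declared, {len(payload)} present")
    msg = {"version": version, "payload_type": ptype, "payload_length": plen,
           "type_name": PAYLOAD_TYPES.get(ptype, "other")}
    if ptype in (0x8001, 0x8002, 0x8003):
        msg["source_address"], msg["target_address"] = struct.unpack("!HH", payload[:4])
        body = payload[4:]
        if ptype != 0x8001:             # ACK/NACK carry a code before any echoed data
            msg["ack_code"], body = body[0], body[1:]
        msg["uds"] = body
        msg["uds_summary"] = uds_summary(body)
    return msg

def uds_summary(data: bytes) -> str:
    """Name the UDS service; SecurityAccess (0x27/0x67) gets seed/key detail."""
    if not data:
        return "no UDS data"
    sid = data[0]
    if sid == 0x7F and len(data) >= 3:
        return f"negative response to SID 0x{data[1]:02X}, NRC 0x{data[2]:02X}"
    is_resp = bool(sid & 0x40)          # positive response SID = request SID + 0x40
    base = sid & ~0x40
    text = f"{'positive response' if is_resp else 'request'} SID 0x{base:02X}"
    if base == 0x27 and len(data) >= 2:
        step = "requestSeed" if data[1] % 2 else "sendKey"
        text += f" SecurityAccess {step} level {data[1]}"
        if is_resp and data[1] % 2:
            text += f" seed={data[2:].hex()}"
    return text
```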

Origin blog.csdn.net/qq_34430371/article/details/115176986