3 - Viewing and Analyzing Ethernet Messages and Data
Last updated
Copyright © 2024 | All Rights Reserved
Now that we have Vehicle Spy properly set up, we are ready to begin working with Ethernet messages and data. In this chapter we’ll learn how to go online to view “real world” Ethernet / TCP/IP messages from the Internet, and see how to work with them effectively within VSpy’s Messages View. This will include tailoring the display of messages for Ethernet, seeing how to sort and filter Ethernet messages, using Details View to look at the data within messages, and learning how to save Ethernet data for later analysis.
This chapter assumes that you have followed the instructions in Chapter 2 to enable PC Ethernet interfaces, and have chosen the interface that your PC uses to connect to the Internet.
Support for displaying Ethernet messages is built into Vehicle Spy, so to start looking at Ethernet messages, we simply need to go online.
► Go Online: Press the button located near the top left of the Logon Screen. You can also press the button found just below it (these can be seen near the top left of Figure 4).
Vehicle Spy 3 will automatically switch to Messages View and begin displaying the Ethernet traffic found on the selected interface. If for some reason the view does not change, simply select Messages from the Spy Networks menu. Note that if you have previously been simulating a file in Vehicle Spy, you may need to click the drop-down box next to the button and explicitly choose Run with Transmit.
You should see a display similar to Figure 12. Notice that the button has changed to the (Stop) button at the top left, and the word Online appears next to it, showing that we are online. Messages View begins by default in static mode, which groups together similar messages to make it easier to monitor the network as a whole. In the case of Ethernet, messages are grouped based on their source and destination addresses, as well as the message type (EtherType).
You may see some TCP entries in the display; there is one at the bottom of the displayed message list in the figure. These are logical displays of TCP data carried within Ethernet messages. To make it easier to see more message types, we can suppress the display of this inline data in Messages View:
► Disable Display of Inline TCP Data: Near the top of Messages View, find the checkbox next to the word Expand. Click the box to clear the checkmark from it.
TCP messages will now collapse down so they take up less space. Later on we’ll see how we can use network filters to isolate or suppress network types.
For now, let’s go offline.
By default, Vehicle Spy begins with the Messages View in its generic display format, which is designed to support many types of vehicle networks. Since we are specifically interested in Ethernet, we will change the display to one that provides more information relevant to Ethernet messages.
► Change the Messages View Columns Display to Ethernet: Near the bottom of the Messages View you should see the word Columns, and to the right, a drop-down box in which “(default)” is currently selected. Click the box, scroll down, and change the setting to “Ethernet” (Figure 13).
The information in the Messages View will immediately change to more Ethernet-specific data. Depending on the size of your display, you may or may not see all of the columns available; you may also find that some are too narrow to see all of their contents. Enlarge the window and adjust the columns until you can see all the columns up to Len (short for “Length”). You should see something similar to Figure 14.
The Count, Time, Tx, Er and Len columns are used in the same way as they are with more conventional networks such as CAN. Here is a brief explanation of the Ethernet-specific columns:
• Description: For Ethernet messages these summaries begin with “Ethernet” and then generally contain the source and destination addresses. These will be either MAC addresses for plain Ethernet or AVB frames, or IP addresses for TCP/IP messages.
• Source and Destination: The sender and receiver of the message, which again will be either MAC addresses or IP addresses.
• Src Port and Dst Port: The source and destination port numbers for UDP and TCP messages.
• EtherType: The interpreted value of the two-byte EtherType field in the Ethernet header, indicating the type of data being carried in the frame. Typical values are “IPv4”, “IPv6” or “ARP”.
• Protocol: The interpreted value of the IPv4 Protocol field or IPv6 Next Header field, specifying the higher-level protocol message being carried in an IPv4/IPv6 message. This will normally be either “UDP” or “TCP”, or blank for non-IP messages.
Ethernet setups in Vehicle Spy can be saved for later use in exactly the same way you would do when working with other networks. In this case, since we have now tailored the Messages View to look good when working with Ethernet messages, we’ll save the setup. Then we can reload it at any time in the future when we want to work with Ethernet.
► Create a New Setup File: Select Save As from the File menu. When the dialog box appears, enter “Ethernet Column Setup”.
That’s it. Your setup is now saved, and the next time you load it Messages View will immediately be ready for working with Ethernet.
We mentioned earlier that Vehicle Spy defaults to aggregating similar messages for easier tracking and analysis. However, when working with Ethernet it is often useful to see messages sequentially rather than having them grouped in this manner. Naturally, we can easily change between the two modes.
You will immediately see the change in the message display, as it (appropriately enough) begins scrolling, each new message appearing in a separate line rather than being grouped (Figure 15). Notice also that the Count column has now been replaced by a Line column, the number of which increases sequentially.
Now let’s go back to static mode and go offline again.
Vehicle Spy 3 resumes showing you messages statically aggregated by type with counts.
► Go Offline.
Ethernet messages in Messages View can be sorted by clicking on column headers in exactly the same way as you might do with other networks. Let’s try an example.
► Sort by Source Column: Click on the Source column.
Let’s now remove the sorting:
► Remove Sort: Click the Source column two more times to return to the default view.
Filtering using columns is a quick and easy way of isolating groups of messages from what can be a very large buffer of Ethernet data. Simply enter the filter criteria into the Filter bar as you would when working with CAN or another network. As always, you can use question marks and asterisks as wildcards, hyphens for ranges, and commas to create lists of values.
As an example, suppose we want to find all of the Domain Name System (DNS) messages sent by our PC. These requests are used to resolve names like “www.intrepidcs.com” into IP addresses. DNS requests are sent to the connected Internet provider’s server on destination port 53.
► Filter for Outgoing DNS Messages: Enter “53” into the Filter bar cell under the Dst Port column.
The message display will now change to show only the messages we are interested in; an example can be seen in Figure 17.
Let’s now remove the filter.
► Clear DNS Filter: Remove the “53” from the Dst Port filter cell.
Messages View will return to showing all messages.
Sometimes you may be working with a mixed network containing Ethernet, CAN, LIN and possibly other types of messages. In addition, as we’ve already seen, some Ethernet messages actually generate two lines in Messages View: one for the basic Ethernet message, and one for the virtual TCP network. If FSA is in use, these messages too will show up with both Ethernet and FSA entries.
To view traffic from specific networks, use the network filter columns on the left side of Messages View. The left-most column with the checkmark at the top is used to include networks you want to see, and the center column with the “X” excludes networks you do not want. (The right-most column is for custom filters, which we won’t be covering in this guide.)
For example, suppose we want to see only the logical TCP messages on the network, and not the underlying Ethernet messages that carry them.
► Include the TCP Network: Click the box in the left-hand column for the TCP network. A checkmark appears.
► Exclude the Ethernet Network: Click the box in the center column for the Ethernet network. An “X” appears.
Figure 18 shows what the filter area should look like. After entering these filters, you should see only TCP messages in the message display area of Messages View. (You may need to click the mouse in the messages area for it to update.)
Note that, as is always the case in Vehicle Spy, if you want to exclude a network, you must include at least one network explicitly or nothing will be shown.
► Remove the TCP Network Inclusion: Click the checkmark next to the TCP network to remove it.
Since no network is now included, you should now see the messages area go completely blank (again, you may need to click in the messages area to see this).
► Remove the Ethernet Network Exclusion: Click the “X” next to the Ethernet network.
Messages from all networks are now displayed again.
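The following Python is an added example, not part of the Vehicle Spy manual, that emulates the two filtering mechanisms described above: the Filter bar cells (question-mark and asterisk wildcards, hyphen ranges, comma lists, as in the DNS port 53 example) and the include/exclude network columns, including the rule that an exclusion with no inclusion shows nothing. The sample rows are constructed to mirror the Ethernet column set; the function names are my own.

```python
import re

# Constructed sample rows mirroring the Ethernet column set (not a real capture).
ROWS = [
    {"Network": "Ethernet", "Source": "192.168.1.10", "Destination": "8.8.8.8",
     "Protocol": "UDP", "Src Port": 51234, "Dst Port": 53},          # outgoing DNS query
    {"Network": "Ethernet", "Source": "192.168.1.10", "Destination": "203.0.113.5",
     "Protocol": "TCP", "Src Port": 51235, "Dst Port": 443},
    {"Network": "TCP", "Source": "192.168.1.10", "Destination": "203.0.113.5",
     "Protocol": "TCP", "Src Port": 51235, "Dst Port": 443},         # virtual TCP line
    {"Network": "Ethernet", "Source": "00:11:22:33:44:55", "Destination": "FF:FF:FF:FF:FF:FF",
     "Protocol": "", "Src Port": "", "Dst Port": ""},                # non-IP frame (e.g. ARP)
]


def filter_cell_matches(pattern, value):
    """Emulate one Filter-bar cell: '?' and '*' wildcards, 'lo-hi' numeric ranges,
    comma-separated lists. An empty cell matches every row."""
    pattern = pattern.strip()
    if not pattern:
        return True
    text = str(value)
    for term in (t.strip() for t in pattern.split(",")):
        if re.fullmatch(r"\d+\s*-\s*\d+", term):
            lo, hi = (int(x) for x in term.split("-"))
            if text.isdigit() and lo <= int(text) <= hi:
                return True
        else:
            regex = re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")
            if re.fullmatch(regex, text, re.IGNORECASE):
                return True
    return False


def apply_column_filters(rows, filters):
    """Keep rows matching every non-empty Filter-bar cell, e.g. {"Dst Port": "53"}."""
    return [r for r in rows
            if all(filter_cell_matches(p, r.get(col, "")) for col, p in filters.items())]


def apply_network_filters(rows, include, exclude):
    """Checkmark column = include, X column = exclude. Excluding a network without
    including at least one other network leaves the display blank."""
    if exclude and not include:
        return []
    if include:
        rows = [r for r in rows if r["Network"] in include]
    return [r for r in rows if r["Network"] not in exclude]
```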
The blue rectangular area at the bottom of Messages View is sometimes called Details View or the Details Pane, and allows you to dig into the fields in any message to let you see what’s really going on in your network. It’s an especially powerful tool for Automotive Ethernet because you can use it to examine each of the layers of headers and data found in complex encapsulated messages such as those used in TCP/IP.
The Details View window contains three panes. The information pane on the left shows a list of messages and decoded information about them; for Ethernet messages, you will see here a list of the headers in the message. On the right is a byte/character display of the selected message. In the center, you’ll see an area with Name and Value columns that are used to display the values of decoded messages. The contents of all of these panes will change depending on which type of message is selected in the Messages View. The relative sizes of the three panes can be changed by dragging the vertical dividers between them.
As an example, let’s try looking at a TCP/IP UDP message. We can find one easily by using a filter.
► Filter for UDP Messages: Enter “UDP” in the Protocol filter cell.
Now just click any of these messages.
► Select a UDP Message: Click any UDP message currently shown in Messages View.
You should now see details for the message shown in Details View, like the example in Figure 19.
As you can see, there are four lines in the left-hand pane. The first is the general information line for an Ethernet message. The next three show the nested headers for a UDP message: Ethernet, Internet Protocol and User Datagram Protocol.
If you select one of these lines, the corresponding header bytes in the message will be highlighted in the data area on the right.
► Select the Internet Protocol Header: Click the Internet Protocol Version 4 header in the information pane.
You should see 20 bytes highlighted in gray in the byte area, corresponding to the 20 bytes in a standard IPv4 header (Figure 20).
Notice that each header has a “+” button to its left. We can use these to “drill down” into the headers to look at the fields they contain.
Vehicle Spy now highlights the UDP data bytes in gray (right-hand pane), and shows you the values of the fields within the UDP header in this message (left-hand pane). An example is shown in Figure 21.
You can also highlight specific fields in the headers to find exactly where they are located in the bytestream of the message.
► Highlight the Source Port Field: Click the Source Port field under the UDP header.
You will now see just two bytes highlighted in gray on the right, since this field is 16 bits long (Figure 22).
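As an added example that is not part of the manual, the Python below decodes a constructed Ethernet/IPv4/UDP frame into the Ethernet-specific columns described earlier (Source, Destination, Src Port, Dst Port, EtherType, Protocol, Len) and also returns the byte ranges Details View would highlight: 14 bytes of Ethernet header, 20 bytes of IPv4 header, 8 bytes of UDP header and the 2-byte Source Port field. The sample frame, the IP checksum of zero and the function names are my own assumptions.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II / IPv4 / UDP,
# a DNS-style query from 192.168.1.10:51234 to 8.8.8.8:53 with a 4-byte dummy payload.
SAMPLE_FRAME = (
    bytes.fromhex("001122334455 66778899aabb 0800")                   # dst MAC, src MAC, EtherType IPv4
    + bytes.fromhex("4500 0020 1234 4000 4011 0000 c0a8010a 08080808")  # IPv4, proto 17=UDP, checksum left 0
    + bytes.fromhex("c822 0035 000c 0000")                            # UDP: 51234 -> 53, length 12
    + bytes.fromhex("deadbeef")                                       # dummy payload
)

ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}
IP_PROTOCOLS = {6: "TCP", 17: "UDP"}


def mac(b):
    return ":".join(f"{x:02X}" for x in b)


def decode_frame(frame):
    """Return (columns, layout): the Messages View Ethernet columns for this frame,
    and {header or field name: (start, end)} byte ranges as Details View highlights them."""
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    cols = {"Source": mac(src), "Destination": mac(dst),
            "EtherType": ETHERTYPES.get(etype, f"0x{etype:04X}"),
            "Protocol": "", "Src Port": "", "Dst Port": "", "Len": len(frame)}
    layout = {"Ethernet": (0, 14)}
    if etype == 0x0800:                                  # IPv4: addresses replace the MACs
        ihl = (frame[14] & 0x0F) * 4                      # header length from the IHL nibble
        proto = frame[23]
        cols["Source"] = ".".join(map(str, frame[26:30]))
        cols["Destination"] = ".".join(map(str, frame[30:34]))
        cols["Protocol"] = IP_PROTOCOLS.get(proto, str(proto))
        layout["Internet Protocol Version 4"] = (14, 14 + ihl)
        l4 = 14 + ihl
        if proto in (6, 17):                              # TCP or UDP: ports are the first 4 bytes
            cols["Src Port"], cols["Dst Port"] = struct.unpack("!HH", frame[l4:l4 + 4])
            hlen = 8 if proto == 17 else (frame[l4 + 12] >> 4) * 4
            name = "User Datagram Protocol" if proto == 17 else "Transmission Control Protocol"
            layout[name] = (l4, l4 + hlen)
            layout[name + " / Source Port"] = (l4, l4 + 2)  # 16-bit field: two bytes highlighted
    cols["Description"] = f"Ethernet {cols['Source']} -> {cols['Destination']}"
    return cols, layout


if __name__ == "__main__":
    columns, ranges = decode_frame(SAMPLE_FRAME)
    print(columns)
    for name, (start, end) in ranges.items():
        print(f"{name:40} bytes {start}-{end - 1}: {SAMPLE_FRAME[start:end].hex(' ')}")
```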
After you capture some important data from your network, you can easily save it to a file for later analysis.
You will be prompted with an options dialog box like the one in Figure 23.
In most cases the defaults here are what you want: the .VSB format is ideal for Ethernet messages. Having Append date and time to custom file name checked will make it easy to find saved buffers, and ensure that later buffer saves don’t overwrite newer ones.
Note that Ethernet data can also be stored in .PCAP files (which are compatible with other TCP/IP network analysis tools) but not in VSpy’s traditional .CSV format.
The buffer will be stored in your current data directory.
VSpy will launch Windows Explorer set to the location of your data directory. Sort the list by Date Modified and you should see your buffer at the top.
One important note: be sure to clear network filters that exclude underlying Ethernet messages—like the one we used in Section 3.7—before saving the buffer. If you include a virtual network like TCP or FSA, but exclude Ethernet, then no messages will be saved.
► Go Offline: Press the button to go offline.
► Go Online: Press .
► Enable Scroll Mode: Press the button, located near the top left of Messages View.
Ethernet traffic can come into Vehicle Spy quickly, so you may find it helpful to make use of the button to temporarily halt the message scrolling when in this mode.
► Enable Static Mode: Press again to turn off scroll mode.
All of the messages in the buffer will now be sorted based on their source IP address or MAC address; you should see something similar to Figure 16. As always, you can choose from ascending order ( symbol shows in the column) or descending order ( symbol). Of course, you can also sort using the standard columns, such as Count or Len.
You should see Details View open, unless it was previously disabled in a prior use of VSpy on your machine. If you don’t see it, press the button to enable it.
► Expand the UDP Header: Click the UDP header in the Details View information pane, and then click the button to the left of it.
► Click the Save Button: Click the button near the top of Messages View.
► Save the Buffer: Click the button.
► Open the Data Directory: Click the button located near the top right of Vehicle Spy.