Sniffing ISO-TP Messages over CAN (advanced)

By: magikh0e

We use candump to look at the traffic (see below) and try to interpret it to determine what the vehicle's modules are telling each other:

    # candump can0 any
    (0.775574) can1 027#89AE07D40000A04F R
    (0.776797) can1 09B#260000F9007500FF R
    (0.777063) can1 332#000003FF00000000 R
    (0.777340) can1 3EB#43E810040FA009C4 R
    (0.778468) can1 02B#080607F508022054 R

But there are problems with this. The largest CAN frame has only 8 bytes of data. There's no easy way to send a multi-part message with more than 8 bytes of data, and no way to make sure all the parts were received or whether any need to be retransmitted.

Enter ISO-TP.

CAN - It's UDP/IP. You send a letter with a destination address and content. You have no idea if it got there in one piece or not. And you're limited in how much you can stuff in an envelope.

ISO-TP - It's TCP/IP. It's a telephone call you make from a source telephone number to a destination telephone number. You can talk as much as you want and everything goes back and forth until you hang up the phone.

Why is ISO-TP important? Because it's the key to using Unified Diagnostic Services (UDS).

Why is UDS important? Because that's the key to reading (and writing) more advanced information (and more persistent vehicle configuration settings) from all of your vehicle's modules. It's also the way you can read the current state of the vehicle's many I/O devices... and then output to them so that you can do operations such as honking the horn, flashing the headlights, and locking your front lockers. AND MORE. Like diagnostic test routines, or automatic brake bleeding operations.

Assuming that CAN-C is on your can1 device, issue the following command:

    isotpdump -s 620 -d 504 -c -ta -u can1
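To show what that reassembly involves, here is an added example (not part of the original post and not code from can-utils) that rebuilds ISO-TP messages from candump-style lines using the standard frame types: single, first, consecutive and flow control. It assumes normal 11-bit addressing, that the request travels on 0x620 and the response on 0x504, and the sample frames and VIN string are constructed, not captured from a vehicle.

```python
import re

# Layout of the candump lines shown above: "(time) iface ID#DATA"
FRAME = re.compile(r"\([\d.]+\)\s+\S+\s+([0-9A-Fa-f]+)#((?:[0-9A-Fa-f]{2})*)")

def reassemble(lines, ids=(0x620, 0x504)):
    """Return [(can_id, payload)] for each complete ISO-TP message on `ids`."""
    pending, done = {}, []            # pending: can_id -> [total_len, buffer, next_seq]
    for line in lines:
        m = FRAME.search(line)
        if not m:
            continue
        can_id, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if can_id not in ids or not data:
            continue
        pci, low = data[0] >> 4, data[0] & 0x0F
        if pci == 0 and 0 < low < len(data):         # single frame, low = length
            done.append((can_id, data[1:1 + low]))
        elif pci == 1 and len(data) >= 2:            # first frame, 12-bit length
            pending[can_id] = [(low << 8) | data[1], bytearray(data[2:]), 1]
        elif pci == 2 and can_id in pending:         # consecutive frame, low = sequence
            total, buf, seq = pending[can_id]
            if low != seq:                           # gap: discard the partial message
                del pending[can_id]
                continue
            buf += data[1:]
            pending[can_id][2] = (seq + 1) & 0x0F    # sequence wraps 0xF -> 0x0
            if len(buf) >= total:
                done.append((can_id, bytes(buf[:total])))
                del pending[can_id]
        # pci == 3 is flow control: no payload, nothing to reassemble
    return done

# Constructed sample (not captured from a vehicle): a UDS ReadDataByIdentifier
# request for DID 0xF190 and a 20-byte response split across three frames.
SAMPLE = [
    "(0.775574) can1 027#89AE07D40000A04F R",   # unrelated traffic, filtered out
    "(1.000000) can1 620#0322F19000000000 R",   # single frame
    "(1.010000) can1 504#101462F190544553 R",   # first frame, length 0x014
    "(1.011000) can1 620#3000000000000000 R",   # flow control
    "(1.012000) can1 504#215456494E303132 R",   # consecutive frame 1
    "(1.013000) can1 504#2233343536373839 R",   # consecutive frame 2
]

if __name__ == "__main__":
    for can_id, payload in reassemble(SAMPLE):
        print(f"{can_id:03X} {len(payload):3d} bytes  {payload.hex(' ')}")
```

A consecutive frame that arrives out of sequence causes the partial message to be dropped, which is why a lossy capture shows fewer complete messages than first frames.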