
5/30/12

CaptureSetup/USB - The Wireshark Wiki

USB capture setup


This page is about capturing raw USB traffic, e.g. the packets a USB mouse will generate on the Universal Serial Bus.

USB attached network interfaces


A special case is network interfaces connected to a host computer through a USB cable. The operating system "converts" the raw USB packets into network traffic (e.g. Ethernet packets) and provides a network interface that looks like an ordinary network interface. So you can capture from:

- the USB device, for raw USB traffic (if supported)
- the network device, for "normal" network packets

The USB bus adds overhead of its own, so the raw USB traffic will have a higher volume than the network traffic, even if the only active USB devices on the system are network adapters. (If there are other active USB devices, the raw USB traffic will also include the traffic to and from those devices, so it will obviously have a higher volume than the Ethernet traffic.)

Linux
To dump USB traffic on Linux, you need the usbmon module, which has existed since Linux 2.6.11. Information on that module is available in /usr/src/linux/Documentation/usb/usbmon.txt in the Linux source tree. Depending on the distribution you're using, and the version of that distribution, that module might be built into the kernel, or might be a loadable module; if it's a loadable module, depending on the distribution and its version, it might or might not be loaded for you. If it's a loadable module and is not loaded, you will have to load it with the command

    modprobe usbmon

which must be run as root.

libpcap releases prior to 1.0 do not include USB support, so you will need at least libpcap 1.0.0.

For versions of the kernel prior to 2.6.21, the only USB traffic capture mechanism available is a text-based mechanism that limits the total amount of data captured for each raw USB block to about 30 bytes. There is no way to change this without patching the kernel. If debugfs is not already mounted on /sys/kernel/debug, ensure that it is mounted there by issuing the following command as root:

    mount -t debugfs none /sys/kernel/debug

For kernel version 2.6.21 and later, there is a binary protocol for tracing USB packets which doesn't have that size limitation. For that kernel version, you will need libpcap 1.1.0 or newer, because the libpcap 1.0.x USB support uses, but does not correctly handle, the memory-mapped mechanism for USB traffic; libpcap uses that mechanism whenever it is available, and it cannot be made unavailable, so libpcap 1.0.x will always use it.

In libpcap 1.0.x, the devices for capturing on USB have the name usbn, where n is the number of the bus. In libpcap 1.1.0 and later, they have the name usbmonn.

You will also need Wireshark 1.2.x or newer.

Windows
You cannot directly capture raw USB traffic on Windows with Wireshark/WinPcap. However, see the Tools page for some alternatives.

It is possible, though, to capture and debug USB traffic on a virtual Windows machine under VirtualBox. In some ways this is more convenient than working with a separate Windows box. In this example, an embedded Linux device running g_ether (RNDIS ethernet gadget) connects to Windows, e.g. an NSLU2 with a USB slave modification (http://www.nslu2-linux.org/wiki/HowTo/AddDeviceSideUSBPort), but it should work for almost any USB device.

With this method, Linux still recognises the USB device (i.e. >lsusb will still show it), VirtualBox hooks it into Windows, and Wireshark on Linux still gets to snoop on all the packets.

Steps:

1. Install a VirtualBox Windows guest in your Linux system using some 'spare' Windows CDs. Start up the virtual Windows session.
2. Plug in the embedded slave device via a USB cable. It should be either a device Windows already knows about, or (as in this case) one running a valid g_ether gadget stack that needed a .inf file.
3. Run >lsusb and take a note of which bus the device connects to, e.g. "Bus 003 Device 003: ID 0525:a4a2 Netchip Technology, Inc. Linux-USB Ethernet/RNDIS Gadget".
4. On the Linux side, run >ifconfig usb0 down - this prevents the Linux system and the Windows system from fighting over the device.


5. On the Windows virtual machine, in the VirtualBox menus click the checkbox [Devices]->USB Devices->[x] Your device to let Windows see the USB device.
6. Now Windows should recognise the device and proceed with the "plug-and-pray" session for driver initialisation. I worked from the instructions on http://docwiki.gumstix.org/index.php/Windows_XP_usbnet to install the driver.

7. In this example, I had to set up the networking options (IP address, gateway etc.) on Windows to match the IP network on the gadget, but for other USB device types there will be no extra setup. In any case this is just normal Windows behaviour.
8. On Linux, start up Wireshark and use the bus number given earlier by the >lsusb command to sniff for packets.

Hints for developing something like a Windows native "USBPcap": a kernel mode filter device driver has to be written. An older Driver Development Kit (DDK) is available which at least can compile kernel mode binaries. The most important functions to install the filter driver are CreateService() and the SetupDiSetDeviceRegistryProperty() function with the SPDRP_LOWERFILTERS parameter.

Discussion
Why was the note about inaccurate time stamps removed?!? - UlfLamping

The timestamps should be ok now since libpcap works around the issue by explicitly calling gettimeofday() - ronnie

Well, the inaccuracies I had in mind were about the "delta" involved between when the data is received from the USB device and when it is actually timestamped by the kernel. This delta will be substantially lower for e.g. PCI based NICs than for USB ones - and should be mentioned. Or am I just wrong on this topic and this can be ignored - which should be mentioned then too? - UlfLamping

There's "capturing on USB-attached networking interfaces" and there's "capturing USB traffic"; this page is for the latter, but it sounds as if the time stamp delta is an issue for the former. - Guy Harris

See Also
- Capturing on Ethernet Networks
- Capturing on 802.11 Wireless Networks
- Capturing on Token Ring Networks
- Capturing on VLAN Protected Networks
- Capturing on PPP Networks
- Capturing on the Loopback Device
- Capturing on Frame Relay Networks
- Capturing DOCSIS Traffic
- Capturing Bluetooth Traffic
- Capturing on ATM Networks
- Capturing IrDA Traffic
- Capturing on Cisco HDLC Networks
- Capturing SS7 Traffic

CategoryHowTo

CaptureSetup/USB (last edited 2011-11-04 19:27:16 by GuyHarris)

wiki.wireshark.org/CaptureSetup/USB
