-
Notifications
You must be signed in to change notification settings - Fork 268
USB Capture Setup
The official guide can be found here: Wireshark USB Capture Setup
some of their instructions have been copied here.
This page requires revision and verification. If you are interested in contributing, please submit a patch.
Context on using usbmon and Wireshark to capture USB traffic on Linux can be found in the following issue comments:
#543 K95 RGB Platinum XT / New Protocol
#81 Void headset support
The most exhaustive example can be found in Nightsword RGB support #656. It has been improved upon and explained here.
To collect a raw text trace, execute following steps.
- Install
wiresharkthrough your package manager. - Add youself to the
wiresharkgroup.
sudo usermod -aG wireshark $USER
- Load the
usbmonmodule if it is not already loaded.
sudo modprobe usbmon
- give regular users privileges
On some Linux distributions (Arch Linux, Debian, Ubuntu, possibly others), the command below may not be necessary if you already belong to the wireshark group.
sudo setfacl -m u:$USER:r /dev/usbmon*
- Linux kernels prior to 2.6.23 need to run:
sudo mount -t debugfs none_debugs /sys/kernel/debug
Verify that bus sockets are present.
sudo ls /sys/kernel/debug/usb/usbmon
Example output:
0s 0u 1s 1t 1u 2s 2t 2u 3s 3t 3u 4s 4t 4u
Now you can choose to either use the socket 0u (to capture packets on all buses), and skip to step #3, or find the bus used by your device with step #2. This allows to filter away annoying devices that talk continuously.
Run to find the "T:"-line which corresponds to the device.
cat /sys/kernel/debug/usb/devices
Usually you do it by looking for the vendor string. If you have many similar devices, unplug one and compare the two /sys/kernel/debug/usb/devices outputs. The T:-line will have a bus number.
Example output:
T: Bus=01 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1b1c ProdID=1b5c Rev= 3.35
S: Manufacturer=Corsair
S: Product=CORSAIR NIGHTSWORD RGB Gaming Mouse
S: SerialNumber=02027026AF4C18865CC0F81CF5001BC0
C:_ #Ifs= 2 Cfg#= 1 Atr=a0 MxPwr=500mA
I:_ If#= 0 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=01 Prot=02 Driver=usbhid
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms
I:\* If#= 1 Alt= 0 #EPs= 2 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid
E: Ad=82(I) Atr=03(Int.) MxPS= 64 Ivl=1ms
E: Ad=02(O) Atr=03(Int.) MxPS= 64 Ivl=1ms
Bus=01 means it's bus 1. Alternatively, you can look at the output from
lsusb and get the bus number from the appropriate line.
Example output of `lsusb
Bus 001 Device 002: ID 1b1c:1b5c Corsair CORSAIR NIGHTSWORD RGB Gaming Mouse
cat /sys/kernel/debug/usb/usbmon/1u > /tmp/1.mon.out
To listen on a single bus, otherwise, to listen on all buses, type:
cat /sys/kernel/debug/usb/usbmon/0u > /tmp/1.mon.out
This process will read until it is killed. Naturally, the output can be redirected to a desirable location. This is preferred, because it is going to be quite long.
This is where you do something that creates the traffic: plug in a flash key, copy files, control a webcam, etc.
Usually it's done with a keyboard interrupt (Control-C).
At this point the output file, /tmp/1.mon.out in this example, can be saved,
sent by e-mail, or inspected with a text editor. In the last case make sure
that the file size is not excessive for your favorite editor.