Tool to transform USB traffic gathered on a minimal Linux system into PCAPNG format for analysis with Wireshark.
Notably "minimal Linux system" includes OpenWRT. It has a usbmon kernel module available, but the precompiled libpcap package does not include USB support, so `tcpdump -i usbmon0 -w usbmon.pcap` does not work. (`tshark -i usbmon -w usbmon.pcapng` is even more out of the question: there's no tshark package at all.)
Idea credit to Gemini, which ~~hallucinated~~ anticipated the existence of a `usbmon2pcap` CLI tool.
Note there are four usbmon formats:
| Format | How to get | Extended? |
|---|---|---|
| `t` text | `cat /proc/sys/kernel/debug/usb/usbmon/0t` | No |
| `u` text | `cat /proc/sys/kernel/debug/usb/usbmon/0u` | Yes |
| 48-bit binary | `cat /dev/usbmon0` or `ioctl(fd, MON_IOCX_GET, ...)` | No |
| 64-bit binary | `ioctl(fd, MON_IOCX_GETX, ...)` or `ioctl(fd, MON_IOCX_MFETCH)` | Yes |
usbmon2pcap currently supports only the 48-bit format because it's the easiest. You don't have to write/cross-compile/upload any special program to gather the input on a minimal system, and it can be trivially wrapped in PCAPNG headers. The extra information offered by the u text and 64-bit binary formats doesn't seem necessary for basic questions like "what's happening with my USB cell modem?"
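The wrapping described above, as an added example that is not usbmon2pcap's own source. It assumes the kernel's legacy usbmon binary record layout as returned by reading `/dev/usbmon0` (a 48-byte header with `ts_sec`, `ts_usec`, `len_urb` and `len_cap` at offsets 16, 24, 32 and 36, followed by `len_cap` data bytes; this is the format the table lists as 48-bit binary) and pcap link type 189 (`LINKTYPE_USB_LINUX`). The names `wrap`, `rd`, `wr` and the `be` flag (true when the capturing host is big-endian, as many OpenWRT MIPS targets are) are hypothetical.

```rust
// Added example, not usbmon2pcap's own source; names and the `be` flag are assumptions.
const HDR: usize = 48; // size of the legacy usbmon header that read(2) on /dev/usbmonN returns
const LINKTYPE_USB_LINUX: u64 = 189; // pcap link type for that header layout
// Read/write an n-byte integer in the capturing host's byte order.
fn rd(b: &[u8], off: usize, n: usize, be: bool) -> u64 {
    let it = b[off..off + n].iter();
    if be { it.fold(0u64, |a, &x| a << 8 | x as u64) } else { it.rev().fold(0u64, |a, &x| a << 8 | x as u64) }
}
fn wr(out: &mut Vec<u8>, v: u64, n: usize, be: bool) {
    let le = v.to_le_bytes();
    if be { out.extend(le[..n].iter().rev()) } else { out.extend(le[..n].iter()) }
}
/// Returns (pcapng bytes, packets written, trailing input bytes not converted).
pub fn wrap(input: &[u8], be: bool) -> (Vec<u8>, usize, usize) {
    let mut out = Vec::new();
    // Section Header Block (28 bytes), then Interface Description Block (20 bytes).
    // Blocks use the capture host's byte order so readers decode the USB header correctly.
    for (v, n) in [(0x0A0D0D0A, 4), (28, 4), (0x1A2B3C4D, 4), (1, 2), (0, 2), (u64::MAX, 8), (28, 4),
                   (1, 4), (20, 4), (LINKTYPE_USB_LINUX, 2), (0, 2), (0, 4), (20, 4)] {
        wr(&mut out, v, n, be);
    }
    let (mut pos, mut count) = (0, 0);
    while input.len() - pos >= HDR {
        let rec = &input[pos..];
        let (len_urb, len_cap) = (rd(rec, 32, 4, be), rd(rec, 36, 4, be));
        let cap = HDR as u64 + len_cap;
        if (rec.len() as u64) < cap { break; } // record cut short, e.g. capture stopped by ^C
        // ts_sec and ts_usec combined into microseconds, the PCAPNG default resolution.
        let ts = rd(rec, 16, 8, be).wrapping_mul(1_000_000).wrapping_add(rd(rec, 24, 4, be));
        let pad = (4 - cap % 4) % 4;
        // Enhanced Packet Block: type 6, length, interface 0, timestamp hi/lo, captured, original.
        for (v, n) in [(6, 4), (32 + cap + pad, 4), (0, 4), (ts >> 32, 4), (ts, 4),
                       (cap, 4), (HDR as u64 + len_urb.max(len_cap), 4)] {
            wr(&mut out, v, n, be);
        }
        out.extend_from_slice(&rec[..cap as usize]);
        out.resize(out.len() + pad as usize, 0);
        wr(&mut out, 32 + cap + pad, 4, be);
        pos += cap as usize; count += 1;
    }
    (out, count, input.len() - pos)
}
fn main() {
    // Constructed sample: one little-endian record with 3 data bytes, then 5 stray bytes.
    let mut rec = vec![0u8; HDR];
    rec[32] = 3; rec[36] = 3;
    rec.extend_from_slice(&[0xAA, 0xBB, 0xCC, 1, 2, 3, 4, 5]);
    let (out, packets, dropped) = wrap(&rec, false);
    println!("{} bytes, {} packet(s), {} trailing byte(s) ignored", out.len(), packets, dropped);
}
```

Passing the wrong `be` value usually yields zero packets, because `len_cap` then decodes to a value larger than the remaining input.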
Building:
- If you don't have Rust, follow the directions at rustup.rs.
- `cargo build --release`
- `sudo install -m 755 target/release/usbmon2pcap /usr/local/bin/usbmon2pcap`
Usage:
```
fancysystem$ ssh openwrt
openwrt# opkg update
openwrt# opkg install kmod-usbmon
openwrt# modprobe usbmon
openwrt# cat /dev/usbmon0 > /tmp/usbmon.bin
(wait for the traffic of interest)
^C
openwrt# exit
fancysystem$ scp openwrt:/tmp/usbmon.bin .
fancysystem$ usbmon2pcap --input=usbmon.bin --output=usbmon.pcapng
fancysystem$ wireshark usbmon.pcapng
```
License: MIT or Apache-2.0, your choice.