USB capture setup

This page is about capturing raw USB traffic, e.g. the packets a USB mouse will generate on the Universal Serial Bus.

USB attached network interfaces

A special case is network interfaces connected to a host computer through a USB cable. The operating system "converts" the raw USB packets into network traffic (e.g. Ethernet packets) and provides a network interface that looks like an ordinary one. So you can capture from:

The USB bus will add additional overhead, so the raw USB traffic will have higher volume than the Ethernet traffic.

Linux

This is what http://hachoir.org/wiki/Canoscan5000F has to say about USB capturing support on Linux: To dump USB traffic on Linux, you need the usbmon module, which has existed since Linux 2.6.11. Get more information in the Linux documentation: /usr/src/linux/Documentation/usb/usbmon.txt

The latest libpcap CVS is required for capturing raw USB traffic; the latest libpcap release (0.9.8) does not include USB support.

The devices will be named usbX.

Shortcomings: "... current kernel code limits the total amount of data captured for each raw USB block to about 30 bytes. There is no way to change this without patching the kernel"

To start capturing USB data, ensure that usbmon is available and debugfs is mounted by issuing the following command as root:

mount -t debugfs / /sys/kernel/debug && modprobe usbmon

Start Wireshark and select Capture/Interfaces. In the "Capture Interfaces" dialog you should find the usual Ethernet devices plus a bunch of "usbX" interfaces, one for each USB bus detected in the host system.

With Linux >= 2.6.21, there is a binary protocol for tracing USB packets which doesn't have the size limitations.

In case /proc/bus/usb/ is empty, you'll need to populate it with:

mount -t usbfs /dev/bus/usb /proc/bus/usb
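As an added example (not part of the original page), a small Python parser for the text format usbmon exposes in the /sys/kernel/debug/usb/usbmon/<bus>u files, the interface whose per-URB data cap the "Shortcomings" note above describes; the word layout follows the kernel's usbmon.txt, and the sample lines are constructed, not a real capture. The truncated property flags completions where usbmon kept fewer bytes than the URB actually moved.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

XFER = {"C": "control", "Z": "isochronous", "I": "interrupt", "B": "bulk"}

@dataclass
class UsbmonEvent:
    tag: str                          # URB tag; identical on an S line and its C line
    timestamp_us: int
    event: str                        # S submission, C callback, E submission error
    xfer: str                         # a value of XFER
    direction: str                    # "in" or "out"
    address: Tuple[int, int, int]     # bus, device address, endpoint number
    status: Optional[int]             # None when a setup packet stood in its place
    setup: Optional[Tuple[int, ...]]  # bmRequestType, bRequest, wValue, wIndex, wLength
    data_len: int                     # requested (S) or actual (C) length
    data: bytes                       # what usbmon captured; empty if it kept none

    @property
    def truncated(self) -> bool:
        # True when usbmon kept fewer bytes than the URB moved (the ~30-byte cap)
        return bool(self.data) and len(self.data) < self.data_len

def parse_usbmon_line(line: str) -> UsbmonEvent:
    # Word order per usbmon.txt (/sys/kernel/debug/usb/usbmon/<bus>u): tag, timestamp,
    # event, address, status word or setup packet, data length, data tag, hex data words
    w = line.split()
    typ, bus, dev, ep = w[3].split(":")    # e.g. Ii:1:003:1
    if typ[0] == "Z":
        raise ValueError("isochronous events add frame descriptors; not handled here")
    i, status, setup = 4, None, None
    if w[i].lstrip("-")[:1].isdigit():     # numeric word, possibly "status:interval"
        status, i = int(w[i].split(":")[0]), i + 1
    else:                                  # setup tag + 5 words; 's' = captured, else filler
        setup = tuple(int(x, 16) for x in w[i + 1:i + 6]) if w[i] == "s" else None
        i += 6
    data_len, data_tag = int(w[i]), w[i + 1]
    data = bytes.fromhex("".join(w[i + 2:])) if data_tag == "=" else b""
    return UsbmonEvent(w[0], int(w[1]), w[2], XFER[typ[0]], "in" if typ[1] == "i" else "out",
                       (int(bus), int(dev), int(ep)), status, setup, data_len, data)

# Constructed sample (not a real capture): hub GET_STATUS control transfer, mouse-style
# interrupt-IN report, and a 64-byte bulk-IN completion of which usbmon kept only 32 bytes.
SAMPLE = """\
f46d5c00 1253222470 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
f46d5c00 1253222503 C Ci:1:001:0 0 4 = 01050000
e8f1b200 1253222600 S Ii:1:003:1 -115:8 8 <
e8f1b200 1253230610 C Ii:1:003:1 0:8 8 = 00010000 00000000
c0ffee00 1253231000 C Bi:2:004:2 0 64 = 55534253 00000010 00000000 00000000 00000000 00000000 00000000 00000000
"""
```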

Windows

You cannot capture raw USB traffic on Windows with Wireshark/WinPcap. However, see the Tools page for some alternatives.

Hints for developing something like "USBPcap": a kernel mode filter device driver has to be written. An older Driver Development Kit (DDK) is available which at least can compile kernel mode binaries. The most important functions for installing the filter driver are CreateService() and SetupDiSetDeviceRegistryProperty() with the SPDRP_LOWERFILTERS parameter.

Discussion

Why was the note about inaccurate time stamps removed?!? - UlfLamping

The timestamps should be ok now since libpcap works around the issue by explicitly calling gettimeofday() - ronnie

Well, the inaccuracies I had in mind were about the "delta" between when the data is received from the USB device and when it is actually timestamped by the kernel. This delta will be substantially lower for e.g. PCI based NICs than for USB ones - and should be mentioned. Or am I just wrong on this topic and this can be ignored - which should be mentioned then too? - UlfLamping

See Also



CaptureSetup/USB (last edited 2008-05-13 15:06:50 by 76-191-139-56)