USB capture setup

This page is about capturing raw USB traffic, e.g. the packets a USB mouse will generate on the Universal Serial Bus.

Table of contents

USB attached network interfaces

A special case are network interfaces connected to a host computer through an USB cable. The operating system "converts" the raw USB packets into the network traffic (e.g. Ethernet packets) and provides a network interface that looks like an ordinary network interface. So you can capture from:

The USB bus will add additional overhead, so the raw USB traffic will have higher volume than the network traffic, even if the only active USB devices on the system are network adapters. (If there are other active USB devices, the raw USB traffic will include traffic to and from those devices, so it will obviously have higher volume than Ethernet traffic.)

Linux

To dump USB traffic on Linux, you need the usbmon module, which has existed since Linux 2.6.11. Information on that module is available in /usr/src/linux/Documentation/usb/usbmon.txt in the Linux source tree. Depending on the distribution you're using, and the version of that distribution, that module might be built into the kernel, or might be a loadable module; if it's a loadable module, depending on the distribution you're using, and the version of that distribtuion, it might or might not be loaded for you. If it's a loadable module, and not loaded, you will have to load it with the command

which must be run as root.

libpcap releases prior to 1.0 do not include USB support, so you will need at least libpcap 1.0.0.

For versions of the kernel prior to 2.6.21, the only USB traffic capture mechanism available is a text-based mechanism that limits the total amount of data captured for each raw USB block to about 30 bytes. There is no way to change this without patching the kernel. If debugfs is not already mounted on /sys/kernel/debug, ensure that it is mounted there by issuing the following command as root:

For kernel version 2.6.21 and later, there is a binary protocol for tracing USB packets which doesn't have that size limitation. For that kernel version, you will need libpcap 1.1.0 or newer, because the libpcap 1.0.x USB support uses, but does not correctly handle, the memory-mapped mechanism for USB traffic, which libpcap will use if available - it cannot be made unavailable, so libpcap will always use it.

In libpcap 1.0.x, the devices for capturing on USB have the name usbn, where n is the number of the bus. In libpcap 1.1.0 and later, they have the name usbmonn.

You will also need a Wireshark 1.2.x or newer.

Windows

You can capture raw USB traffic on Windows with USBPcap. The Tools page lists some other options for Windows USB capture.

You can also capture and debug USB traffic on a virtual Windows machine under VirtualBox. In some ways this is more convenient than working with a separate Windows box.

In this example, an embedded Linux device running g_ether (RNDIS ethernet gadget) connects to Windows. e.g. an NSLU2 with a USB slave modification http://www.nslu2-linux.org/wiki/HowTo/AddDeviceSideUSBPort but it should work for almost any USB device.

With this method, Linux recognises the USB device (i.e. >lsusb will still show them), but VirtualBox hooks it into Windows but Wireshark on linux still gets to snoop on all the packets.

Steps:

1. Install a VirtualBox Windows guest on your Linux host. Start up the virtual Windows session.

2. Plug-in the embedded slave device via a USB cable, which itself should be either a device Windows already knows about (or in this case it was running a valid g_ether gadget stack and needed a .inf file)

3. Run >lsusb and take a note of which bus the device connects.

4. On linux side,run >ifconfig usb0 down - this prevents both the linux system and the windows system from fighting over the device

5. On the Windows virtual machine, on VirtualBox menus click the checkbox

6. Now Windows should recognise the device and proceed with the "plug-and-pray" session for driver initialisation.

7. In this example, I had to set up the networking options for IP address, Gateway etc on Windows to match the IP network on the gadget but for other USB device types there will be no extra setup. In any case this is just normal Windows behavior.

8. On Linux, startup Wireshark and using the Bus number given earlier from >lsusb command to sniff for packets.

Hints for developing something like a Windows native "USBPcap": a kernel mode filter device driver has to be written. An older Driver Development Kit (DDK) is available which at least can compile kernel mode binaries. The most important functions to install the filter driver are CreateService() and SetupDiSetDeviceRegistryProperty() function with SPDRP_LOWERFILTERS parameter.

Discussion

Why was the note about inaccurate time stamps removed?!? - UlfLamping

The timestamps should be ok now since libpcap worksaround the issue by explicitly calling gettimeofday()- ronnie

Well, the inaccuracies I had in mind was about the "delta" involved between the data is received from the USB device and actually timestamped from the kernel. This delta will be substantially lower for e.g. PCI based nic's than for USB ones - and should be mentioned. Or am I just wrong on this topic and this can be ignored - which should be mentioned then too? - UlfLamping

There's "capturing on USB-attached networking interfaces" and there's "capturing USB traffic"; this page is for the latter, but it sounds as if the time stamp delta is an issue for the former. - Guy Harris

See Also

CaptureSetup/USB (last edited 2013-03-21 20:07:39 by GeraldCombs)