This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

usbmon captures

0

I captured USB traces using usbmon and got a raw ASCII format as output. When I try to open (to analyze) the captures using Wireshark, I get an error message like "The file isn't a capture file in a format Wireshark understands".

asked 14 Mar '11, 08:10

kishom
accept rate: 0%

I don't know the answer to your question; however, http://wiki.wireshark.org/CaptureSetup/USB may be of help.

(14 Mar '11, 08:35) Bill Meier ♦♦

2 Answers:

1

On my system, I do this:

modprobe usbmon
mount -t usbfs /dev/bus/usb /proc/bus/usb

After that, run "tshark -D" to list all the interfaces. You should see the usbmonX interfaces listed. You'll need to figure out which one is applicable to your device, but that shouldn't be too hard if you run "cat /proc/bus/usb/devices".

For example, if your device shows up as "Bus=04", then you need to capture using "tshark -i usbmon4". And of course, if you want to save the packets to a .pcap file, then you also need to specify "-w outfile".

You might also take a look at: http://wiki.wireshark.org/CaptureSetup/USB

answered 14 Mar '11, 08:41

cmaynard ♦♦
accept rate: 20%
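An added example (not part of either answer) that automates the lookup described above: it reads a listing in the /proc/bus/usb/devices format, finds the bus a device with a given Vendor/ProdID sits on, and builds the matching "tshark -i usbmonN -w outfile" command. The listing and the 046d:c077 VID/PID pair are constructed sample values, not taken from the question.

```shell
#!/bin/sh
# Constructed sample in the /proc/bus/usb/devices format (two devices, the
# second one on Bus=04). On a real system feed /proc/bus/usb/devices instead,
# after the modprobe/mount steps from the answer above.
SAMPLE_DEVICES='T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480  MxCh= 4
P:  Vendor=1d6b ProdID=0002 Rev= 2.06
S:  Product=EHCI Host Controller
T:  Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
P:  Vendor=046d ProdID=c077 Rev= 72.00
S:  Product=USB Optical Mouse'

# usb_bus_for_device VENDOR PRODID  (devices listing on stdin)
# Each "T:" line starts a new device and carries its Bus=NN field; the
# following "P:" line carries Vendor/ProdID. Prints the bus number with
# leading zeros stripped; exit status 1 if no such device is listed.
usb_bus_for_device() {
    awk -v vid="$1" -v pid="$2" '
        /^T:/ { bus = ""
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^Bus=/) { sub(/^Bus=/, "", $i); bus = $i } }
        /^P:/ && index($0, "Vendor=" vid) && index($0, "ProdID=" pid) {
            print bus + 0; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# usbmon_iface VENDOR PRODID  (devices listing on stdin)
# Maps the bus number to the usbmonN interface name that "tshark -D" lists.
usbmon_iface() {
    bus=$(usb_bus_for_device "$1" "$2") || return 1
    echo "usbmon$bus"
}

# capture_cmd VENDOR PRODID OUTFILE  (devices listing on stdin)
# Builds the capture command to run (as root) for that device's bus.
capture_cmd() {
    iface=$(usbmon_iface "$1" "$2") || return 1
    echo "tshark -i $iface -w $3"
}

# Stand-alone demo on the constructed sample: prints
# "tshark -i usbmon4 -w usb.pcap".
printf '%s\n' "$SAMPLE_DEVICES" | capture_cmd 046d c077 usb.pcap
```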

1

The usbmon mechanism has several different modes - there's a pure-text mode, which, from "I captured usb traces using usbmon and got a raw ascii format as output.", I assume you used, and there's also a binary mode.

Wireshark doesn't support directly reading the text files generated by the text mode of usbmon. What it does support is the mechanism in libpcap that uses usbmon to capture on USB; that's what Chris Maynard (cmaynard) described. If you have libpcap 1.1.0 or later ("tshark -v", "wireshark -v", or the "About" item in the "Help" menu for Wireshark, should indicate what version of libpcap you have), you should be able to directly capture on USB with Wireshark or TShark. You can also capture with recent versions of tcpdump and have Wireshark read those captures (tcpdump can also read them, although its ability to dissect them is currently limited).

answered 14 Mar '11, 11:13

Guy Harris ♦♦
accept rate: 19%