Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

I'm using Wireshark 3.2.3 and usbmon for capturing USB traffic on Ubuntu 20.04.

Presumably you mean that you're capturing with Wireshark and using the usbmon devices.

If so, then this is a limit wired into the Linux kernel. To quote a comment in the libpcap code for usbmon:

     * A packet from binary usbmon has:   
     *  1) a fixed-length header, of size header_size;
     *  2) descriptors, for isochronous transfers;
     *  3) the payload.
     * The kernel buffer has a size, defaulting to 300KB, with a
     * minimum of 8KB and a maximum of 1200KB.  The size is set with
     * the MON_IOCT_RING_SIZE ioctl; the size passed in is rounded up
     * to a page size.
     * No more than {buffer size}/5 bytes worth of payload is saved.
     * Therefore, if we subtract the fixed-length size from the   
     * snapshot length, we have the biggest payload we want (we
     * don't worry about the descriptors - if we have descriptors,
     * we'll just discard the last bit of the payload to get it
     * to fit).  We multiply that result by 5 and set the buffer
     * size to that value.

So if {buffer_size} is the maximum value allowed by the kernel, namely 1200 KB (KiB, really, i.e. 1200*1024), then the "No more than ... worth of payload is saved" value is 245760. 245824 is that plus the size of the header prepended to the data, which is 64 bytes.

Fixing this would first require that BUFF_MAX be increase in the usbmon driver in the Linux kernel. Then libpcap would have to be modified to handle the larger maximum for USB capturing on Linux, and then Wireshark would have to be modified to handle that as well.