
How to increase the USB snap/buffer length to capture bigger packages?

asked 2019-10-16 12:35:38 +0000

void

updated 2019-10-16 12:37:28 +0000

I need to capture the data for a USB application that uses packages of size 1048603 bytes. Of these, only 65535 bytes are saved into the pcap-file, thus not giving me what I want and need, unfortunately.

I've tried increasing the values in the extcap.___usbpcapN.bufferlen and extcap.___usbpcapN.snaplen fields under the advanced options, but this doesn't give the desired result either.

Is this possible at all, or? At the moment I'm using Wireshark 3.0.5 (v3.0.5-0-g752a55954770) on Windows 10 with USBPcap 1.3.0 (what current version of Wireshark installs when doing a fresh install).

I've also tried running both tshark and USBPcapCMD from the command line, passing values for the -snaplen / -B -s and whatnot commands, but I still end up with not managing to achieve what I need for this application.


Comments

What value did you try for the snaplen? According to Wireshark source code wiretap/wtap.h header file, you should at least be able to capture up to 1,048,576 bytes. That will apparently still be too small for your needs, but it should get you a lot closer to your goal. If you really need more than that, then I'd recommend opening up a Wireshark bug report to request that limit be increased.

cmaynard ( 2019-10-16 13:52:19 +0000 )

1 Answer


answered 2019-10-16 15:39:39 +0000

Pascal Quantin

updated 2019-10-16 15:39:51 +0000

This sounds like the issue fixed in USBPcap 1.5.3.0 (see https://github.com/desowin/usbpcap/re...).

To use this version, you need to use at least Wireshark 3.1.0 development version as USBPcap 1.5.0.0 and later are not compatible with the 3.0.x Wireshark versions (due to the new control data transfer format that is not supported by earlier versions of Wireshark).

As Wireshark 3.1.0 packages USBPcap 1.5.2.0, you need to either manually update it (and copy the USBPcapCMD.exe to the extcap folder of your Wireshark installation) or use a Wireshark 3.1.1 nightly build.

Wireshark 3.1.0 development build can be found here: https://www.wireshark.org/#download and 3.1.1 nightly builds here: https://www.wireshark.org/download/au...


Comments

Or possibly this was the issue fixed in USBPcap 1.4.1.0? From https://github.com/desowin/usbpcap/re...:

  • Remove the 65535 upper limit on Wireshark extcap interface snaplen parameter

In any case, upgrading to the latest available version is usually the best thing to do, regardless.

But due to WTAP_MAX_PACKET_SIZE_USBPCAP definition, won't there still be a 1,048,576 byte limit imposed?

cmaynard ( 2019-10-16 18:09:45 +0000 )

Thanks for the feedback. I tried using the development version of Wireshark now in addition to manually copying USBPcapCMD.exe to the extcap folder, but Wireshark still complains that the packet is too long as soon as the stream starts. I've also asked the developer of USBPcapCMD, who confirms that the newest version of USBPcapCMD does work as intended and that the packages are captured, so it's basically Wireshark/tshark that have this 2^20 size limit on packets it seems, as @cmaynard commented.

Assume this means that I just have to hope this size limit is increased further or write a parser from scratch to extract the usb.pcap data.

void ( 2019-10-17 08:07:17 +0000 )

To close the loop here, the value of WTAP_MAX_PACKET_SIZE_USBPCAP has been raised from 1MiB to 128MiB. See Bug 15985 for the references to the commits that implemented this.

So, in addition to an update of USBPcap as @pascal-quantin suggested, an updated version of Wireshark that raises this limit is also needed. Until the next stable/development release is made, an automated installer can be downloaded from https://www.wireshark.org/download/au....

cmaynard ( 2019-10-18 17:08:07 +0000 )
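
The two limits discussed in this thread (capture-side truncation at the snaplen, and the reader-side per-packet maximum) can both be checked directly in the capture file. The Python sketch below is an added example, not code from the thread, Wireshark or USBPcap: it walks a classic pcap file and flags records that were truncated or that exceed a given reader limit. It assumes the capture is in classic pcap format; `audit_pcap`, `make_pcap` and the sample capture are names and data constructed for illustration.

```python
import struct

LINKTYPE_USBPCAP = 249            # pcap link type used for USBPcap captures
OLD_WTAP_LIMIT = 1 << 20          # 1 MiB per-packet limit discussed in the thread
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond pcap
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond pcap

def audit_pcap(data, reader_limit=OLD_WTAP_LIMIT):
    """Walk a classic pcap byte string; report truncated or oversized records."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file")
    end = MAGICS[data[:4]]                      # byte order implied by the magic
    _maj, _min, _zone, _sig, snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    report = {"snaplen": snaplen, "usbpcap": linktype == LINKTYPE_USBPCAP, "records": []}
    off, idx = 24, 0
    while off + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):          # file ends inside the record body
            report["records"].append({"index": idx, "error": "short read"})
            break
        report["records"].append({
            "index": idx, "incl_len": incl_len, "orig_len": orig_len,
            "truncated": incl_len < orig_len,               # cut at capture time
            "over_reader_limit": incl_len > reader_limit,   # too big for that reader
        })
        off += incl_len
        idx += 1
    return report

def make_pcap(snaplen, records):
    """Build a constructed little-endian pcap; records = [(incl_len, orig_len), ...]."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_USBPCAP)
    for incl_len, orig_len in records:
        out += struct.pack("<IIII", 0, 0, incl_len, orig_len) + bytes(incl_len)
    return out

if __name__ == "__main__":
    # Constructed sample: the 1048603-byte transfer from the question, cut at 65535.
    sample = make_pcap(65535, [(64, 64), (65535, 1048603)])
    for rec in audit_pcap(sample)["records"]:
        print(rec)
```

A record with `truncated` set points at the capture side (snaplen), while `over_reader_limit` points at the reading tool; pass `reader_limit=128 << 20` to check against the raised limit mentioned in the last comment.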
