Capturing USB with libpcap on Linux

asked 2018-02-05 16:55:56 +0000

DaveHarper

I'm trying to capture full USB packets on a Raspberry Pi (kernel v4.9.59) using Wireshark (v2.2.6) and have followed the instructions on the Wireshark USB capture setup page. That page indicates that usbmon limits captured data on each block to about 30 bytes, so I downloaded, built and installed the latest libpcap (version 1.8.1). Looking at the available interfaces, I see usbmon1 listed, but when I try to capture on it I get the popup that /sys/kernel/debug/usb/usbmon/1t can't be opened (because it doesn't exist). If I load usbmon with modprobe and make /sys/kernel/debug/usb/usbmon/1t readable/writable by me, then the capture works, but I only get the first 32 bytes of each packet. What do I need to do to get Wireshark to capture using libpcap?



It looks as though there is a so-called snaplength applied somewhere during capture. Are you using Wireshark to capture on the Pi, or another program, e.g. tcpdump? What happens when you set a snaplength of 64 bytes, for instance? Does that change anything?

Jaap ( 2018-02-06 10:27:46 +0000 )

Jaap - at the time I did the original posting I was using Wireshark to do the capture. I kept digging after the post and found I could use tcpdump for the capture and then Wireshark to display the captured pcap file. I had seen snaplen mentioned in the man page but it said that the default length was 262144 so I hadn't used it. I just ran another test with it adding -s 512 (this is high speed USB packet size). Once again I found that I was only getting 30 bytes per packet. I used the data in the next Wireshark capture frame and scanned for it in the output file from my application and found it - not at address 0x200 as I would have expected (the start of the second 512 byte packet) but at address 0x1FE. This was the same pattern for the third packet, found ...(more)

DaveHarper ( 2018-02-06 13:58:02 +0000 )

While I don't see anything in the comments section here, I did receive an email earlier to check if ESL was disabled in the Analyze -> Enabled Protocols section. I did this and it was enabled (along with everything else).

DaveHarper ( 2018-02-06 15:54:32 +0000 )

That was a mispost, you can safely disregard that remark.

Jaap ( 2018-02-06 19:11:58 +0000 )

May I ask if you are receiving the data correctly (not on the usbmon interface, but the application's interface)? I really wonder why you would be seeing the data you're looking for in the next frame.

Jaap ( 2018-02-06 19:23:42 +0000 )
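
The 32-byte cutoff described in the question can be checked directly in the usbmon text stream (the `1t` file), where each event line reports the URB's data length followed by at most 32 bytes of data words. The following is an added example, not code from this thread or from the Wireshark or libpcap projects; the sample lines are constructed, the function names are hypothetical, and isochronous lines are skipped.

```python
import re

# Constructed sample in the usbmon text ("1t") line format; not from a real capture.
SAMPLE = """\
ffff8800aa10 1000 S Bi:1:004:1 -115 512 <
ffff8800aa10 1250 C Bi:1:004:1 0 512 = 00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617 18191a1b 1c1d1e1f
ffff8800bb20 1300 S Co:1:004:0 s 40 09 0001 0000 0004 4 = deadbeef
ffff8800bb20 1400 C Co:1:004:0 0 4 >
"""

def parse_line(line):
    """Parse one control/bulk/interrupt event; return None for anything else."""
    f = line.split()
    if len(f) < 6 or not re.fullmatch(r"[CBI][io]:\d+:\d+:\d+", f[3]):
        return None  # isochronous ('Z') lines carry extra descriptor fields
    # A numeric status word sits at f[4]; otherwise f[4] is a setup tag
    # followed by five setup words, which pushes the length to f[10].
    i = 5 if re.match(r"-?\d", f[4]) else 10
    if len(f) <= i:
        return None
    length = int(f[i])
    tag = f[i + 1] if len(f) > i + 1 else ""
    # Data words are only present when the data tag is '='.
    data = bytes.fromhex("".join(f[i + 2:])) if tag == "=" else b""
    return {"event": f[2], "addr": f[3], "length": length,
            "data": data, "has_data": tag == "="}

def truncated_events(text):
    """Return (address, reported length, bytes present) for cut-off payloads."""
    out = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["has_data"] and len(ev["data"]) < ev["length"]:
            out.append((ev["addr"], ev["length"], len(ev["data"])))
    return out

if __name__ == "__main__":
    for addr, length, got in truncated_events(SAMPLE):
        print(f"{addr}: URB reports {length} bytes, text line holds {got}")
```

A capture whose events all show up here with 32 bytes present was taken through the text interface, so a larger snaplen on the capturing tool cannot recover the missing payload.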