USB traffic capture on macOS stops when large packets arrive

asked 2020-05-24 15:31:49 +0000

T1000 gravatar image

updated 2020-05-24 22:08:00 +0000

Guy Harris gravatar image

Dear all,

I am using the latest version (V 3.2.4) of Wireshark on maxOS 10.14 for capturing the USB traffic. It seems to be that Wireshark stops capturing when a packet arrives > 500kb . This is typically the case if a USB camera transfers the image data. Has anyone observe such issue?

edit retag flag offensive close merge delete

Comments

Try it with tcpdump. Does the same thing happen? (And do not upgrade to Catalina; Catalina requires that you turn System Integrity Protection off in order to capture USB traffic!)

Guy Harris gravatar imageGuy Harris ( 2020-05-24 22:07:02 +0000 )edit

yes, with tcpdump it works fine. This is good alternative. Does it means that wireshark GUI has an issue?

T1000 gravatar imageT1000 ( 2020-05-25 06:39:50 +0000 )edit

It means Wireshark has an issue; it's not an issue with libpcap, the BPF code, or the USB->BPF code. Whether it's in the GUI or in dumpcap or somewhere else is a question whose answer is not yet known.

What happens if you try capturing with dumpcap?

Guy Harris gravatar imageGuy Harris ( 2020-05-25 06:59:19 +0000 )edit

Hi,

dumpcap does not stop the capturing when bigger packet arrives,but if open the saved log with wireshark for further analyses, there is bigger packets to be found in the log. If I reduce the packet size on the camera, then I see all packets. It seems to be that the issue is there but behavior slightly different that wireshark gui.

What you think?

T1000 gravatar imageT1000 ( 2020-05-25 11:25:59 +0000 )edit
add a comment