This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

"usbmon text" converter to PCAP binary format

I'm designing with an embedded USB Host that isn't Linux (STM32F4 with 196K RAM) and looking for a format for implementing a dump of the USB wire-level transactions that can be transferred through a UART interface to a host for analysis by Wireshark. The primary purpose is to debug USB device enumerations and compare them against a Linux host's enumeration.

The embedded system has a well-buffered UART @115Kbaud, so the simplest approach, assuming a relatively low-speed USB Host interface, is to capture USB transactions as ASCII output into a slower RAM buffer, and then, when they are sent to the console, capture them via a terminal logger.

The "usbmon text" interface is well defined, but I haven't found any way of converting this to a Wireshark (PCAP?) format. I'm just wondering if anybody knows of a converter that can take "usbmon text" format and convert to a PCAP format, or any other ASCII format/converter to PCAP. Many thanks.

asked 15 Feb '16, 13:52

neilh

The "usbmon text" interface is well defined

Are you referring to the Linux usbmon text format, or to something else?

(15 Feb '16, 13:56) Guy Harris ♦♦

Hello Guy, yes the "Linux usbmon text format" outputs a text string, which would work well over an ASCII UART console interface.

However, as far as I can see, there isn't a way of capturing this and inputting it into Wireshark? Maybe I've missed something?

Hence, I'm wondering if there is a way of converting it into a format that Wireshark accepts?

thanks

(15 Feb '16, 16:09) neilh

One Answer:

I don't know of any converter program that exists now, but libpcap 1) can capture on Linux USB if it only gets the text format (the binary format is better, but it does handle the text format) and 2) libpcap obviously handles pcap, so somebody could start with the usb_read_linux() routine in libpcap's pcap-usb-linux.c and turn it into something that reads the text format and writes out a pcap file with a link-layer header type of LINKTYPE_USB_LINUX.

Other possibilities are:

  • write a module for libpcap that duplicates what pcap-usb-linux.c does, but does it reading from a text file rather than reading from the Linux text USB capture device, and build Wireshark using that version of libpcap - that'd allow you to directly capture from the serial port in Wireshark (or any other program built with that version of libpcap);
  • write an "extcap" program that does much the same, and have Wireshark use that to capture.

Unfortunately, there's not much in the way of documentation for either of those two processes; the first doesn't let you do that as a plugin (libpcap currently doesn't support plugin modules, so you'd need to build libpcap from scratch and link programs with it), and the latter does but isn't well documented (and requires Wireshark 2.x).

answered 15 Feb '16, 16:22

Guy Harris ♦♦

Hi Guy, many thanks for the quick response. I was just checking to see if I had missed anything for an easy solution. Thanks for the pointers, I'm also looking at another couple of options. If I can figure out a way through the ASCII stream (Zmodem) then maybe I can also make the binary pcap work. Thanks again.

(15 Feb '16, 16:56) neilh
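
The answer's first suggestion, a standalone program that reads usbmon text and writes a pcap file with link-layer type LINKTYPE_USB_LINUX, as an added example (not code from libpcap, Wireshark or either poster). It assumes the kernel's "1u" text line layout with the bus number in the address word and handles control, bulk and interrupt lines only; the names parse_line, convert and SAMPLE, and the choice to skip unparsable lines from a serial log, are this example's own.

```python
import struct

LINKTYPE_USB_LINUX = 189                 # pcap link type: 48-byte Linux USB header
XFER = {"Z": 0, "I": 1, "C": 2, "B": 3}  # transfer_type codes used in that header
HDR = struct.Struct("<QBBBBHBBqiiII8s")  # header layout, written little-endian

# Constructed sample input: two usbmon text lines plus one line of console noise.
SAMPLE = """\
ffff88003c4a1b40 3575914555 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
ffff88003c4a1b40 3575914560 C Ci:1:001:0 0 4 = 01050000
[boot] uart console ready
"""

def parse_line(line):
    """Parse one usbmon text line into (48-byte header, data, on-wire length)."""
    f = line.split()
    if len(f) < 6 or f[2] not in ("S", "C", "E") or f[3][0] not in "ICB":
        return None                      # noise, or isochronous (not handled here)
    xfer, bus, dev, ep = f[3].split(":")
    epnum = int(ep) | (0x80 if xfer[1] == "i" else 0)
    i, setup, setup_flag, status = 5, bytes(8), ord("-"), 0
    if f[4][0].isalpha():                # setup tag, followed by five setup words
        i = 10
        if f[4] == "s":                  # only 's' means the words are real
            setup = struct.pack("<BBHHH", *(int(x, 16) for x in f[5:10]))
            setup_flag = 0               # 0 = setup packet present
    else:
        status = int(f[4].split(":")[0]) # "status[:interval]"
    urb_len = int(f[i])
    tag = f[i + 1] if len(f) > i + 1 else "-"
    data = bytes.fromhex("".join(f[i + 2:])) if tag == "=" else b""
    hdr = HDR.pack(int(f[0], 16), ord(f[2]), XFER[xfer[0]], epnum, int(dev), int(bus),
                   setup_flag, 0 if data else ord(tag[0]), int(f[1]) // 10**6,
                   int(f[1]) % 10**6, status, urb_len, len(data), setup)
    return hdr, data, HDR.size + (max(urb_len, len(data)) if data else 0)

def convert(text):
    """Return the bytes of a pcap file built from usbmon text lines."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USB_LINUX)]
    for line in text.splitlines():
        try:
            rec = parse_line(line)
        except (ValueError, IndexError, struct.error):
            continue                     # corrupted or cut-off line in the serial log
        if rec:
            hdr, data, wire = rec
            ts = struct.unpack_from("<qi", hdr, 16)
            out.append(struct.pack("<IIII", *ts, len(hdr) + len(data), wire) + hdr + data)
    return b"".join(out)
```

Packet times in the output are the usbmon microsecond counter, so they appear dated shortly after the epoch; the relative timing between events is preserved.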