Using Wireshark to sniff USB Packets

stealth86 · #1 25th February 2008, 10:04 PM

Has anyone tried to use Wireshark to sniff USB packets in Fedora?

I was following the instructions found here.

I've followed all of the instructions successfully up to `modprobe usbmon`, which fails with FATAL: Module usbmon not found.

Can anyone point me in the right direction here?

Alternatively, if you know of a way to capture usb packets other than wireshark that would be helpful too!

Thanks all.

stevea · #2 26th February 2008, 03:33 AM

This command
grep USB_MON /boot/config*
produces
/boot/config-2.6.23.15-137.fc8

ONFIG_USB_MON=y
The 'y' (as opposed to an 'm') means that the module is built into the kernel and does not need to be modprobe'd. So just ignore the direction to use modprobe.

Note that you will have to get the latest libpcap and rebuild wireshark on this. The wireshark delivered with F8 uses "libpcap.so.0.9 => /usr/lib/libpcap.so.0.9 (0x03785000)" which will not support the new interface for USB.

You can still do this ...
mount -t debugfs / /sys/kernel/debug
cat /sys/kernel/debug/usbmon/0u # my usb mouse ...

c2990a00 533295389 S Ii:3:006:1 -115:8 7 <
c2990a00 533303348 C Ii:3:006:1 0:8 7 = 000006e0 ff0000
c2990a00 533303363 S Ii:3:006:1 -115:8 7 <
c2990a00 533311356 C Ii:3:006:1 0:8 7 = 000003f0 ff0000
c2990a00 533311392 S Ii:3:006:1 -115:8 7 <
c2990a00 533319354 C Ii:3:006:1 0:8 7 = 000002f0 ff0000
c2990a00 533319383 S Ii:3:006:1 -115:8 7 <
c2990a00 533327344 C Ii:3:006:1 0:8 7 = 000001f0 ff0000
c2990a00 533327355 S Ii:3:006:1 -115:8 7 <
c2990a00 533335341 C Ii:3:006:1 0:8 7 = 000001f0 ff0000
c2990a00 533335357 S Ii:3:006:1 -115:8 7 <
c2990a00 533343350 C Ii:3:006:1 0:8 7 = 000001f0 ff0000
c2990a00 533343389 S Ii:3:006:1 -115:8 7 <
c2990a00 533351348 C Ii:3:006:1 0:8 7 = 000003f0 ff0000
c2990a00 533351372 S Ii:3:006:1 -115:8 7 <
c2990a00 533359341 C Ii:3:006:1 0:8 7 = 000002f0 ff0000
c2990a00 533359351 S Ii:3:006:1 -115:8 7 <
c2990a00 533367347 C Ii:3:006:1 0:8 7 = 000001e0 ff0000
c2990a00 533367382 S Ii:3:006:1 -115:8 7 <
c2990a00 533375347 C Ii:3:006:1 0:8 7 = 000003e0 ff0000
c2990a00 533375382 S Ii:3:006:1 -115:8 7 <
c2990a00 533383338 C Ii:3:006:1 0:8 7 = 000001f0 ff0000

stealth86 · #3 26th February 2008, 03:57 PM

Quote:

Originally Posted by stevea

The wireshark delivered with F8 uses "libpcap.so.0.9 => /usr/lib/libpcap.so.0.9 (0x03785000)" which will not support the new interface for USB.

That was the key. I did get the latest libpcap, but I just installed wireshark with yum.

Thanks!

MrUmunhum · #4 30th July 2010, 03:23 AM

Quote:

Originally Posted by stevea

You can still do this ...
mount -t debugfs / /sys/kernel/debug
cat /sys/kernel/debug/usbmon/0u # my usb mouse ...

c2990a00 533295389 S Ii:3:006:1 -115:8 7 <
c2990a00 533303348 C Ii:3:006:1 0:8 7 = 000006e0 ff0000
. . .

How do you determine what name to use? I tried plugging in a USB Stick but don't any added devices in /sys/kernel/debug/usbmon.
They show up in lsusb.

***Dan*** · #5 30th July 2010, 03:44 AM

This thread is over two years old. Probably better to start a new one than dig this out of the bone yard.