This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Analysing USB traffic


I've captured USB traffic using Wireshark, but I'm finding it difficult to analyse. Most of my useful data lies in hundreds of URB_BULK in/out packets (too many to browse through one by one). I'm specifically interested in the actual data sent over USB, not the headers.

For TCP/IP data, I've found the "Follow TCP stream" function very useful to view the entire "conversation" between the host and the client, but there doesn't seem to be anything similar for USB.

What is the best way to view the entire "conversation" of all the USB data?

My best solution so far is to use tshark -x -r mydata.pcap to dump the file, then I get something like the following:

460  11.863947         host -> 3.1          USB 64 URB_BULK in

0000 00 f6 94 c0 00 88 ff ff 53 03 81 03 06 00 2d 3c ........S.....-<
0010 ad c8 b3 4f 00 00 00 00 96 a8 0c 00 8d ff ff ff ...O............
0020 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ................

461  11.864934          3.1 -> host         USB 77 URB_BULK in

0000 00 f6 94 c0 00 88 ff ff 43 03 81 03 06 00 2d 00 ........C.....-.
0010 ad c8 b3 4f 00 00 00 00 71 ac 0c 00 00 00 00 00 ...O....q.......
0020 0d 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 ................
0040 a4 09 50 60 00 00 00 00 00 ff ff 09 94          ..P`.........

asked 16 May ‘12, 09:15

Ralf Kistner


2 Answers:


These are the steps I followed to make the data usable:

  1. Filter out the irrelevant data. Kurt's answer helped a lot here. Select a message, find a field you need to filter on, right-click on the field and select "Apply as Filter". To filter on multiple fields, join them with and. In my case I was only interested in fields containing data, and only from a single device, so my filter looks like this:

    usb.data_flag == "present (0)" && usb.device_address == 3

    As I only monitored a single bus, I did not need to filter out the bus.

  2. Display useful columns. The default columns are not extremely useful, so I changed them to the following. The important one here is the "Leftover Capture Data".

    No.  (default column)
    Time  (default column)
    Source  (default column)
    Data length [bytes] (instead of length)
    Leftover Capture Data (the actual data as hex)

    To remove the redundant default columns, simply right-click and select remove. To add more columns, find the relevant field in the packet details, right click and select "Apply Column".

  3. (Optional) Export as text file. Once the filters and columns are configured, the data can be exported to a nice text format, to allow for easy search and copy/paste functionality. File -> Export -> as "Plain Text" file. Select "Displayed" instead of "Captured" to use the filters. Select only "Packet summary line" and not "Packet details" or "Packet bytes" for a nice and compact format. My output now looks as follows, containing only the relevant output:

    No.     Time        Source                Data length [bytes] Leftover Capture Data
         29 3.568506    host                  8                   a402440003e10000
         30 3.568930    3.1                   7                   a40340004400a3
         33 3.570528    host                  8                   a402450041a20000
         35 3.571931    3.1                   7                   a40340004500a2

Disclaimer: I know little about USB, so this might not be useful in the general case. In my case I'm only interested in the data (payload) sent with URB_BULK, and not any other data or headers.

answered 17 May '12, 13:47

Ralf Kistner

edited 17 May '12, 14:13
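A scripted version of the same steps, added here as an example that is not part of the question or of either answer. It assumes the capture is a Linux usbmon pcap (linktype 220, LINKTYPE_USB_LINUX_MMAPPED): the 64-byte header at the start of each packet in the question's tshark -x dump matches that layout (byte 8 is 'S'/'C', byte 9 is 3 for bulk, byte 10 the endpoint 0x81, byte 11 the device address 3, bytes 12-13 the bus 6). Frames 460 and 461 are copied from that dump; the OUT record is constructed here around the 8-byte payload from row 29 of the answer's exported table, and build_pcap wraps the three records in an in-memory pcap so the script runs without a capture file. USBPcap (Windows) and pcapng files use different headers and are rejected rather than misparsed.

```python
"""Follow a USB bulk 'conversation' in a Linux usbmon pcap (added example).

The 64-byte usbmon header (pcap linktype 220) is parsed with struct; only bulk
records that actually carry data are kept, which is the same payload-only view
the answer builds with display filters and columns.
"""
import struct

# Layout from linux/Documentation/usb/usbmon.rst, little-endian, no padding:
# id, type, xfer_type, epnum, devnum, busnum, flag_setup, flag_data, ts_sec,
# ts_usec, status, length, len_cap, setup[8], interval, start_frame,
# xfer_flags, ndesc
USBMON_HDR = struct.Struct("<QBBBBHccqiiII8siiII")
LINKTYPE_USB_LINUX_MMAPPED = 220
XFER_BULK = 3
FLAG_DATA_PRESENT = b"\x00"  # '<' or '>' here means the record carries no data


def parse_usbmon(pkt: bytes) -> dict:
    """Split one captured packet into usbmon header fields plus payload."""
    if len(pkt) < USBMON_HDR.size:
        raise ValueError("truncated usbmon header")
    (urb_id, ev_type, xfer_type, epnum, devnum, busnum, _flag_setup, flag_data,
     _ts_sec, _ts_usec, status, length, len_cap, _setup, _interval,
     _start_frame, _xfer_flags, _ndesc) = USBMON_HDR.unpack_from(pkt)
    payload = pkt[USBMON_HDR.size:USBMON_HDR.size + len_cap]
    return {
        "id": urb_id, "event": chr(ev_type), "xfer": xfer_type,
        "ep": epnum & 0x0F, "in": bool(epnum & 0x80),
        "bus": busnum, "dev": devnum,
        "data_present": flag_data == FLAG_DATA_PRESENT,
        "status": status, "length": length, "payload": payload,
    }


def read_pcap(blob: bytes):
    """Yield packet bytes from a classic little-endian pcap held in memory."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    if linktype != LINKTYPE_USB_LINUX_MMAPPED:
        raise ValueError(f"linktype {linktype}: only usbmon (220) is handled here")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def bulk_payloads(blob: bytes, bus: int, dev: int) -> list:
    """Bulk records for one device that carry data, in capture order.

    OUT data travels in the submission ('S'), IN data in the completion ('C'),
    so filtering on flag_data rather than on the event type keeps both
    directions and drops the empty halves of each transfer.
    """
    conversation = []
    for pkt in read_pcap(blob):
        r = parse_usbmon(pkt)
        if r["xfer"] != XFER_BULK or (r["bus"], r["dev"]) != (bus, dev):
            continue
        if not r["data_present"] or not r["payload"]:
            continue
        conversation.append(("IN" if r["in"] else "OUT", r["ep"], r["payload"]))
    return conversation


def render(conversation) -> str:
    """Hex/ASCII view, one line per data-bearing URB, like 'Follow TCP stream'."""
    lines = []
    for direction, ep, data in conversation:
        ascii_col = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
        lines.append(f"{direction:<3} ep{ep} {len(data):3d} {data.hex():<32} {ascii_col}")
    return "\n".join(lines)


def build_pcap(packets, linktype=LINKTYPE_USB_LINUX_MMAPPED) -> bytes:
    """Wrap raw records in a pcap container so the sample runs without a file."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    recs = b"".join(struct.pack("<IIII", 0, i, len(p), len(p)) + p
                    for i, p in enumerate(packets))
    return hdr + recs


# Frames 460 and 461 copied from the question's `tshark -x` dump: the 'S' half
# of a bulk IN on ep 0x81 (no data, status -115 = -EINPROGRESS) and its 'C'
# half carrying 13 bytes.
FRAME_460 = bytes.fromhex(
    "00f694c00088ffff5303810306002d3c" "adc8b34f0000000096a80c008dffffff"
    "00100000000000000000000000000000" "00000000000000000002000000000000")
FRAME_461 = bytes.fromhex(
    "00f694c00088ffff4303810306002d00" "adc8b34f0000000071ac0c0000000000"
    "0d0000000d0000000000000000000000" "00000000000000000002000000000000"
    "a40950600000000000ffff0994")
# Constructed OUT submission on ep 2 of the same device: the header is made up
# here, the 8-byte payload is row 29 of the answer's exported table.
FRAME_OUT = USBMON_HDR.pack(
    0xFFFF8800C094F600, ord("S"), XFER_BULK, 0x02, 3, 6, b"-", FLAG_DATA_PRESENT,
    0x4FB3C8AD, 0, -115, 8, 8, bytes(8), 0, 0, 0x200, 0,
) + bytes.fromhex("a402440003e10000")

SAMPLE_PCAP = build_pcap([FRAME_OUT, FRAME_460, FRAME_461])

if __name__ == "__main__":
    # For a real capture: blob = open("mydata.pcap", "rb").read()
    print(render(bulk_payloads(SAMPLE_PCAP, bus=6, dev=3)))
```

Running it prints one line for the OUT submission and one for the IN completion, with direction, endpoint, length, hex and ASCII. The 'S' half of the IN transfer (frame 460) is dropped because its flag_data byte is '<' and len_cap is 0, which is what the data-present filter in step 1 of the answer achieves in the GUI; a filter on the event type alone would lose one direction or the other.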


You could (display) filter on the device and bus ID:

usb.device_address eq 8 and usb.bus_id eq 1

This will show only the communication between that device and the host.

What is the best way to view the entire "conversation" of all the USB data?

Do you mean a text representation of the exchanged data? If yes, then there is nothing I know of.

Regards
Kurt

answered 16 May '12, 11:09

Kurt Knochner ♦

edited 16 May '12, 11:11

Thanks, the filter helps cutting away some of the non-relevant data at least. Is there a filter to only show the URB_BULK in/out data?

Yes, I mean viewing the exchanged data (excluding headers) in hex and/or ASCII format.

(16 May '12, 13:36) Ralf Kistner

Is there a filter to only show the URB_BULK in/out data?

Just open a USB packet and select any item. You will see the display filter in the status line at the bottom of the window. With that you should be able to build any filter you need.

(16 May '12, 15:48) Kurt Knochner ♦