usbmon captures

Question

I captured usb traces using usbmon and got a raw ascii format as output. When I try to open (to analyze) the captures using wireshark, I get an error msg like "The file isn't a capture file in a format wireshark understands".

Answer 1

On my system, I do this:

modprobe usbmon
mount -t usbfs /dev/bus/usb /proc/bus/usb

After that, run "tshark -D" to list all the interfaces. You should see the usbmonX interfaces listed. You'll need to figure out which one is applicable to your device, but that shouldn't be too hard if you run "cat /proc/bus/usb/devices".

For example, if your device shows up as "Bus=04", then you need to capture using "tshark -i usbmon4". And of course, if you want to save the packets to a .pcap file, then you also need to specify "-w outfile".

You might also take a look at: http://wiki.wireshark.org/CaptureSetup/USB

Answer 2

The usbmon mechanism has several different modes - there's a pure-text mode, which, from "I captured usb traces using usbmon and got a raw ascii format as output.", I assume you used, and there's also a binary mode.

Wireshark doesn't support directly reading the text files generated by the text mode of usbmon. What it does support is the mechanism in libpcap that uses usbmon to capture on USB; that's what Chris Maynard (cmaynard) described. If you have libpcap 1.1.0 or later ("tshark -v", "wireshark -v", or the "About" item in the "Help" menu for Wireshark, should indicate what version of libpcap you have), you should be able to directly capture on USB with Wireshark or TShark. You can also capture with recent versions of tcpdump and have Wireshark read those captures (tcpdump can also read them, although its ability to dissect them is currently limited).