Hi, there are a lot of examples for capture filtering at http://wiki.wireshark.org/CaptureFilters but unfortunately none of them refers to USB. Could you give me an example, please?
asked 18 Aug '14, 10:41
edited 18 Aug '14, 10:42
You can't use a capture filter on USB data, as that's not implemented by libpcap (and/or usbmon), the capture library of Wireshark. The reason: libpcap uses BPF (Berkeley Packet Filter) to implement capture filters and that works mainly for network protocols. So, no USB data capture filtering without a massive rewrite of libpcap.
As a result, you can use display filters for USB traffic in Wireshark and/or tshark, but not capture filters.
answered 25 Aug '14, 16:04
Kurt Knochner ♦
Thanks, Kurt! But how can I capture the registering traffic? I guess I have to have my device disconnected, then start Wireshark to see registering progress. However, at the moment of starting Wireshark it is not known what address will be given by the operating system. What capture filter can be used then?
Perhaps the Wireshark USB capture setup wiki page will be of use to you?
I don't believe you will be able to do what you are trying to with a standard PC and Wireshark. That's what special USB capture devices are made for, especially if you want to monitor the phase while the USB device is connected to the PC.
If you are using Windows, you can follow the USBPcap guide found here: http://desowin.org/usbpcap/tour.html . As the device will always connect to the same root hub, you will be able to see the enumeration. I guess you should be able to do more or less the same thing with usbmon (as I already saw some Linux captures with the device enumeration).
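Since the device address is not known when the capture starts, one approach is to capture the whole bus and find the address afterwards. The following is an added example, not code from this thread or from Wireshark: it scans a saved Linux usbmon capture for GET_DESCRIPTOR(DEVICE) requests and prints a display filter for each device that enumerated. It assumes a little-endian classic pcap file (not pcapng, and not USBPcap, which uses a different header); the function names and the sample capture are constructed for illustration.

```python
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # classic pcap file header
PCAP_REC = struct.Struct("<IIII")        # per-record header
# First 48 bytes of the Linux usbmon header (same for linktypes 189 and 220):
# id, type, xfer_type, epnum, devnum, busnum, flag_setup, flag_data,
# ts_sec, ts_usec, status, length, len_cap, setup[8]
USBMON = struct.Struct("<QBBBBHbbqiiII8s")
SETUP = struct.Struct("<BBHHH")  # bmRequestType, bRequest, wValue, wIndex, wLength

def enumerated_devices(pcap):
    """Return [(bus, device_address)] in the order each device was first
    sent GET_DESCRIPTOR(DEVICE), a request the host issues during enumeration."""
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(pcap, 0)
    if magic != 0xA1B2C3D4 or linktype not in (189, 220):
        raise ValueError("not a little-endian Linux usbmon pcap")
    seen, off = [], PCAP_GLOBAL.size
    while off + PCAP_REC.size <= len(pcap):
        incl_len = PCAP_REC.unpack_from(pcap, off)[2]
        pkt = pcap[off + PCAP_REC.size : off + PCAP_REC.size + incl_len]
        off += PCAP_REC.size + incl_len
        if len(pkt) < USBMON.size:
            continue  # truncated record
        f = USBMON.unpack_from(pkt)
        ev, xfer, dev, bus, flag_setup, setup = f[1], f[2], f[4], f[5], f[6], f[13]
        if ev != ord("S") or xfer != 2 or flag_setup != 0:
            continue  # keep only control submissions that carry a setup packet
        req_type, request, value, _, _ = SETUP.unpack(setup)
        if (req_type, request, value >> 8) == (0x80, 6, 1) and (bus, dev) not in seen:
            seen.append((bus, dev))
    return seen

def _record(ev, xfer, dev, bus, setup=None):
    # Constructed pcap record: 48 parsed header bytes plus 16 bytes of padding.
    hdr = USBMON.pack(1, ord(ev), xfer, 0x80, dev, bus, 0 if setup else ord("-"),
                      ord("<"), 0, 0, 0, 0, 0, setup or bytes(8)) + bytes(16)
    return PCAP_REC.pack(0, 0, len(hdr), len(hdr)) + hdr

# Constructed capture of bus 1 (illustrative values, not a real trace):
# bulk traffic from device 2, then a new device enumerating as address 7.
GET_DEV_DESC = SETUP.pack(0x80, 6, 0x0100, 0, 18)
SAMPLE = (PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 220)
          + _record("S", 3, 2, 1) + _record("S", 2, 7, 1, GET_DEV_DESC)
          + _record("C", 2, 7, 1) + _record("S", 2, 7, 1, GET_DEV_DESC))

if __name__ == "__main__":
    for bus, dev in enumerated_devices(SAMPLE):
        print(f"usb.bus_id == {bus} && usb.device_address == {dev}")
```

The printed expression can be pasted into Wireshark's display filter bar for the same capture file. An entry with address 0 is the default address a device answers on before the host assigns one.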