This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how can I precisely specify a USB device to capture with tshark?

0

I have a USB instrument, and I want to capture packets on it. I ran .\tshark.exe -D and the USB interface is number 6. then I ran the command: .\tshark.exe -c 100 -i 6 it seemed to capture the USB traffic from my device. Then it occurred to me, that when this device is running, there may be multiple USB devices, hooked up to the system, and just specifying might not be enough. I know the Device ID(0x0009), and Vendor ID(0x08f7) how can I specify the exact device I want to capture, via tshark?

I see a -f <capture filter=""> Set the capture filter expression option, and some network examples but this doesn't include any USB packet capture examples.

asked 07 Jul '16, 17:21

Eric%20Lovejoy's gravatar image

Eric Lovejoy
1445
accept rate: 0%

edited 09 Jul '16, 12:11

sindy's gravatar image

sindy
6.0k4851

One Answer:

1

Simply put, there is no capture filter available for usb capturing, except the root hub (or "bus") number. This number translates into a capturing interface name if you use the extcap API to control the USBPcap, which is what you seem to be doing as you've provided a tshark ... command line rather than USBPcap ... command line. So in your case, as tsharks returns just a single USB interface to capture at, there is just a single root hub in the PC.

During USB enumeration phase, each USB device detected is assigned an ID like m.n, where m is the root hub number and n is the order number of the device to be identified. If you unplug a device and plug it again to the same physical port, it will keep the m but get a new n. In your case with a single root hub, m will always be 1.

The VID and PID (vendor ID and product ID) are only used to identify the device and choose a proper driver for it during the so-called enumeration phase. So unless you capture the enumeration phase (i.e. unless you start capturing on the proper root hub before plugging the device in), you won't capture the VID and PID at all.

So your only chance is to use a display filter. There, you can use the full usb addresses of the endpoints of the devices (usb.addr == "m.n.e" where e is the endpoint id) to see only the packets (actually, URBs, it is a difference!) to/from a particular endpoint of a particular device, or you can filter for m and n combination only (i.e. URBs to/from all endpoints of a device) using usb.bus_id == m and usb.device_address == n.

If you did capture the enumeration phase, a display filter usb.idVendor and usb.idProduct will show you all packets that contain the VID:PID pairs, and you can use these packets to map these VID:PID pairs to the m.n device addresses (the packets that contain the VID and PID always come from endpoint 0).

A display filter can be used already during capture, but it only prevents the non-matching URBs from being displayed, not from being captured. So in Wireshark, you have to use File->Export Specified Packets->Displayed to save only the packets matching the display filter expression to a new pcap file; in tshark, specifying the display filter expression using -Y and the output file using -w should do the trick (as with tshark, the display filter affects what is written to the output pcap file), but with tshark, you won't know the m and n in advance unless you first run tshark with -Y "usb.idVendor and usb.idProduct" and no -w before plugging the device in, to see the VID:PID to m.n mapping in the text form, followed by another tshark run with -Y "usb.bus_id == m and usb.device_address == n" and the -w causing the writing of the filtered captured data to a file.

answered 08 Jul '16, 15:41

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 09 Jul '16, 12:10