This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Unable to capture USBPCAP trace with Wireshark Command Line with extcap built.

0

.\Wireshark.exe -i 3 -k -w a.pcap Using this command on Wireshark to capture USB traffic - .\Wireshark.exe -i 8 -k -w a.pcap - throws an Error "ERROR READING FROM PIPE:THIS OPERATION RETURNED BECAUSE THE TIMEOUT PERIOD EXPIRED (error 1460)"

Using Wireshark GUI - When double clicked on the Interface name (USBPCAP3) the same error is observed using Wireshark GUI.

Only when i click on the extCap capture options i.e the round circular black button next to the interface, it asks to start the trace and on clicking start it works and captures the packets.

Please let me know as to how do i capture packets from USB using Wireshark Command Line.

Thanks Abhinand

asked 26 Sep '16, 04:13

abhierao's gravatar image

abhierao
6113
accept rate: 0%

edited 26 Sep '16, 05:05

grahamb's gravatar image

grahamb ♦
19.8k330206

2 Answers:

1

This is bug 12846 which has been marked as resolved and fixed today, so we can expect the fix to become part of the next stable release.

answered 26 Sep '16, 08:03

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

I did raise a Bug also they did mark it as a duplicate of 12846 and provided me with a new exe, its working fine with the new version, thanks.

When used Tshark.exe -i 8 -w a.pcap - The same error returns this is probably a Bug which needs FIX.

(26 Sep '16, 23:04) abhierao

Download the new version from here to fix the above problem - https://www.wireshark.org/download/automated/win64/Wireshark-win64-2.3.0-850-g73a0ee0.exe

NOTE : Tshark.exe -i 8 -w a.pcap - doesn't work with this build. Wireshark.exe command line works well. - Wireshark.exe -i 8 -k -w a.pcap

Thanks Abhinand

(26 Sep '16, 23:08) abhierao

@abhierao, please provide the output of tshark.exe -D, because from just -i 3 and -i 8 it is not clear what interface types the 3 and 8 represent, so it is hard to say whether it is the same issue or a different one.

(26 Sep '16, 23:12) sindy

Requested output:

C:\Program Files\Wireshark>tshark.exe -D

** (tshark.exe:3908): WARNING **: No such preference "extcap.____usbpcap3.devices" at line 367 of
C:\Users\sandisk\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning)


** (tshark.exe:3908): WARNING **: No such preference "extcap.____usbpcap1.devices" at line 407 of
C:\Users\sandisk\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning)


    

  1. \Device\NPF_{9B098323-011F-469A-B256-FA2AA31034ED} (Bluetooth Network Connection)
    2. 

  2. \Device\NPF_{337CAB15-451E-434E-94D4-D691228A096C} (Wireless Network Connection 2)
    3. 

  3. \Device\NPF_{F647C413-A878-43BF-AF0F-BC848D6A1359} (Wireless Network Connection)
    4. 

  4. \Device\NPF_{CB16933C-1DCA-461B-A5B5-334D69669EAD} (Wireless Network Connection 3)
    5. 

  5. \Device\NPF_{B508384C-DAFC-4C50-B0A4-3C5C8C062864} (Local Area Connection)
    6. 

  6. \.\USBPcap1 (USBPcap1)
    7. 

  7. \.\USBPcap2 (USBPcap2)
    8. 

  8. \.\USBPcap3 (USBPcap3)
    9. 

  9. cisco (Cisco remote capture)
    10. 

  10. randpkt (Random packet generator)
    11. 

  11. ssh (SSH remote capture)
    12. 

  12. udpdump (UDP Listener remote capture)
    13. 



C:\Program Files\Wireshark>tshark.exe -i 8 -w cmd.pcap


** (tshark.exe:1248): WARNING **: No such preference "extcap.____usbpcap3.devices" at line 367 of
C:\Users\sandisk\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning)


** (tshark.exe:1248): WARNING **: No such preference "extcap.____usbpcap1.devices" at line 407 of
C:\Users\sandisk\AppData\Roaming\Wireshark\preferences (save preferences to remove this warning)
Capturing on 'USBPcap3'
tshark: Error reading from pipe: This operation returned because the timeout period expired.
(error 1460)


tshark: Error by extcap pipe: C:\Program Files\Wireshark\extcap\USBPcapCMD.exe: –devices: option requires an option argument


C:\Program Files\Wireshark>
(26 Sep ‘16, 23:47) abhierao
  1. .\USBPcap3 (USBPcap3) - USB Drive is interface number 8 ; when given i = 3 i.e Wireless network it works without any problem
(26 Sep ‘16, 23:48) abhierao

OK, now it makes more sense to me. Assuming you observe this behaviour while using the snapshot version, please provide your output of tshark.exe -i 8 -w cmd.pcap as above as a comment to bug 12846, stating that it is obtained using the snapshot version (Wireshark-win64-2.3.0-850-g73a0ee0.exe) and that in that version the issue survives in tshark.

I’m afraid that when testing, Pascal may have saved the preferences while in Wireshark, effectively hiding the issue of tshark as both use the same preferences file.

(27 Sep ‘16, 00:29) sindy
showing 5 of 6 show 1 more comments

1

For reference, the issue with Wireshark GUI was tracked by bug 12846 that was fixed on the 18th of September.

The issue with tshark was tracked by bug 12949 and was fixed today.

Both will be part of Wireshark 2.2.1 once it is released.

answered 27 Sep '16, 13:57

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%