As per the title: can Wireshark capture USB data without truncation to 48 bytes?
I understand that this is a limitation of usbmon - whether it's a hard limit that can never be breached, I don't know, hence the question. But truncating the data to 48 bytes renders the capture useless for my present purposes.
asked 26 Sep '16, 08:34
edited 26 Sep '16, 13:36
Guy Harris ♦♦
Wireshark on Linux can capture USB traffic without truncating it to 48 bytes; kernel 4.4 is new enough that you do not have to worry about the historical limitation. Are you sure that your device is not sending less? While comparing libpcap versions is an option, to be absolutely sure you can first check whether the kernel actually gives you data.
So, check whether the kernel (USB device) really returns more than 48 bytes. To do so, either access the device nodes in debugfs (
Pay special attention to the number before the equals sign. This is the actual data length. For the textual output in debugfs, the data after
You can run the above experiment while capturing with
answered 14 Oct '16, 14:29
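An added example, not part of the original answer: a small parser for usbmon text lines that reads the length field before the data tag and lists the URBs whose reported length exceeds 48 bytes, so you can tell whether the device really sends more than a truncated capture shows. The sample lines are constructed, the function names are hypothetical, and the parser assumes the standard usbmon text layout with `=`, `<` or `>` as the data tag.

```python
USB_LIMIT = 48  # truncation size the question asks about

# Constructed sample lines in usbmon's text layout (not from a real capture).
SAMPLE = """\
ffff8800aa00 100000001 S Bi:1:004:1 -115 512 <
ffff8800aa00 100000950 C Bi:1:004:1 0 512 = 00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617 18191a1b 1c1d1e1f
ffff8800bb00 100001200 S Bo:1:004:2 -115 31 = 55534243 5e000000 00000000 00000600 00000000 00000000 00000000 000000
ffff8800bb00 100001300 C Bo:1:004:2 0 31 >
"""


def parse_line(line):
    """Return event, endpoint, reported length and bytes shown, or None."""
    tok = line.split()
    # Third field is the event type: S (submit), C (callback) or E (error).
    if len(tok) < 6 or tok[2] not in ("S", "C", "E"):
        return None
    # Data tag: '=' means data words follow, '<' and '>' mean none are shown.
    # Lines carrying any other tag are skipped (a simplification).
    tag_at = next((i for i in range(4, len(tok)) if tok[i] in ("=", "<", ">")), None)
    if tag_at is None or not tok[tag_at - 1].isdigit():
        return None
    # Each pair of hex digits after '=' is one byte actually printed.
    shown = sum(len(w) for w in tok[tag_at + 1:]) // 2 if tok[tag_at] == "=" else 0
    return {
        "event": tok[2],
        "endpoint": tok[3],
        "length": int(tok[tag_at - 1]),  # the number before the data tag
        "bytes_shown": shown,
    }


def urbs_over_limit(text, limit=USB_LIMIT):
    """List parsed URB events whose reported data length exceeds the limit."""
    records = (parse_line(l) for l in text.splitlines())
    return [r for r in records if r and r["length"] > limit]


if __name__ == "__main__":
    for r in urbs_over_limit(SAMPLE):
        print(f'{r["event"]} {r["endpoint"]}: length={r["length"]}, '
              f'bytes shown in text={r["bytes_shown"]}')
```

If this lists nothing for your device's traffic, the device is not sending transfers larger than 48 bytes and the capture is not being truncated.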