Skip to content
/ usbcap Public

This is a simple tool to selectively capture data from linux' usbmon interface.

License

GPL-2.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

anszom/usbcap

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.gitignore
.gitignore
 
 
COPYING
COPYING
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
usbcap.c
usbcap.c
 
 

Repository files navigation

usbcap

This is a simple tool to selectively capture data from linux' usbmon interface.

A regular capture using tcpdump/dumpcap/wireshark returns all traffic from a single USB host, which can be very noisy at times. This tool allows you to filter data by usb device number or VID/PID pair.

Captured data is output to stdout in pcap format, it can be redirected to a file or piped to tcpdump in order to display captured data. It should also be possible to configure wireshark to read from usbcap, but I haven't tried it.

Running

The basic invocation options are:

./usbcap -i usbmonX [filter]
./usbcap -r usbmon.pcap [filter]

The first variant opens a live capture interface (obviously you need to have the usbmon module loaded and permission to open the capture interface). The second variant reads data from a pcap-formatted file.

The filter can be either a decimal USB device address (such as 123) or hexadecimal vid:pid pair (such as 0123:4567). Filtering by device address is straightforward, filtering by vid:pid requires that the tool is able to capture the GET DEVICE DESCRIPTOR request. For some reason, libpcap triggers such requests (if permissions allow), so usually you should have no problem with this limitation. Re-plugging the device is also a sure way to trigger detection. After the device is detected, it's followed by its address, currently only one device will be tracked even if multiple devices with the same vid/pid are connected.

If the filter is empty, all packets are returned, this is equivalent to

tcpdump -i usbmonX -s 128 -w -

Examples

Capturing data from a USB mouse (by address):

# lsusb
...
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 046d:c077 Logitech, Inc. M105 Optical Mouse <- here 002 is the device address
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
...
# ./usbcap -i usbmon1 2 | tcpdump -r - -x
Capturing device 2
Reading from file -, link-type USB_LINUX_MMAPPED (USB with padded Linux header)
20:34:46.632906 CONTROL SUBMIT to 1:2:0
20:34:46.633417 CONTROL COMPLETE from 1:2:0
	0x0000:  1201 0002 0000 0008 6d04 77c0 0072 0102
	0x0010:  0001
20:34:48.997711 INTERRUPT COMPLETE to 1:2:1
	0x0000:  0001 0100
...

By ID:

# ./usbcap -i usbmon1 046d:c077 | tcpdump -r - -x
Waiting for device 046d:c077
Now capturing device 2
reading from file -, link-type USB_LINUX_MMAPPED (USB with padded Linux header)
20:35:10.605437 CONTROL COMPLETE from 1:2:0
	0x0000:  1201 0002 0000 0008 6d04 77c0 0072 0102
	0x0010:  0001
20:35:11.253579 INTERRUPT COMPLETE to 1:2:1
	0x0000:  0001 0100
20:35:11.253607 INTERRUPT SUBMIT from 1:2:1
20:35:11.269558 INTERRUPT COMPLETE to 1:2:1
	0x0000:  0001 0100

About

This is a simple tool to selectively capture data from linux' usbmon interface.

Resources

Readme

License

GPL-2.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages