Wireshark-users: Re: [Wireshark-users] "capture raw USB traffic" functionality not working?
From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 26 Sep 2007 06:56:02 +0200
Hi,

Never tried it myself, but this caught my eye on the Wiki page:
"The latest libpcap CVS (not an 0.9.x release or earlier release) is required for capturing raw USB traffic."

Thanx,
Jaap

Joshua Pollack wrote:
Hi,

I'm interested in using Wireshark to capture raw USB traffic, but I
can't seem to get this feature to work.  Has anyone on this list ever
managed to do this before?

The page on the wiki
http://wiki.wireshark.org/CaptureSetup/USB

says that to use this, you must load the usbmon kernel module, which
lets you get access to the data via debugfs, and also mount debugfs at
/sys/kernel/debug.  It says that once these steps have been taken,
that devices looking like 'usbX' should show up in Wireshark's
"Capture Interfaces" dialog.

I've tried these steps and have no such device showing.

I've confirmed that usbmon is doing what I thought it to be doing,
when I cat /sys/kernel/debug/usbmom/1u, I get the traffic off that
bus.

My question is, has anyone else used this feature before?  How did you
enable it?  I tried with both the Wireshark provided by debian and one
I built from source (both 0.99.6).  I've tried this on kernel 2.6.18
as well as 2.6.22 (since the \du interface appeared with 2.6.21) Both
of them I tried with libpcap (0.9.7).  Is there some debug output I
could be reading which might indicate why I can't capture from USB?

If anyone has gotten this to work before I'd be interested in the
configuration details so i can try to reproduce it.

Thanks,
Joshua