Wireshark-users: Re: [Wireshark-users] How to re-assemble contents of a USB upload?
From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Tue, 28 Jun 2011 20:33:01 +0000 (UTC)
Svenn Are Bjerkem <svenn.bjerkem@...> writes:

> I understand that Wireshark and its command-line tools have features
> which can help me most of the way, maybe all the way, but it is a
> complex matter to find the right use of a program from its man file,
> and I thought maybe somebody on this list had already done something
> like this or close to this and would be kind enough to help me out
> with the right options for the right programs.

Maybe something like the following will help you?

tshark -r yourusbcapturefile.pcap \
  -R "usb.transfer_type == 3 && usb.endpoint_number.direction == 0 && usb.device_address == 0x40" \
  -T fields -e usb.capdata
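
The command above prints one line of hex per matching packet, so rebuilding the upload means decoding each line and concatenating the results in capture order. The script below is an added example, not part of the original post; the script name `reassemble.py` and the sample lines are constructed, and it assumes the field is printed as hex digits, either colon-separated or contiguous, with an empty line for a packet that carries no data.

```python
import sys


def parse_capdata_line(line):
    """Decode one line of `-T fields -e usb.capdata` output into bytes."""
    text = line.strip()
    if not text:
        return b""  # packet matched the filter but had no captured payload
    # Assumption: bytes are "de:ad:be:ef" or "deadbeef"; several occurrences
    # of the field in one packet are joined with tshark's default "," aggregator.
    hexdigits = text.replace(":", "").replace(",", "")
    try:
        return bytes.fromhex(hexdigits)
    except ValueError as exc:
        raise ValueError(f"not usb.capdata hex: {text[:40]!r}") from exc


def reassemble(lines):
    """Concatenate the payload of every line, in the order captured."""
    out = bytearray()
    for lineno, line in enumerate(lines, 1):
        try:
            out += parse_capdata_line(line)
        except ValueError as exc:
            # Report which line is bad rather than writing a corrupt file.
            raise ValueError(f"line {lineno}: {exc}") from exc
    return bytes(out)


# Constructed sample output, not taken from a real capture.
SAMPLE = [
    "48:65:6c:6c\n",  # colon-separated form
    "\n",             # packet without usb.capdata
    "6f2c2055\n",     # contiguous form
    "53:42:0a\n",
]

if __name__ == "__main__":
    # usage: tshark ... -T fields -e usb.capdata | python3 reassemble.py upload.bin
    data = reassemble(sys.stdin)
    with open(sys.argv[1], "wb") as fh:
        fh.write(data)
    print(f"wrote {len(data)} bytes to {sys.argv[1]}", file=sys.stderr)
```

The result is only as complete as the capture: payloads truncated by the capture snap length, or transfers that were repeated on the bus, end up in the output file unchanged.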