USB sniffing with Wireshark

4

12

At the moment I am using usbmon to sniff USB. For better understandability I want to use Wireshark. I've used Wireshark before for sniffing Ethernet packets. But what do I capture to sniff USB packets? I mean, I need to start by selecting which interface to capture on in Wireshark, but what would I select there for USB?

Minion answered 11/2, 2011 at 16:49 Comment(2)
From what I can tell, this is not currently possible with Wireshark on Windows. Sweetsop
Wireshark can only sniff USB on Linux. The easiest way to sniff packets is to use VMware. vusb-analyzer.sourceforge.net/tutorial.html Hallowell
11

Grab the newest Wireshark. Use lsusb before and after plugging in the device so you know which USB bus it's plugged into.

Type in a terminal:

su -c "modprobe usbmon" && su -c "wireshark"

(First, load the kernel module that allows USB sniffing for root; second, load Wireshark as root.)

Then select usbmonX, where X stands for the USB bus number (lsusb shows those numbers).

After that you still need to filter packets by device / vendor ID, or something else device-specific, as Wireshark will show all packets from all devices plugged into that bus. (Again, lsusb before/after plugging in your device will help.)

Restitution answered 28/4, 2013 at 11:55 Comment(1)
Running Wireshark as root can be dangerous; it's better to set up an additional wireshark user. It's done automatically on standard distributions like Fedora and Ubuntu. So installing Wireshark with the package manager would be the easiest solution. Anyway, you may come across problems with permissions like 'Can't open USB bus file /sys/kernel/debug/usb/usbmon/2t: Permission denied'; this can be easily solved by setting a few permissions on files. Manual here: ludovicrousseau.blogspot.com/2014/10/… Angieangil
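
The lsusb before/after step from the answer above, as an added example that is not part of the original posts: it diffs two lsusb snapshots and prints the usbmonX interface to capture on plus a usb.device_address display filter for the newly plugged device. The function names and the sample snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Input is lsusb text,
# so it runs offline; the snapshots at the bottom are constructed.

# new_usb_lines BEFORE AFTER
# Print lsusb lines present in AFTER but not in BEFORE (the new device).
new_usb_lines() {
    printf '%s\n' "$2" | grep -Fxv -e "$1" || true
}

# capture_plan BEFORE AFTER
# For each new device print: <interface>|<display filter>|<vid:pid>
capture_plan() {
    new_usb_lines "$1" "$2" | awk '
        $1 == "Bus" && $3 == "Device" && $5 == "ID" {
            bus = $2 + 0                     # "001" -> 1, i.e. usbmon1
            dev = $4; sub(/:$/, "", dev)     # "005:" -> "005"
            printf "usbmon%d|usb.device_address == %d|%s\n", bus, dev + 0, $6
        }'
}

# Constructed sample snapshots (what lsusb might print before/after plugging).
BEFORE='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'
AFTER='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 0781:5567 SanDisk Corp. Cruzer Blade
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

capture_plan "$BEFORE" "$AFTER" | while IFS='|' read -r ifc filter id; do
    echo "device $id: capture on $ifc, display filter: $filter"
done
```

The device address is assigned when the device enumerates, so take a fresh lsusb snapshot after every re-plug.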
3

Have you taken a look at the documentation for that on the Wireshark website?

In libpcap 1.0.x, the devices for capturing on USB have the name usbn, where n is the number of the bus. In libpcap 1.1.0 and later, they have the name usbmonn.

Protozoon answered 11/2, 2011 at 19:54 Comment(2)
Sorry, but I still didn't understand. I want to listen to the conversation with my pen drive, or with my USB keyboard. There are 3 options to start capturing, etc0, ppp0, lo; then how can I get the USB conversation? Minion
Upgrade to the latest version of libpcap (and/or probably your Linux distribution), and then use Wireshark to capture on the interfaces with names similar to "usbmon1". Linesman
0

A quick note, since I just started using Wireshark to sniff USB packets on Linux. As I understand it, you need the usbmon module loaded (which, if you are using it, should be). Additionally, I seem to recall that while Wireshark can be set up to let non-root users sniff Ethernet packets, some limitation required root access for USB packets (at least at the time of writing). Similar to what others have said, on my system, Ubuntu 12.10, the USB interfaces have names like "usbmon1 USB bus number 1" and so forth. (You might look at http://biot.com/blog/usb-sniffing-on-linux) The link listed has an image showing a filter which can be used to select only traffic to/from a device number (from lsusb).

I hope that's helpful.

Revels answered 23/10, 2013 at 21:54 Comment(0)
0

@przemo_li You want to filter by device address to see the communication from both the host and the device. The filter for that is usb.device_address ==.

Bastille answered 4/9, 2017 at 14:4 Comment(0)
