
Thursday, March 19, 2009


USB sniffing on linux

March 18th, 2009

The Linux kernel has a facility called "usbmon" which can be used to sniff the USB bus. It's been in there for ages, and the output is really easy to collect, even from the command line shell. Simply mount debugfs and load the usbmon module:

mount -t debugfs none_debugs /sys/kernel/debug
modprobe usbmon

Then you can just cat USB traffic like this:

cat /sys/kernel/debug/usbmon/1u 

It all comes out in an ASCII dump format which is easily parsed. Every USB bus also has a device file where you can sniff the raw packets straight off the wire. More info in the usbmon documentation.
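To show what "easily parsed" means in practice, here is an added example (not from the original post) that decodes lines in the usbmon text format into fields and pairs each submission with its callback to measure URB latency. The sample lines are constructed following the field layout in the kernel's usbmon documentation; isochronous descriptor lists are not decoded.

```python
# Constructed sample in the usbmon text format (what `cat .../usbmon/1u` prints):
# a control GET_STATUS submission and its callback, then an interrupt IN callback.
SAMPLE = """\
dd65f0e8 4128379752 S Ci:1:001:0 s a3 00 0000 0001 0004 4 <
dd65f0e8 4128379808 C Ci:1:001:0 0 4 = 01050000
f5aa2ad0 3004572152 C Ii:1:001:1 0:2048 8 = 01000000 00000000
"""

XFER = {"C": "control", "Z": "isochronous", "I": "interrupt", "B": "bulk"}
SETUP_FIELDS = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")

def parse_line(line: str) -> dict:
    """Parse one usbmon text line; field order follows Documentation/usb/usbmon."""
    f, i = line.split(), 4
    pipe, bus, dev, ep = f[3].split(":")
    ev = {
        "tag": f[0],                 # URB tag: only useful to pair an S with its C
        "ts_us": int(f[1]),          # timestamp in microseconds
        "event": f[2],               # S = submission, C = callback, E = error
        "xfer": XFER[pipe[0]], "dir": "in" if pipe[1] == "i" else "out",
        "bus": int(bus), "dev": int(dev), "ep": int(ep),
        "status": None, "setup": None,
    }
    if f[i] == "s":
        # control submission: 's' followed by the setup packet as five hex fields
        ev["setup"] = dict(zip(SETUP_FIELDS, (int(x, 16) for x in f[i + 1:i + 6])))
        i += 6
    else:
        # status word; interrupt URBs append ':interval', which is dropped here
        ev["status"] = int(f[i].split(":")[0])
        i += 1
    ev["length"] = int(f[i])         # requested length on S, actual length on C
    # data words (hex byte stream split into 4-byte words) follow only when tag is '='
    ev["data"] = bytes.fromhex("".join(f[i + 2:])) if f[i + 1] == "=" else b""
    return ev

def parse_usbmon(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def completion_latency_us(events: list) -> dict:
    """Pair each submission with its callback by URB tag: tag -> microseconds."""
    pending, out = {}, {}
    for e in events:
        if e["event"] == "S":
            pending[e["tag"]] = e["ts_us"]
        elif e["event"] == "C" and e["tag"] in pending:
            out[e["tag"]] = e["ts_us"] - pending.pop(e["tag"])
    return out
```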

But while it's all easily parsed if you need it, there aren't really any tools around that do it for you. That is… except for libpcap. Libpcap is the power behind the throne of the venerable tcpdump tool. Tcpdump is not much more than a command line parser and pretty-printer of various network protocols. The heavy duty lifting is done by libpcap, not least by providing a cross-platform API for sniffing devices, something that is otherwise non-standard and different on every platform. It's great, I've used it before (in capstats) and it's very easy to use.

Skipping on down...

You need relatively recent versions of libpcap, tcpdump and wireshark for this. I compiled all three of these out of their respective repositories (all three compiled easily). On my ubuntu system, the libpcap version was particularly old. Tcpdump doesn't have a pretty-printer for USB data yet, so you can only dump to a capture file for processing by wireshark.

Read more...

http://biot.com/blog/usb-sniffing-on-linux

Don

1 comment:

Anonymous said...

Hello! :)