September 17, 2017

Wireshark and USB

On my Fedora system, hardly anything could be easier: just run Wireshark and select one of the usbmon interfaces. On my system I see usbmon1, 2, 3, and 4. Some old instructions indicate that I need to load the usbmon driver, but I have not found this to be true.

I want to watch my CP2102 USB-to-serial dongle enumerate. The first USB port I plugged it into yielded traffic on usbmon1, which seems to be the same bus that has my mouse. I moved to a different port on the front of my PC and now the traffic is all by itself on usbmon2, which makes things a lot easier. Now it is just a matter of understanding all of the traffic that gets captured. Just plugging in the CP2102 yields 86 new packets. Note that there is chatter between the host and the USB hub embedded in my PC, as well as traffic between the host and my target device.

It is possible to do a "File -- Export" as plain text to get a dump to sift through with an editor.

The sad story, though, is that Wireshark is not actually dumping what goes out on the wire. It is dumping URBs (USB Request Blocks), which are Linux kernel objects. Note that for each captured "packet", Wireshark reports two events -- submit and completion (or submit and error). It all seems like total insanity to me, but maybe there is a way to make sense of it.
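One way to make sense of the submit/completion pairs, and to drop the hub chatter so only the target device is left, is to join the two events by URB tag. The script below is an added example, not part of the original post; it assumes the capture is in the kernel's usbmon text format (the debugfs `usbmonNu` files) rather than Wireshark's plain-text export, and the sample lines, URB tags and device addresses are constructed (the descriptor carries the well-known CP2102 vendor/product IDs).

```python
import re

# Constructed sample in the kernel usbmon text format (/sys/kernel/debug/usb/usbmon/2u),
# not a Wireshark export: URB tag, timestamp (us), S/C/E, type+dir:bus:dev:ep, rest.
SAMPLE = """\
ffff8800a1b2c000 1000100 S Ci:2:001:0 s a3 00 0000 0001 0004 4 <
ffff8800a1b2c000 1000250 C Ci:2:001:0 0 4 = 01010000
ffff8800a1b2c200 1001000 S Ci:2:000:0 s 80 06 0100 0000 0040 64 <
ffff8800a1b2c200 1001200 C Ci:2:000:0 0 18 = 12010002 00000040 c41060ea 00010102 0301
ffff8800a1b2c400 1003000 S Ci:2:003:0 s 80 06 0100 0000 0012 18 <
ffff8800a1b2c400 1003300 C Ci:2:003:0 0 18 = 12010002 00000040 c41060ea 00010102 0301
ffff8800a1b2c500 1004000 S Bi:2:003:1 -115 64 <
ffff8800a1b2c500 1004500 E Bi:2:003:1 -2 0
"""

LINE_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<ts>\d+)\s+(?P<ev>[SCE])\s+(?P<xfer>[CZIB])"
                     r"(?P<dir>[io]):(?P<bus>\d+):(?P<dev>\d+):(?P<ep>\d+)\s*(?P<rest>.*)$")

def parse_usbmon(text):
    """One dict per usbmon line; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def pair_urbs(events):
    """Join each submit (S) with its completion (C) or error (E) by URB tag."""
    pending, urbs = {}, []
    for ev in events:
        if ev["ev"] == "S":
            pending[ev["tag"]] = ev
            continue
        sub = pending.pop(ev["tag"], None)
        if sub is None:
            continue  # completion whose submit was not captured
        urbs.append({"dev": int(ev["dev"]), "ep": int(ev["ep"]), "xfer": ev["xfer"],
                     "dir": ev["dir"], "ok": ev["ev"] == "C", "setup": sub["rest"],
                     "result": ev["rest"], "latency_us": int(ev["ts"]) - int(sub["ts"])})
    return urbs

def for_device(urbs, dev):
    """Filter by device address: 0 is the default address used before SET_ADDRESS,
    and 1 is usually the root hub, so the hub chatter drops out."""
    return [u for u in urbs if u["dev"] == dev]

def descriptor_ids(result):
    """idVendor/idProduct (little-endian, bytes 8..11) from a completed
    GET_DESCRIPTOR(DEVICE) result such as '0 18 = 12010002 ...'."""
    raw = bytes.fromhex(result.split("=", 1)[1].replace(" ", ""))
    return int.from_bytes(raw[8:10], "little"), int.from_bytes(raw[10:12], "little")
```

Running `for_device(pair_urbs(parse_usbmon(SAMPLE)), 3)` leaves just the two URBs addressed to the dongle, with the bulk-in error shown as a failed URB, and `descriptor_ids` on the first one recovers 10c4:ea60.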


Feedback? Questions? Drop me a line!

Tom's Computer Info / [email protected]