How to dump USB traffic?
Solution 1
You can capture USB traffic with Wireshark.
From its wiki:
To dump USB traffic on Linux, you need the usbmon module, which has existed since Linux 2.6.11. Information on that module is available in /usr/src/linux/Documentation/usb/usbmon.txt in the Linux source tree. Depending on the distribution you're using, and the version of that distribution, that module might be built into the kernel, or might be a loadable module; if it's a loadable module, depending on the distribution you're using, and the version of that distribution, it might or might not be loaded for you. If it's a loadable module, and not loaded, you will have to load it with the command
modprobe usbmon
which must be run as root.
libpcap releases prior to 1.0 do not include USB support, so you will need at least libpcap 1.0.0.
For versions of the kernel prior to 2.6.21, the only USB traffic capture mechanism available is a text-based mechanism that limits the total amount of data captured for each raw USB block to about 30 bytes. There is no way to change this without patching the kernel. If debugfs is not already mounted on /sys/kernel/debug, ensure that it is mounted there by issuing the following command as root:
mount -t debugfs / /sys/kernel/debug
For kernel version 2.6.21 and later, there is a binary protocol for tracing USB packets which doesn't have that size limitation. For that kernel version, you will need libpcap 1.1.0 or newer, because the libpcap 1.0.x USB support uses, but does not correctly handle, the memory-mapped mechanism for USB traffic, which libpcap will use if available - it cannot be made unavailable, so libpcap will always use it.
In libpcap 1.0.x, the devices for capturing on USB have the name usbn, where n is the number of the bus. In libpcap 1.1.0 and later, they have the name usbmonn.
You will also need a Wireshark 1.2.x or newer.
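The text-based usbmon mechanism mentioned in Solution 1 can also be read without Wireshark. The following parser is an added example, not code from the original answer or from the Wireshark wiki: it assumes the line layout given in the kernel's usbmon.txt, the names UsbmonEvent, parse_line and parse_capture are this example's own, and the sample lines are constructed rather than captured.

```python
from dataclasses import dataclass
from typing import Optional

URB_TYPES = {"C": "control", "Z": "isochronous", "I": "interrupt", "B": "bulk"}

@dataclass
class UsbmonEvent:
    timestamp_us: int
    event: str                 # S = submission, C = callback, E = submission error
    urb_type: str
    direction: str             # "in" (device to host) or "out"
    bus: int
    device: int
    endpoint: int
    status: Optional[int]      # None when a setup packet takes its place
    setup: Optional[tuple]     # bmRequestType, bRequest, wValue, wIndex, wLength
    length: int                # data length reported for the URB
    data: bytes                # bytes actually present on the line

    @property
    def truncated(self) -> bool:
        # The text interface prints only the start of a large transfer.
        return bool(self.data) and len(self.data) < self.length

def parse_line(line: str) -> UsbmonEvent:
    words = line.split()       # words[0] is the URB tag, unused here
    kind, bus, dev, ep = words[3].split(":")
    if kind[0] == "Z":
        raise ValueError("isochronous lines carry extra fields not handled here")
    rest, setup, status = words[4:], None, None
    if rest[0] == "s":         # setup packet: five hex words follow the tag
        setup = tuple(int(x, 16) for x in rest[1:6])
        rest = rest[6:]
    else:                      # "status" or "status:interval" (interrupt URBs)
        first = rest[0].split(":")[0]
        status = int(first) if first.lstrip("-").isdigit() else None
        rest = rest[1:]
    data = bytes.fromhex("".join(rest[2:])) if rest[1:2] == ["="] else b""
    return UsbmonEvent(int(words[1]), words[2], URB_TYPES[kind[0]],
                       "in" if kind[1] == "i" else "out", int(bus), int(dev),
                       int(ep), status, setup, int(rest[0]), data)

# Constructed sample lines (not a real capture): bus 6, device 3.
SAMPLE = """\
ffff8800d0a1b900 1200100000 S Ci:6:003:0 s 80 06 0100 0000 0012 18 <
ffff8800d0a1b600 1200345678 C Ii:6:003:1 0:8 8 = 00807f80 7f000000
ffff8800d0a1bc00 1200500000 C Bi:6:003:2 0 64 = 00010203 04050607 08090a0b 0c0d0e0f 10111213 14151617 18191a1b 1c1d1e1f
"""

def parse_capture(text: str):
    return [parse_line(l) for l in text.splitlines() if l.strip()]
```

With usbmon loaded and debugfs mounted, lines in this format for bus 6 are read as root from /sys/kernel/debug/usb/usbmon/6u; the third sample line shows a 64-byte transfer of which only 32 bytes appear, which is the size limit of the text mechanism.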
Solution 2
Updating because this was the first result I found when I looked this up. The best method I've found on Debian Stretch is as follows:
# usbhid-dump --entity=all
That will dump the data incoming from all USB devices. Picked up my keyboard like a treat, and I can read every opcode in the stream.
user2485710
Updated on September 18, 2022
Comments
-
user2485710 over 1 year
I got a USB gamepad and I would like to see and inspect the signals and commands that this peripheral is actually sending to my PC/kernel: how can I do that?
I was assuming that something like
cat /dev/bus/usb/006/003
was enough, but apparently this command returns immediately and prints some unreadable encoded chars.
Is there a way to "debug" a USB device like that?
-
Philippe De Muyter almost 3 years
As its name implies, usbhid-dump works only for 'HID' USB devices, not for other types of USB devices.