How to dump USB traffic?
You can capture USB traffic with Wireshark.
From its wiki:
To dump USB traffic on Linux, you need the usbmon module, which has existed since Linux 2.6.11. Information on that module is available in /usr/src/linux/Documentation/usb/usbmon.txt in the Linux source tree. Depending on the distribution you're using, and the version of that distribution, that module might be built into the kernel, or might be a loadable module; if it's a loadable module, depending on the distribution you're using, and the version of that distribution, it might or might not be loaded for you. If it's a loadable module, and not loaded, you will have to load it with the command modprobe usbmon, which must be run as root.
libpcap releases prior to 1.0 do not include USB support, so you will need at least libpcap 1.0.0.
For versions of the kernel prior to 2.6.21, the only USB traffic capture mechanism available is a text-based mechanism that limits the total amount of data captured for each raw USB block to about 30 bytes. There is no way to change this without patching the kernel. If debugfs is not already mounted on /sys/kernel/debug, ensure that it is mounted there by issuing the following command as root: mount -t debugfs / /sys/kernel/debug
For kernel version 2.6.21 and later, there is a binary protocol for tracing USB packets which doesn't have that size limitation. For that kernel version, you will need libpcap 1.1.0 or newer, because the libpcap 1.0.x USB support uses, but does not correctly handle, the memory-mapped mechanism for USB traffic, which libpcap will use if available - it cannot be made unavailable, so libpcap will always use it.
In libpcap 1.0.x, the devices for capturing on USB have the name usbn, where n is the number of the bus. In libpcap 1.1.0 and later, they have the name usbmonn. You will also need a Wireshark 1.2.x or newer.
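The version rules quoted above can be checked before starting a capture. The script below is an added example, not part of the wiki text or the original answer; the function names, the --check flag and the /sys/module and /dev/usbmon0 checks are assumptions of this example, and the libpcap version is supplied by the caller.

```shell
#!/bin/sh
# Added example: read-only preflight for usbmon capture; it changes nothing.

# ver_ge A B: succeed when dotted version A >= B (first three numeric fields).
ver_ge() {
    a=${1%%[!0-9.]*}; b=${2%%[!0-9.]*}      # drop suffixes such as "-generic"
    for i in 1 2 3; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# capture_plan KERNEL LIBPCAP BUS: print "<mechanism> <device>", or fail with a reason.
capture_plan() {
    ver_ge "$1" 2.6.11 || { echo "no usbmon before Linux 2.6.11" >&2; return 1; }
    ver_ge "$2" 1.0.0  || { echo "libpcap before 1.0 has no USB support" >&2; return 1; }
    if ver_ge "$1" 2.6.21; then
        # libpcap always uses the memory-mapped path here; 1.0.x mishandles it.
        ver_ge "$2" 1.1.0 || { echo "kernel >= 2.6.21 needs libpcap >= 1.1.0" >&2; return 1; }
        echo "binary usbmon$3"
    elif ver_ge "$2" 1.1.0; then
        echo "text usbmon$3"                  # ~30 bytes of data per USB block
    else
        echo "text usb$3"                     # libpcap 1.0.x device naming
    fi
}

# preflight LIBPCAP BUS: apply the plan to this host and list missing prerequisites.
preflight() {
    plan=$(capture_plan "$(uname -r)" "$1" "$2") || return 1
    echo "plan: $plan"
    # Assumed heuristic: a loaded usbmon appears in sysfs or as /dev/usbmonN.
    [ -d /sys/module/usbmon ] || [ -e /dev/usbmon0 ] ||
        echo "usbmon not visible; as root: modprobe usbmon"
    case $plan in text*)
        grep -q ' /sys/kernel/debug debugfs ' /proc/mounts ||
            echo "debugfs not mounted; as root: mount -t debugfs / /sys/kernel/debug" ;;
    esac
}

# Usage: sh usb-preflight.sh --check <libpcap-version> [bus]
if [ "${1:-}" = "--check" ]; then preflight "$2" "${3:-1}"; fi
```

The printed device name is what Wireshark or tcpdump would be pointed at; opening it requires root or equivalent capture privileges.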