@saper-2
Last active June 9, 2023 16:39
USB capture on linux and view on Wireshark over ssh

This is easy, but setting it up for the first time means looking through a few pages, so here is everything in one place 😄

intro

I needed to sniff traffic on the USB bus of my Linux machine, on which I was writing a script for communicating with some USB device. So my setup is:

  • linux machine with usb device connected
  • Windows pc running wireshark

Linux setup (Debian based)

You'll need to install tcpdump:

# apt-get install tcpdump

Next you'll have to enable root login via ssh, using a password (a really good one) or ssh keys. If you go with keys, set PermitRootLogin prohibit-password in /etc/ssh/sshd_config so root can only log in with a key.

Figure out which device you are interested in; knowing its bus makes it easier to analyze the packets in Wireshark. Run lsusb:

root@t620:~ # lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 003: ID 0665:5161 Cypress Semiconductor USB to Serial
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

I'm interested in 0665:5161, so I got bus number 003 and the device number (since I have only one device on the bus, I'm not interested in it).

Now switch to root and load the usbmon kernel module, which allows capturing packets from USB:

# modprobe usbmon

Check that it is loaded; you should get a list at this path:

root@t620:~ # ls /sys/kernel/debug/usb/usbmon
0s  0u  1s  1t  1u  2s  2t  2u  3s  3t  3u  4s  4t  4u  5s  5t  5u  6s  6t  6u

Now also check that you have new usbmon devices in /dev. You should get a few devices: 0 is for all USB buses, 1...x is one per bus:

root@t620:~ # ll /dev |grep usbmon
crw-r--r--+ 1 root root    244,   0 Jun  9 17:13 usbmon0
crw-r--r--+ 1 root root    244,   1 Jun  9 17:13 usbmon1
crw-r--r--+ 1 root root    244,   2 Jun  9 17:13 usbmon2
crw-r--r--+ 1 root root    244,   3 Jun  9 17:13 usbmon3
crw-r--r--+ 1 root root    244,   4 Jun  9 17:13 usbmon4
crw-r--r--+ 1 root root    244,   5 Jun  9 17:13 usbmon5
crw-r--r--+ 1 root root    244,   6 Jun  9 17:13 usbmon6

Check that tcpdump also sees the usbmon devices as capture interfaces:

root@t620:~ # tcpdump --list-interfaces
1.enp1s0 [Up, Running, Connected]
2.tun0 [Up, Running, Connected]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
6.usbmon6 (Raw USB traffic, bus number 6)
7.usbmon5 (Raw USB traffic, bus number 5)
8.usbmon4 (Raw USB traffic, bus number 4)
9.usbmon3 (Raw USB traffic, bus number 3)
10.usbmon2 (Raw USB traffic, bus number 2)
11.usbmon1 (Raw USB traffic, bus number 1)
12.usbmon0 (Raw USB traffic, all USB buses) [none]
13.nflog (Linux netfilter log (NFLOG) interface) [none]
14.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
15.dbus-system (D-Bus system bus) [none]
16.dbus-session (D-Bus session bus) [none]
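As an added example (my own script, not code from the gist), here is the Linux side of this procedure wrapped up in one POSIX sh script: it loads usbmon if needed, checks the debugfs directory and the /dev nodes, maps a vendor:product ID from lsusb to the usbmonN interface, confirms tcpdump lists that interface, and writes the capture to a pcap file you can open in Wireshark. The function names and the two SAMPLE_* strings (constructed from the output shown above) are mine; the parsing helpers run offline, the capture itself needs root on the Linux box.

```shell
#!/bin/sh
# Added example, not part of the gist: the steps above (modprobe usbmon,
# check the usbmon nodes, find the bus with lsusb, check tcpdump sees the
# interface) in one script, writing the capture to a pcap file.
# Function names are my own; the SAMPLE_* strings are constructed from the
# output shown above so the parsing can be exercised without root.

SAMPLE_LSUSB='Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 003: ID 0665:5161 Cypress Semiconductor USB to Serial
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub'

SAMPLE_IFACES='1.enp1s0 [Up, Running, Connected]
9.usbmon3 (Raw USB traffic, bus number 3)
12.usbmon0 (Raw USB traffic, all USB buses) [none]'

# usb_bus_for_id VENDOR:PRODUCT [LSUSB_OUTPUT]
# Prints the bus number (e.g. "003") of the first lsusb line whose ID matches.
# Parses the text given as $2 when present, otherwise runs lsusb itself.
usb_bus_for_id() {
    if [ -n "${2:-}" ]; then _out=$2; else _out=$(lsusb); fi
    # lsusb line: "Bus 003 Device 003: ID 0665:5161 ..." -> $2 is the bus, $6 the ID
    printf '%s\n' "$_out" | awk -v id="$1" '$6 == id { print $2; exit }'
}

# usbmon_iface_for_bus BUS
# Maps a zero-padded lsusb bus number to the usbmon interface name: 003 -> usbmon3.
usbmon_iface_for_bus() {
    _n=$(printf '%s' "$1" | sed 's/^0*//')
    [ -n "$_n" ] || _n=0
    printf 'usbmon%s\n' "$_n"
}

# iface_listed IFACE [TCPDUMP_LIST_OUTPUT]
# True when "tcpdump --list-interfaces" output contains an entry "N.IFACE ".
iface_listed() {
    if [ -n "${2:-}" ]; then _list=$2; else _list=$(tcpdump --list-interfaces 2>/dev/null); fi
    printf '%s\n' "$_list" | grep -q "^[0-9]*\.$1 "
}

# usbmon_ready
# True when the usbmon module is loaded: debugfs shows its directory and
# the /dev/usbmon0 character device exists.
usbmon_ready() {
    [ -d /sys/kernel/debug/usb/usbmon ] && [ -c /dev/usbmon0 ]
}

# capture_usb VENDOR:PRODUCT OUTFILE.pcap
# Runs the whole procedure for one device and starts tcpdump on its bus.
# Needs root (or CAP_NET_RAW plus read access to /dev/usbmonN).
capture_usb() {
    _bus=$(usb_bus_for_id "$1")
    [ -n "$_bus" ] || { echo "no USB device with ID $1 found" >&2; return 1; }
    _iface=$(usbmon_iface_for_bus "$_bus")
    usbmon_ready || modprobe usbmon
    usbmon_ready || { echo "usbmon not available (debugfs mounted? module present?)" >&2; return 1; }
    iface_listed "$_iface" || { echo "tcpdump does not list $_iface" >&2; return 1; }
    echo "capturing $_iface (bus $_bus) to $2, stop with Ctrl-C" >&2
    tcpdump -i "$_iface" -w "$2"
}

# Usage: sh usbcap.sh 0665:5161 usb.pcap
if [ "$#" -eq 2 ]; then
    capture_usb "$1" "$2"
fi
```

Run it as root with `sh usbcap.sh 0665:5161 usb.pcap` and copy the pcap over to open it in Wireshark. If you would rather not set up sshdump on the Windows side, the same capture can be streamed straight into a locally running Wireshark: `ssh root@host 'tcpdump -i usbmon3 -U -w -' | wireshark -k -i -` (tcpdump's -U flushes each packet, -w - writes the pcap to stdout, and Wireshark's -k -i - starts capturing from stdin).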

Windows setup

Install Wireshark and don't forget to also select sshdump under the additional tools (the installer doesn't select it by default).

In Wireshark you should see an SSH remote capture interface; click the gear beside it and fill out the dialog. Everything is self-explanatory: use the root login and password/ssh keys. The only thing I should mention is the Capture tab: select tcpdump, and for the remote interface enter only the name usbmonX (e.g. usbmon3 in my case).
