This is easy, but to set it up for the first time you would need to look through a few pages, so here is everything in one place 😄
I needed to sniff traffic on the USB bus on my Linux machine, on which I was writing a script for communicating with a USB device. So my setup is:
- linux machine with usb device connected
- Windows pc running wireshark
You'll need to install tcpdump on the Linux machine: apt-get install tcpdump
Next you'll have to enable root login via SSH, either with a password (a really good one) or, preferably, with SSH keys. Since this opens root on the box to the network, keep it key-only where you can (PermitRootLogin prohibit-password in sshd_config), only allow it from the machine running Wireshark, and turn it off again when you are done capturing.
Figure out which device you are interested in; knowing its bus and device address makes the packets easier to analyze in Wireshark later (you can filter on usb.bus_id and usb.device_address). Run lsusb:
root@t620:~ # lsusb
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 003: ID 0665:5161 Cypress Semiconductor USB to Serial
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
I'm interested in 0665:5161, so I note bus number 003 and device number 003 (since I have only one device on that bus, the device number doesn't really matter to me).
Now switch to root and load the usbmon kernel module, which allows capturing packets from USB:
# modprobe usbmon
Check that it is loaded; you should get a listing in this path (debugfs has to be mounted at /sys/kernel/debug for it to show up):
root@t620:~ # ls /sys/kernel/debug/usb/usbmon
0s 0u 1s 1t 1u 2s 2t 2u 3s 3t 3u 4s 4t 4u 5s 5t 5u 6s 6t 6u
Now also check that you get new usbmon devices in /dev. You should get a few of them: usbmon0 is for all USB buses, usbmon1...usbmonX is one per bus:
root@t620:~ # ll /dev |grep usbmon
crw-r--r--+ 1 root root 244, 0 Jun 9 17:13 usbmon0
crw-r--r--+ 1 root root 244, 1 Jun 9 17:13 usbmon1
crw-r--r--+ 1 root root 244, 2 Jun 9 17:13 usbmon2
crw-r--r--+ 1 root root 244, 3 Jun 9 17:13 usbmon3
crw-r--r--+ 1 root root 244, 4 Jun 9 17:13 usbmon4
crw-r--r--+ 1 root root 244, 5 Jun 9 17:13 usbmon5
crw-r--r--+ 1 root root 244, 6 Jun 9 17:13 usbmon6
Check that tcpdump also sees the usbmon devices as capture interfaces:
root@t620:~ # tcpdump --list-interfaces
1.enp1s0 [Up, Running, Connected]
2.tun0 [Up, Running, Connected]
3.any (Pseudo-device that captures on all interfaces) [Up, Running]
4.lo [Up, Running, Loopback]
5.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
6.usbmon6 (Raw USB traffic, bus number 6)
7.usbmon5 (Raw USB traffic, bus number 5)
8.usbmon4 (Raw USB traffic, bus number 4)
9.usbmon3 (Raw USB traffic, bus number 3)
10.usbmon2 (Raw USB traffic, bus number 2)
11.usbmon1 (Raw USB traffic, bus number 1)
12.usbmon0 (Raw USB traffic, all USB buses) [none]
13.nflog (Linux netfilter log (NFLOG) interface) [none]
14.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
15.dbus-system (D-Bus system bus) [none]
16.dbus-session (D-Bus session bus) [none]
Install Wireshark on the Windows PC and don't forget to also enable sshdump under the additional tools (it's not selected by the installer by default).
In Wireshark you should now see an "SSH remote capture" interface. Click the gear beside it and fill out the dialog; everything is self-explanatory: the Linux host, the root login and the password or SSH key.
The only thing worth mentioning is the Capture tab: select tcpdump, and for the remote interface enter only the name usbmonX (usbmon3 in my case).
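If you would rather not open root SSH for Wireshark, the Linux-side steps above can be done locally and the resulting pcap copied over. The script below is an added example, not from the original post: it finds the bus for a VID:PID from lsusb output, makes sure usbmon is loaded, and captures that bus with tcpdump. The function names (usb_bus_for_id, usbmon_iface_for_bus, ensure_usbmon, capture_usb_bus) and the default output file name are this example's own choices; SAMPLE_LSUSB is a constructed copy of the listing above used only for checking the parser.

```shell
#!/bin/sh
# Added example (not part of the original post): capture one USB bus with
# tcpdump given a VID:PID. Run as root: sh usbcap.sh 0665:5161 cypress.pcap

# Constructed sample lsusb output (same lines as in the post) for testing.
SAMPLE_LSUSB='Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 003: ID 0665:5161 Cypress Semiconductor USB to Serial
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub'

# Print the bus number (e.g. "003") of the first lsusb line whose ID matches
# the given VID:PID. lsusb output is read on stdin so the function can be
# exercised on constructed text. Returns 1 if no device matches.
# lsusb fields: $1=Bus $2=003 $3=Device $4=003: $5=ID $6=0665:5161 ...
usb_bus_for_id() {
    bus=$(awk -v id="$1" '$1 == "Bus" && $5 == "ID" && $6 == id { print $2; exit }')
    [ -n "$bus" ] || return 1
    printf '%s\n' "$bus"
}

# Map an lsusb bus number such as "003" to the tcpdump interface name
# "usbmon3" (leading zeros stripped; "usbmon0" means all buses).
usbmon_iface_for_bus() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf 'usbmon%s\n' "${n:-0}"
}

# Load the usbmon module (and mount debugfs if needed); /dev/usbmonN only
# appear once the module is in.
ensure_usbmon() {
    [ -d /sys/kernel/debug/usb/usbmon ] && return 0
    mountpoint -q /sys/kernel/debug || mount -t debugfs none /sys/kernel/debug
    modprobe usbmon
    [ -d /sys/kernel/debug/usb/usbmon ]
}

# Capture one bus to a pcap file. -s 0 keeps full URB payloads instead of
# truncating them at the default snaplen.
capture_usb_bus() {
    iface=$(usbmon_iface_for_bus "$1")
    out="${2:-${iface}.pcap}"
    [ -c "/dev/${iface}" ] || { echo "no /dev/${iface}; is usbmon loaded?" >&2; return 1; }
    echo "capturing ${iface} to ${out} (Ctrl-C to stop)" >&2
    tcpdump -i "$iface" -s 0 -w "$out"
}

main() {
    id="$1"
    bus=$(lsusb | usb_bus_for_id "$id") || { echo "no device with ID $id" >&2; exit 1; }
    ensure_usbmon || { echo "usbmon not available" >&2; exit 1; }
    capture_usb_bus "$bus" "${2:-}"
}

# Run only when given a VID:PID; with no arguments the file just defines the
# functions so it can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Copy the pcap to the Windows PC (scp works fine) and open it in Wireshark; with more than one device on the bus, the display filter usb.bus_id == 3 && usb.device_address == 3 narrows it to the one you care about.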