
Monday, April 4, 2011


USB sniffing on linux

The linux kernel has a facility called “usbmon” which can be used to sniff the USB bus. It’s been in there for ages, and the output is really easy to collect, even from the command line shell.
Simply mount debugfs and insmod the usbmon module:
mount -t debugfs none_debugs /sys/kernel/debug
modprobe usbmon
Then you can just cat USB traffic like this:
cat /sys/kernel/debug/usbmon/1u
It all comes out in an ASCII dump format which is easily parsed. Every USB bus also has a device file where you can sniff the raw packets straight off the wire.
More info in the usbmon documentation.

But while it’s all easily parsed if you need it, there aren’t really any tools around that do it for you. That is… except for libpcap. Libpcap is the power behind the throne of the venerable tcpdump tool. Tcpdump is not much more than a command line parser and pretty-printer of various network protocols. The heavy duty lifting is done by libpcap, not least by providing a cross-platform API for sniffing devices, something that is otherwise non-standard and different on every platform. It’s great, I’ve used it before (in capstats) and it’s very easy to use.
Libpcap on linux supports usbmon sniffing, which means you can use tcpdump to sniff a USB port and write this to a capture file. But best of all: wireshark, the all-singing all-dancing network analyzer that uses tcpdump capture files, has USB support as well.
So this is the result:

The screenshot shows a filter applied to only see device 18 on the sniffed USB bus. That’s an arduino, i.e. an FTDI USB-serial chip. The FTDI chips send status updates to the USB host system every 16ms (!). The status update consists of a two-byte message (described here). This is actually present in every packet coming in from the FTDI chip; status updates just don’t have any other data. So for a clean sniffing session from the arduino, we want to filter out any packets that are <>
The end result is serial data which the arduino sent to the host system. The screenshot shows a session on my arduino shell, arsh. This is great stuff - wireshark includes a massive amount of analysis tools and lots of options for filtering and otherwise massaging your captured data.
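As an added example (not from the original post), here is the "easily parsed" usbmon text format turned into exactly the filter described above: take only completed bulk-IN URBs from the arduino's device address, strip the two FTDI status bytes, and drop the status-only 16ms keepalives. The record layout follows the kernel's usbmon documentation for the "1u" stream; the sample lines, the device addresses and the shell prompt bytes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# usbmon text record: <tag> <timestamp> <event> <Type+Dir:bus:dev:ep> <status> <length> <data tag> [data words]
ADDR_RE = re.compile(r"^([BCIZ])([io]):(\d+):(\d+):(\d+)$")
FTDI_STATUS_LEN = 2  # every FTDI bulk-IN packet starts with two modem/line-status bytes
@dataclass
class Urb:
    event: str      # 'S' submission, 'C' callback (completion), 'E' error
    xfer: str       # 'B' bulk, 'C' control, 'I' interrupt, 'Z' isochronous
    direction: str  # 'i' device->host, 'o' host->device
    device: int     # device address on the bus (18 for the arduino in the post)
    data: bytes     # payload words present in the record (usbmon may truncate long URBs)

def parse_usbmon_line(line: str) -> Optional[Urb]:
    f = line.split()
    m = ADDR_RE.match(f[3]) if len(f) >= 7 else None
    if not m:
        return None
    # '=' means data words follow; '<' or '>' means the payload was not captured
    data = bytes.fromhex("".join(f[7:])) if f[6] == "=" else b""
    return Urb(f[2], m.group(1), m.group(2), int(m.group(4)), data)

def ftdi_serial_from_usbmon(text: str, device: int) -> bytes:
    out = bytearray()
    for line in text.splitlines():
        urb = parse_usbmon_line(line)
        if urb is None or urb.device != device:
            continue
        # only completed bulk-IN URBs carry data from the chip to the host
        if (urb.event, urb.xfer, urb.direction) != ("C", "B", "i"):
            continue
        body = urb.data[FTDI_STATUS_LEN:]
        if body:  # a 2-byte record is the 16 ms status keepalive: nothing to show
            out += body
    return bytes(out)

# Constructed sample in usbmon '1u' format: bus 1, arduino (FTDI) at device 18, a HID at device 3
SAMPLE = """\
ffff88003e9d4c80 1301902000000 S Bi:1:018:1 -115 64 <
ffff88003e9d4c80 1301902016000 C Bi:1:018:1 0 2 = 3160
ffff88003e9d4d40 1301902016100 C Ii:1:003:1 0:2048 4 = 00010000
ffff88003e9d4c80 1301902032000 C Bi:1:018:1 0 8 = 31606172 73683e20
ffff88003e9d4e00 1301902040000 S Bo:1:018:2 -115 3 = 6c7320
ffff88003e9d4c80 1301902048000 C Bi:1:018:1 0 2 = 3160
ffff88003e9d4c80 1301902064000 C Bi:1:018:1 0 5 = 31606f6b 0a
"""
if __name__ == "__main__":
    print(ftdi_serial_from_usbmon(SAMPLE, 18).decode("ascii", "replace"))
```

The same approach works on a live `cat /sys/kernel/debug/usbmon/1u` stream, since each record is one line.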

You need relatively recent versions of libpcap, tcpdump and wireshark for this. I compiled all three of these out of their respective repositories (easy compile all). On my ubuntu system, the libpcap version was particularly old. Tcpdump doesn’t have a pretty-printer for USB data yet, so you can only dump to a capture file for processing by wireshark.


About 'Anu': My name is 'Anu', also known as 'ANU 007 TIGER'. I'm the administrator of the 'PC Tips by Anu' blog. This blog was opened for sharing contents about hacking n cracking.

