Friday, March 9, 2012

Capturing USB data through Wireshark

1)Install Wireshark through Update Manager.

2)Enable usbmon through below commands

#mount -t debugfs none_debugs /sys/kernel/debug
 
#modprobe usbmon
 
#ls /sys/kernel/debug/usb/usbmon
0s  0u  1s  1t  1u  2s  2t  2u  3s  3t  3u  4s  4t  4u 


3)Check the USB devices through tshark
#sudo tshark -D

E.g:
#sudo tshark -D
tshark: Lua: Error during loading:
 [string "/usr/share/wireshark/init.lua"]:45: dofile has been disabled
1. eth0
2. wlan0
3. usbmon1 (USB bus number 1)
4. usbmon2 (USB bus number 2)
5. usbmon3 (USB bus number 3)
6. usbmon4 (USB bus number 4)
7. any (Pseudo-device that captures on all interfaces)
8. lo

4)List of de-vices connected can be seen through the command
#usb-devices

5)
If the device is connected to usb2,then to capture through wireshark command has below:

#sudo tshark -i usbmon2 -w 1.pcap

Open the capture file through Wireshark GUI.

No comments:

Post a Comment