# Observing USB packets on Linux

## 1. Work with [usbmon](https://www.kernel.org/doc/Documentation/usb/usbmon.txt)

### 1.1 Preparing

Mount debugfs (many distributions already mount it at boot; `mount | grep debugfs` tells you):

```
sudo mount -t debugfs none /sys/kernel/debug
```

Load the usbmon module:

```
sudo modprobe usbmon
```

Afterwards `/sys/kernel/debug/usb/usbmon/` contains one `<bus>u` text interface per bus (`1u`, `2u`, ...) plus `0u`, which carries every bus. Prefer the per-bus file when a chatty device (a mouse, for instance) is on another bus, or its traffic will drown out the one you want.

### 1.2 Observing

Find the bus and device number of the device to trace:

```
lsusb
```

```shell=
jl81@jl81-desktop:~$ lsusb
Bus 002 Device 004: ID 8564:4000 Transcend Information, Inc. RDF8
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 008: ID 04d9:0201 Holtek Semiconductor, Inc.
Bus 001 Device 007: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 006: ID 0b95:6804 ASIX Electronics Corp.
Bus 001 Device 030: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 003: ID 1a40:0101 Terminus Technology Inc. Hub
Bus 001 Device 018: ID 0bda:0153 Realtek Semiconductor Corp. Mass Storage Device
Bus 001 Device 004: ID 8087:0aa7 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
```

Suppose we want to trace the Transcend flash drive, `Bus 002 Device 004`. usbmon addresses each URB as `<bus>:<device>:<endpoint>`, so its traffic appears as `2:004:<ep>`. Note that `004` is the device address assigned during enumeration, not a physical port number; it changes when the device is re-plugged. Read the text interface of bus 2 and keep only that device:

```
sudo cat /sys/kernel/debug/usb/usbmon/2u | grep 2:004
```

```shell=
jl81@jl81-desktop:~$ sudo cat /sys/kernel/debug/usb/usbmon/2u | grep 2:004
ffff92ea7028fb40 2452226664 S Bo:2:004:2 -115 31 = 55534243 29010000 00000000 00000600 00000000 00000000 00000000 000000
ffff92ea7028fb40 2452226733 C Bo:2:004:2 0 31 >
ffff92ea7028fb40 2452226988 S Bi:2:004:1 -115 13 <
ffff92ea7028fb40 2452227033 C Bi:2:004:1 0 13 = 55534253 29010000 00000000 00
ffff92ea3f1a9c00 2452613335 S Co:2:004:0 s 00 01 0030 0000 0000 0
ffff92ea3f1a9c00 2452613735 C Co:2:004:0 0 0
ffff92ea3f1a9c00 2452613773 S Co:2:004:0 s 00 01 0031 0000 0000 0
ffff92ea3f1a9c00 2452614012 C Co:2:004:0 0 0
ffff92ea19fc4d80 2452758640 S Ci:2:004:0 s 80 06 0100 0000 0008 8 <
ffff92ea19fc4d80 2452758894 C Ci:2:004:0 0 8 = 12010003 00000009
ffff92ea19fc4d80 2452759002 S Co:2:004:0 s 00 31 0028 0000 0000 0
ffff92ea19fc4d80 2452759306 C Co:2:004:0 0 0
ffff92e9f594b0c0 2452759352 S Ci:2:004:0 s 80 06 0100 0000 0012 18 <
ffff92e9f594b0c0 2452759746 C Ci:2:004:0 0 18 = 12010003 00000009 64850040 37000304 0501
ffff92e9f594b0c0 2452759794 S Ci:2:004:0 s 80 06 0f00 0000 0005 5 <
ffff92e9f594b0c0 2452760112 C Ci:2:004:0 0 5 = 050f1600 02
ffff92e9f594b0c0 2452760157 S Ci:2:004:0 s 80 06 0f00 0000 0016 22 <
ffff92e9f594b0c0 2452760484 C Ci:2:004:0 0 22 = 050f1600 02071002 02000000 0a100300 0e00010a ff07
ffff92e9f594b0c0 2452760523 S Ci:2:004:0 s 80 06 0200 0000 002c 44 <
ffff92e9f594b0c0 2452761059 C Ci:2:004:0 0 44 = 09022c00 01010080 70090400 00020806 50000705 81020004 00063004 00000007
ffff92e9f594b0c0 2452761099 S Ci:2:004:0 s 80 06 0305 0409 00ff 255 <
ffff92e9f594b0c0 2452761481 C Ci:2:004:0 0 26 = 1a033000 30003000 30003000 30003000 30003000 30003300 3900
ffff92e9f594b0c0 2452761961 S Co:2:004:0 s 00 09 0001 0000 0000 0
ffff92e9f594b0c0 2452762205 C Co:2:004:0 0 0
ffff92ea19fc43c0 2452762260 S Co:2:004:0 s 00 30 0000 0000 0006 6 = 0a0aff07 ff07
ffff92ea19fc43c0 2452762747 C Co:2:004:0 0 6 >
ffff92ea19fc43c0 2452762914 S Co:2:004:0 s 00 03 0030 0000 0000 0
ffff92ea19fc43c0 2452763272 C Co:2:004:0 0 0
ffff92ea3f1a9a80 2452763315 S Co:2:004:0 s 00 30 0000 0000 0006 6 = 0a0aff07 ff07
ffff92ea3f1a9a80 2452763525 C Co:2:004:0 0 6 >
ffff92ea3f1a9a80 2452763714 S Co:2:004:0 s 00 03 0031 0000 0000 0
ffff92ea3f1a9a80 2452763990 C Co:2:004:0 0 0
ffff92ea7028fb40 2454242694 S Bo:2:004:2 -115 31 = 55534243 2a010000 00000000 00000600 00000000 00000000 00000000 000000
ffff92ea7028fb40 2454242783 C Bo:2:004:2 0 31 >
```

Each line has the same columns:

- URB tag: the kernel address of the URB. The `S` and `C` lines of one transfer share it, which is how you pair a request with its reply.
- Timestamp in microseconds.
- Event type: `S` submission, `C` callback (completion), `E` submission error.
- Address word `<Type><dir>:<bus>:<device>:<endpoint>`, where `<dir>` is `i` (device to host) or `o` (host to device); the types are listed below.
- Status word: `-115` is `-EINPROGRESS` on submissions and `0` is success on callbacks (for interrupt and isochronous URBs the interval and start frame are appended after colons). On a control submission this column is the letter `s` and the eight setup bytes follow as `bmRequestType bRequest wValue wIndex wLength`.
- Data length, then a data tag: `=` means the hex data words follow; `<` marks an IN transfer whose data is not available yet (it comes on the `C` line) and `>` an OUT transfer whose data was already printed on the `S` line. Nothing is printed after a length of 0.

The bytes are shown as the device sends them, little-endian. So `80 06 0100 0000 0012` is a standard device-to-host GET_DESCRIPTOR (bRequest 0x06) for the device descriptor (wValue high byte 0x01), and its 18-byte reply `12010003 00000009 64850040 37000304 0501` carries bcdUSB 0x0300, idVendor 0x8564 and idProduct 0x4000: the Transcend drive from the `lsusb` listing. The bulk-out payloads starting `55534243` (`USBC`) are USB Mass Storage Command Block Wrappers, here six-byte SCSI commands with opcode 0x00 (TEST UNIT READY), and the bulk-in replies starting `55534253` (`USBS`) are the matching Command Status Wrappers with status 0x00.

Transfer types (first letter of the address word):

| Type | Description |
| -------- | -------- |
| Bi/Bo | Bulk in / Bulk out |
| Ci/Co | Control in / Control out |
| Ii/Io | Interrupt in / Interrupt out |
| Zi/Zo | Isochronous in / Isochronous out |

---

## 2. Work with Wireshark

### 2.1 Download and install

Wireshark is a cross-platform protocol analyzer. Through the usbmon interfaces it captures the same URBs shown above and dissects them (setup packets, descriptors, Mass Storage wrappers) in a graphical interface instead of raw hex words.
Download Wireshark from its website, choosing the build for your OS and architecture: https://www.wireshark.org/download.html

Or install it from your distribution's repository (`apt` on Debian/Ubuntu, `yum` or `dnf` on Red Hat/CentOS/Fedora):

```
sudo apt install wireshark
sudo yum install wireshark
```

### 2.2 Usage

The usbmon interfaces need the same preparation as in section 1.1 (debugfs mounted, `usbmon` loaded). The quickest way to capture on them is to run Wireshark as root:

```
sudo wireshark
```

That is fine for a one-off trace but not recommended as a habit: Wireshark's dissectors parse untrusted, device-supplied bytes, and this runs the whole GUI privileged. The project's preferred setup gives only the capture helper `dumpcap` the needed privileges and runs the GUI as your own user. On Debian/Ubuntu, run `sudo dpkg-reconfigure wireshark-common`, answer yes to letting non-superusers capture, add yourself to the `wireshark` group and log in again. The usbmon device nodes (`/dev/usbmon0`, `/dev/usbmon1`, ...) are root-only by default, so also grant yourself read access, for example `sudo setfacl -m u:$USER:r /dev/usbmon*` (this does not survive a reboot; a udev rule is the persistent alternative).

Select the `usbmon2` interface to capture bus 2, the same bus as `2u` above; `usbmon0` captures every bus.

![](https://i.imgur.com/45SDXvt.png)

Use a display filter to hide or show specific devices, transfer types or requests. Wireshark dissects the same URBs that usbmon printed, so the fields correspond to the text columns: `usb.bus_id == 2 && usb.device_address == 4` keeps only the Transcend drive, and `usb.transfer_type == 0x02` shows control transfers only (0x00 isochronous, 0x01 interrupt, 0x03 bulk).

![](https://i.imgur.com/4CEAZbY.png)
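The usbmon text lines from section 1.2 can also be decoded without Wireshark, which is handy on a headless box or when a capture has been saved with `cat ... > trace.txt`. The following is an added example written for this article, not code from the page or from the kernel's usbmon tooling: a parser for the `u` format that pairs each submission with its callback by URB tag, decodes control setup packets (naming the standard requests and descriptor types), reads device and string descriptors, and recognises Mass Storage CBW/CSW wrappers on bulk endpoints. `SAMPLE_LINES` is a subset of the capture shown above; the function names and the lookup tables are this example's own.

```python
"""Decode usbmon 'u'-format text lines (format: Documentation/usb/usbmon.txt).
Added example for this article, not code from the page or the kernel's usbmon tooling.
SAMPLE_LINES is a subset of the section 1.2 capture; function names and tables are ours."""
import re
import struct
from typing import Optional

STD_REQUESTS = {0x00: "GET_STATUS", 0x01: "CLEAR_FEATURE", 0x03: "SET_FEATURE",
                0x05: "SET_ADDRESS", 0x06: "GET_DESCRIPTOR", 0x09: "SET_CONFIGURATION",
                0x30: "SET_SEL", 0x31: "SET_ISOCH_DELAY"}
DESCRIPTOR_TYPES = {1: "DEVICE", 2: "CONFIGURATION", 3: "STRING", 4: "INTERFACE",
                    5: "ENDPOINT", 0x0F: "BOS"}
XFER = {"B": "bulk", "C": "control", "I": "interrupt", "Z": "isochronous"}
ADDR_RE = re.compile(r"^([BCIZ])([io]):(\d+):(\d+):(\d+)$")  # <Type><dir>:<bus>:<dev>:<ep>


def decode_setup(words) -> dict:
    """Decode the setup packet usbmon prints as 'bmRequestType bRequest wValue wIndex wLength'."""
    bm, breq, wval, widx, wlen = (int(w, 16) for w in words)
    d = {"bmRequestType": bm, "bRequest": breq, "wValue": wval, "wIndex": widx, "wLength": wlen}
    if (bm & 0x60) == 0:                            # bits 6..5 == 0: standard request
        d["request"] = STD_REQUESTS.get(breq, f"STD_{breq:#04x}")
        if breq == 0x06:                             # GET_DESCRIPTOR: type in high byte, index low
            d["descriptor"] = DESCRIPTOR_TYPES.get(wval >> 8, f"TYPE_{wval >> 8:#04x}")
            d["index"] = wval & 0xFF
    else:
        d["request"] = "class" if (bm & 0x60) == 0x20 else "vendor"
    return d


def parse_line(line: str) -> dict:
    """One usbmon line: tag, timestamp(us), event S/C/E, address, status|setup, length, data."""
    t = line.split()
    m = ADDR_RE.match(t[3])
    if m is None:
        raise ValueError(f"bad address word {t[3]!r}")
    xfer, direction, bus, dev, ep = m.groups()
    pos, setup, status = 4, None, None
    if t[pos] == "s":                                # control submission: setup packet follows
        setup, pos = decode_setup(t[pos + 1:pos + 6]), pos + 6
    else:                                            # "-115:8" on interrupt/isoc: keep the status only
        status, pos = int(t[pos].split(":")[0]), pos + 1
    length, pos = int(t[pos]), pos + 1
    # Hex words follow only a '=' tag; '<' and '>' mean the data is on the other line of the pair.
    data = bytes.fromhex("".join(t[pos + 1:])) if pos < len(t) and t[pos] == "=" else b""
    return {"tag": t[0], "timestamp_us": int(t[1]), "event": t[2], "xfer": XFER[xfer],
            "dir": direction, "bus": int(bus), "device": int(dev), "endpoint": int(ep),
            "status": status, "length": length, "setup": setup, "data": data}


def decode_device_descriptor(d: bytes) -> dict:
    f = struct.unpack("<BBHBBBBHHHBBBB", d[:18])      # little-endian, as on the wire
    return {"bcdUSB": f[2], "bMaxPacketSize0": f[6], "idVendor": f[7], "idProduct": f[8],
            "bcdDevice": f[9], "bNumConfigurations": f[13]}


def decode_bulk(d: bytes) -> Optional[dict]:
    """Recognise USB Mass Storage (Bulk-Only Transport) command/status wrappers."""
    if len(d) == 31 and d[:4] == b"USBC":
        _, tag, xfer_len, _flags, lun, cb_len = struct.unpack("<IIIBBB", d[:15])
        return {"kind": "CBW", "tag": tag, "data_len": xfer_len, "lun": lun & 0x0F,
                "scsi_opcode": d[15], "cb": d[15:15 + cb_len]}
    if len(d) == 13 and d[:4] == b"USBS":
        _, tag, residue, status = struct.unpack("<IIIB", d)
        return {"kind": "CSW", "tag": tag, "residue": residue, "status": status}
    return None


def decode_transactions(lines) -> list:
    """Pair S and C lines by URB tag and decode what each completed transfer carried."""
    pending, out = {}, []
    for u in map(parse_line, lines):
        if u["event"] == "S":
            pending[u["tag"]] = u
            continue
        s = pending.pop(u["tag"], None)
        setup = s["setup"] if s else None
        rec = {"addr": f'{u["bus"]}:{u["device"]:03d}:{u["endpoint"]}', "xfer": u["xfer"],
               "dir": u["dir"], "status": u["status"], "setup": setup, "decoded": None}
        if setup and setup.get("request") == "GET_DESCRIPTOR":
            if setup["descriptor"] == "DEVICE" and len(u["data"]) >= 18:   # skip 8-byte partial reads
                rec["decoded"] = decode_device_descriptor(u["data"])
            elif setup["descriptor"] == "STRING" and setup["index"] and u["data"]:
                rec["decoded"] = u["data"][2:u["data"][0]].decode("utf-16-le")  # index 0 = LANGIDs
        elif u["xfer"] == "bulk":                    # OUT data is on the S line, IN data on the C line
            rec["decoded"] = decode_bulk(u["data"] or (s["data"] if s else b""))
        out.append(rec)
    return out


# Copied from the section 1.2 capture of the Transcend drive (bus 2, device 4).
SAMPLE_LINES = """\
ffff92ea7028fb40 2452226664 S Bo:2:004:2 -115 31 = 55534243 29010000 00000000 00000600 00000000 00000000 00000000 000000
ffff92ea7028fb40 2452226733 C Bo:2:004:2 0 31 >
ffff92ea7028fb40 2452226988 S Bi:2:004:1 -115 13 <
ffff92ea7028fb40 2452227033 C Bi:2:004:1 0 13 = 55534253 29010000 00000000 00
ffff92ea19fc4d80 2452758640 S Ci:2:004:0 s 80 06 0100 0000 0008 8 <
ffff92ea19fc4d80 2452758894 C Ci:2:004:0 0 8 = 12010003 00000009
ffff92e9f594b0c0 2452759352 S Ci:2:004:0 s 80 06 0100 0000 0012 18 <
ffff92e9f594b0c0 2452759746 C Ci:2:004:0 0 18 = 12010003 00000009 64850040 37000304 0501
ffff92e9f594b0c0 2452761099 S Ci:2:004:0 s 80 06 0305 0409 00ff 255 <
ffff92e9f594b0c0 2452761481 C Ci:2:004:0 0 26 = 1a033000 30003000 30003000 30003000 30003000 30003300 3900
ffff92e9f594b0c0 2452761961 S Co:2:004:0 s 00 09 0001 0000 0000 0
ffff92e9f594b0c0 2452762205 C Co:2:004:0 0 0
""".splitlines()
```

Call `decode_transactions(SAMPLE_LINES)` (or pass `open("trace.txt")` after filtering with `grep 2:004`) and each completed transfer comes back with its address, the decoded setup packet and, where the payload is understood, the decoded content: the first pair is a CBW carrying SCSI opcode 0x00 with tag 0x129, the second its CSW with status 0, the 18-byte device descriptor yields idVendor 0x8564 / idProduct 0x4000, and string descriptor 5 is the serial number `000000000039`. The 8-byte device-descriptor read is deliberately left undecoded, because the host only asked for the first 8 bytes to learn `bMaxPacketSize0`.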