# Trace USB By Wireshark
## 1. Preparing
### 1.1 Download and install Wireshark
Download Wireshark from its website, choosing the build that matches your OS version and architecture:
https://www.wireshark.org/download.html
You can also install it with apt or yum from the Debian or Red Hat repositories:
```
sudo apt install wireshark
sudo yum install wireshark
```
### 1.2 Install usbmon module
Mount debugfs
```
sudo mount -t debugfs none /sys/kernel/debug
```
Load the usbmon module
```
sudo modprobe usbmon
```
## 2. Work with Wireshark
### 2.1 Get the USB hierarchy

Suppose our device is bus 1, dev 23, and its port is bus 1 port 1. These are the ports we want to observe.
### 2.2 Open Wireshark
Run Wireshark with superuser permission
```
sudo wireshark
```
### 2.3 Select usbmon0

### 2.4 Set filter
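Then we can set a display filter on fields such as usb.src and usb.dst to filter out what we don't need. Each packet has a single source and a single destination, so the clauses are joined with `||` (with `&&` between them no packet could ever match). The filter will look like the following:
```
(usb.src == "1.23.1") || (usb.dst == "1.23.1") || (usb.src == "1.23.2") || (usb.dst == "1.23.2") || (usb.src == "1.1.0") || (usb.dst == "1.1.0")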
```

(The source and destination addresses have the form *bus.port.endpoint*. For example, 1.23.1 and 1.23.2 are different endpoints on the same device.)
Then we can see the transaction information between the host and the devices.
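
The same per-device selection can be done without Wireshark on the text trace that usbmon exposes under the debugfs mount from 1.2. The following is an added example, not part of the original page: the names `parse_line` and `select` are hypothetical, the sample lines are constructed, and the field layout assumed is the "u" text format described in the kernel's usbmon documentation.

```python
import re
from typing import Iterable, Iterator, NamedTuple, Optional, Set, Tuple

# usbmon "u" text line: URB tag, timestamp (us), event, address word, remainder.
# Address word = transfer type + direction, then bus:device:endpoint.
LINE_RE = re.compile(
    r"^(?P<tag>[0-9a-f]+) (?P<ts>\d+) (?P<event>[SCE]) "
    r"(?P<xfer>[CZIB])(?P<dir>[io]):(?P<bus>\d+):(?P<dev>\d+):(?P<ep>\d+) (?P<rest>.*)$"
)
XFER = {"C": "control", "Z": "isochronous", "I": "interrupt", "B": "bulk"}

class UsbEvent(NamedTuple):
    timestamp_us: int
    event: str       # S = submission, C = callback, E = submission error
    transfer: str
    direction: str   # "in" or "out"
    bus: int
    dev: int
    endpoint: int
    rest: str        # status / setup packet / length / data words, unparsed

def parse_line(line: str) -> Optional[UsbEvent]:
    """Parse one usbmon text line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return UsbEvent(int(m["ts"]), m["event"], XFER[m["xfer"]],
                    "in" if m["dir"] == "i" else "out",
                    int(m["bus"]), int(m["dev"]), int(m["ep"]), m["rest"])

def select(lines: Iterable[str], wanted: Set[Tuple[int, int]]) -> Iterator[UsbEvent]:
    """Yield only events whose (bus, dev) pair is in `wanted`."""
    for line in lines:
        ev = parse_line(line)
        if ev is not None and (ev.bus, ev.dev) in wanted:
            yield ev

# Constructed sample trace (not captured from a real device).
SAMPLE = """\
d5ea89a0 3575914555 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
d5ea8a20 3575920100 S Ci:1:023:0 s 80 06 0100 0000 0012 18 <
d5ea8a20 3575920310 C Ci:1:023:0 0 18 = 12010002 00000040 34127856 00010102 0301
d5ea8b40 3575921000 S Ii:1:004:1 -115:8 8 <
d5ea8c60 3575922500 S Bi:1:023:1 -115 64 <
d5ea8c60 3575922900 C Bi:1:023:1 0 13 = 55534253 01000000 00000000 00
"""

if __name__ == "__main__":
    for ev in select(SAMPLE.splitlines(), {(1, 23)}):
        print(ev.timestamp_us, ev.event, ev.transfer, ev.direction, ev.endpoint, ev.rest)
```

On a live system, pass the lines of `/sys/kernel/debug/usb/usbmon/1u` (bus 1, readable by root) to `select` instead of `SAMPLE`.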