November 30, 2023

Let's learn USB! -- using Wireshark - part 2

We learned some wireshark basics already, but let's review. At this point, for me, this is easy so far. What is not so easy is a display filter. See below for that.

Display filters

Don't forget, there are also capture filters (with their own syntax). We are simply ignoring those for now.

Let's say you start a wireshark capture, boot up your USB gadget so you capture the enumeration traffic, then stop the capture. In my case I see vast amounts of traffic talking to the hub. Maybe a different port on my computer? I switch to a port on the front of my computer. Looking at /var/log/messages, I see this is usbmon2 rather than usbmon4. This does help a lot, but we still have interest in display filters.

It is important to understand that usb.dst is a string, as is usb.src. So you can do exact matches like:

usb.dst == "2.1.0"
And you can have expressions like:
usb.dst == "2.1.0" or usb.src == "2.1.0"
But, as near as I can tell usb.addr is source or destination, so you could just do this:
usb.addr == "2.1.0"
Given that usb.addr is a string, you are allowed to use "slices" as in:
usb.addr[0:2] == "2.1"
Or you can select a single character via:
usb.addr[2] == "1"
You can even use regular expressions:
usb.addr matches "^1\.[5-9][0-9]\."

Take a look at this for a list of all the usb.* stuff available.

For example, you have usb.idVendor and usb.idProduct.
There is also usb.device_address. I'm not sure if and how this differs from usb.addr.
Feedback? Questions? Drop me a line!

Tom's Computer Info / [email protected]