Wireshark-users: Re: [Wireshark-users] "capture raw USB traffic" functionality not working?
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 25 Sep 2007 16:06:17 -0700

On Sep 25, 2007, at 3:43 PM, Joshua Pollack wrote:

> (Apologies if this is received twice, I don't think I was on the list
> before sending the first time.)
>
> Hi,
>
> I'm interested in using Wireshark to capture raw USB traffic, but I
> can't seem to get this feature to work.  Has anyone on this list ever
> managed to do this before?
>
> The page on the wiki
> http://wiki.wireshark.org/CaptureSetup/USB
>
> says that to use this, you must load the usbmon kernel module, which
> lets you get access to the data via debugfs, and also mount debugfs at
> /sys/kernel/debug.

It *also* says

The latest libpcap CVS (post 0.9.5) is required for capturing raw USB traffic.

I've updated it to make it a bit clearer:

The latest libpcap CVS (not an 0.9.x release or earlier release) is required for capturing raw USB traffic.

No libpcap releases so far have included the USB capture code, so no Linux distribution is likely to be offering it as its standard libpcap.

(A release containing the USB capture support will probably come out in the not-too-distant future; I can't say when that'll be, though. I also can't say when any Linux distributions will pick that release up.)