Wireshark-users: [Wireshark-users] USB filters and format ?
From: Smilen Dimitrov <sd@xxxxxxxxxx>
Date: Thu, 08 Apr 2010 00:18:49 +0200
Hi all,
I want to use wireshark (or tshark) to inspect USB traffic; and after some problems with libpcap, I think I am getting USB data correctly now.
Where I am confused is how to make input filters; I have seen:
Wireshark · Display Filter Reference: USB - http://www.wireshark.org/docs/dfref/u/usb.html
And those work. However, if I want to filter by frame number, I have to use frame.number, which is in a different "class":
Wireshark · Display Filter Reference: Frame - http://www.wireshark.org/docs/dfref/f/frame.html
Now, in Wireshark GUI there are columns: "No.", "Time", "Source", "Destination", "Protocol" and "Info" ... For all others but "No." (which is, apparently, frame.number), I have no idea what the corresponding filters are for a USB packet!
For example, "Source" for network traffic would be ip.src; but for usb, neither usb.src.endpoint nor usb.dst.endpoint show anything. And I am in particular interested in filtering by source and destination...
If I click over one of those columns in Wireshark, and do, say, "Copy - As Filter", I get:
"Could not acquire information to build a filter! Try expanding or choosing another item."
The only one that works is, in fact, the "No." (with frame.number) column - all others fail as above. It seems as if those fields are not even defined for USB - but then, how can Wireshark render information for those columns (and it does so fine)?
I can also do Statistics/Conversations in Wireshark, and it does seem to sort USB traffic by conversation - but if I again right-click on a conversation and choose "Prepare a filter - Selected - A->B", then I get a statement like:
"usb.sa==2.2 && usb.da==host"
which is strange, as usb.sa and usb.da do not exist in http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed, trying to apply that filter results in:
"Neither 'usb.sa' nor '2.2' are field or protocol names. The following display filter isn't a valid display filter: usb.sa==2.2 && usb.da==host See the help for a description of the display filter syntax."
So, what sort of a filter sentence and fields could I use, to (say) limit packet display to those with Source=2.2 and Destination=host?
A secondary question has to do with the following: I'd like to use tshark to sort of "grep" through a capture file, as in:
tshark -R 'frame.number >= 1789 && frame.number <= 1812' -T fields -e frame.number -e usb.endpoint_number -e usb.request_in -e usb.response_in -e usb.urb_type -e usb.data -e usb.data_flag -e usb.data_len -E separator=, -E header=y -E quote=d -r /path/to/my-capture.pcap
This can result in output like:
"1794","0x81","1783",,"C\x03\x81\x02\x02","01:60:37:30:36:20:36:33:31:20",,"10"
As far as I can see usb.data is defined as Byte array in dfref/u/usb.html; is there a way to format it as a string (replacing '.' for unreadable characters) directly from tshark?
Thanks for any responses, Cheers!
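Added example, not part of the original post: one way to get the string rendering asked about above is to post-process the tshark CSV output, replacing every byte outside printable ASCII with '.', which also keeps control bytes from captured device data out of the terminal. The header line in the sample is constructed on the assumption that `-E header=y` prints the field names unquoted; the function names are hypothetical.

```python
import csv
import re
import sys

# Constructed sample: assumed header line plus the output row quoted in the post.
SAMPLE = (
    'frame.number,usb.endpoint_number,usb.request_in,usb.response_in,'
    'usb.urb_type,usb.data,usb.data_flag,usb.data_len\n'
    '"1794","0x81","1783",,"C\\x03\\x81\\x02\\x02",'
    '"01:60:37:30:36:20:36:33:31:20",,"10"\n'
)

# A byte array as printed in the post's output: two hex digits per byte, ':' between bytes.
HEX_ARRAY = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*")


def hex_to_printable(field):
    """Render 'aa:bb:cc' as text, using '.' for bytes outside 0x20..0x7e."""
    if not field or not HEX_ARRAY.fullmatch(field):
        return field or ""  # empty or not a byte array: leave unchanged
    raw = bytes.fromhex(field.replace(":", ""))
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in raw)


def render(lines, column="usb.data"):
    """Yield each CSV row as a dict with an added '<column>.ascii' key."""
    for row in csv.DictReader(lines):
        row[column + ".ascii"] = hex_to_printable(row.get(column, ""))
        yield row


if __name__ == "__main__":
    # Pipe tshark output in, or run without input to process the sample.
    src = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for row in render(src):
        print(row["frame.number"], row["usb.data.ascii"], sep="\t")
```

To use it on a real capture, pipe the tshark command from the post into the script on standard input.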