Wireshark-users: Re: [Wireshark-users] USB filters and format ?
From: Smilen Dimitrov <sd@xxxxxxxxxx>
Date: Thu, 08 Apr 2010 02:06:18 +0200
Hi Guy,

Just wanted to say - thanks a million for a very thorough and prompt answer! It cleared out a lot of misunderstandings that I had.

> If so, that's a bug.

Well, maybe it's just problems with my versions:

$ wireshark --version
wireshark 1.0.7
...
Running on Linux 2.6.28-18-generic, with libpcap version 1.1.1.
Built using gcc 4.3.3.

// For "completeness" re: USB filters, I'd just like to add this quote:

Bug 3324 – Patch packet.usb.c: fixed is_request and reverse direction of URB_INTERRUPT
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3324

"for example if we would like filter packet for:
- show only submit/complete (request/response) that may have originated data inbound, we could add this filter in wireshark: usb.endpoint_number >= 0x80
- show only submit/complete (request/response) that may have originated data outbound, we could add this filter in wireshark: usb.endpoint_number < 0x80"

(Just as a note, in my case, > 0x80 would limit to conv. between "host" and "2.1"; and < 0x80 would limit to conversation between "host" and "2.2" - while trying to capture ftdi_sio traffic)
Thanks again, Cheers!

On 04/08/2010 12:50 AM, Guy Harris wrote:
> On Apr 7, 2010, at 3:18 PM, Smilen Dimitrov wrote:
>
> > Hi all,
> >
> > I want to use wireshark (or tshark) to inspect USB traffic; and after some problems with libpcap, I think I am getting USB data correctly now.
> >
> > Where I am confused is how to make input filters; I have seen:
> > Wireshark · Display Filter Reference: USB - http://www.wireshark.org/docs/dfref/u/usb.html
> > And those work.. However, if I want to filter by frame number, I have to use frame.number, which is in a different "class":
>
> Yes, just as, for example, if you want to filter by IPv4 address, you'd use ip.src, ip.dst, or ip.addr, whereas if you want to filter by TCP port number, you'd use tcp.srcport, tcp.dstport, or tcp.port, which are in a different "class" from the ip.* field names.
>
> > Now, in Wireshark GUI there are columns: "No.", "Time", "Source", "Destination", "Protocol" and "Info" ... For all others but "No." (which is, apparently, frame.number),
>
> Yes, it is the frame number - for *all* protocols.
>
> > I have no idea what the corresponding filters are for a USB packet!
>
> "time" is the time stamp, which is "frame.time" or, if you want the time as "seconds since January 1, 1970, 00:00:00 UTC", "frame.epoch_time", at least in newer versions of Wireshark. That's the case for *all* protocols.
>
> > For example, "Source" for network traffic would be ip.src; but for usb, neither usb.src.endpoint nor usb.dst.endpoint show anything. And I am in particular interested in filtering by source and destination...
>
> Unfortunately, there are no fields corresponding directly to source and destination. There are fields "usb.endpoint_number", "usb.device_address", and "usb.bus_id". For packets with an event type ("usb.urb_type") of "URB_SUBMIT ('S')", there is no source address, and the destination address is made from the device address and endpoint number; for all other packets, there is no destination address, and the source address is made from the device address and endpoint number.
>
> There are also source and destination *port* columns that you can display; for URB_SUBMIT packets, there is no source port and the destination port is the endpoint number, and, for all other packets, there is no destination port and the source port is the endpoint number. (No, I don't know why the address includes the endpoint, if the endpoint is also treated as a port.)
>
> > If I click over one of those columns in Wireshark, and do, say, "Copy - As Filter", I get: "Could not acquire information to build a filter! Try expanding or choosing another item." The only one that works, is in fact "No." (with frame.number) column - all others fail as above. It seems as if those fields are not even defined for USB - but then, how can Wireshark render information for those columns (and it does so fine?)
>
> For the "Source" and "Destination" columns, see above. For the "Time" column, see above - and note that if it doesn't work for USB, it won't work for *anything*; that field, and the way it's processed, is not USB-specific. For the "Protocol" and "Info" columns, there are no corresponding fields for *any* protocol.
>
> > I can also do Statistics/Conversations in Wireshark, and it does seem to sort USB traffic by conversation - but if I again right-click on a conversation and choose "Prepare a filter - Selected - A->B", then I get a statement like: "usb.sa==2.2&& usb.da==host" which is strange, as usb.sa and usb.da do not exist in http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed, trying to apply that filter results with: "Neither 'usb.sa' nor '2.2' are field or protocol names. The following display filter isn't a valid display filter: usb.sa==2.2&& usb.da==host See the help for a description of the display filter syntax."
>
> If so, that's a bug.
>
> > So, what sort of a filter sentence and fields could I use, to (say) limit packet display to those with Source=2.2 and Destination=host?
>
> usb.device_address == 2 and usb.endpoint_number == 2
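The mapping Guy describes in the quoted reply (the "Source" and "Destination" columns derived from usb.device_address, usb.endpoint_number and usb.urb_type) and the display filters quoted in this thread, as an added Python example that is not part of the original post or of Wireshark: it builds a constructed four-frame capture, derives the two columns the way the reply describes, and evaluates the quoted filters against it. The packet fields, the masking of the 0x80 direction bit when the address is rendered (consistent with endpoint 0x81 showing up as "2.1" above), and the `usb.urb_type != 'S'` literal syntax are assumptions of this example.

```python
# Added example (not from the thread): a constructed model of how the
# "Source"/"Destination" columns are derived from USB fields, as Guy Harris
# describes, and of the display filters quoted in the thread.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class UsbPacket:
    frame_number: int      # frame.number
    bus_id: int            # usb.bus_id
    device_address: int    # usb.device_address
    endpoint_number: int   # usb.endpoint_number: raw endpoint byte; bit 0x80 set = inbound (device-to-host)
    urb_type: str          # usb.urb_type: 'S' = URB_SUBMIT, 'C' = URB_COMPLETE


def columns(p: UsbPacket) -> Tuple[str, str]:
    """Derive (Source, Destination) the way the reply describes:
    URB_SUBMIT has no source and its destination is device.endpoint;
    every other packet has no destination and its source is device.endpoint.
    ASSUMPTION: the column shows the endpoint without its direction bit,
    which matches the "2.1" seen for an inbound endpoint in the thread."""
    addr = f"{p.device_address}.{p.endpoint_number & 0x7F}"
    if p.urb_type == 'S':
        return ("host", addr)
    return (addr, "host")


# Display filters from the thread, written as Python predicates over the fields.
# The last entry adds a urb_type clause; the 'S' literal syntax is an assumption.
FILTERS: Dict[str, Callable[[UsbPacket], bool]] = {
    "usb.endpoint_number >= 0x80": lambda p: p.endpoint_number >= 0x80,
    "usb.endpoint_number < 0x80": lambda p: p.endpoint_number < 0x80,
    "usb.device_address == 2 and usb.endpoint_number == 2":
        lambda p: p.device_address == 2 and p.endpoint_number == 2,
    "usb.device_address == 2 and usb.endpoint_number == 2 and usb.urb_type != 'S'":
        lambda p: p.device_address == 2 and p.endpoint_number == 2 and p.urb_type != 'S',
}


def apply_filter(packets: List[UsbPacket], expr: str) -> List[int]:
    """Frame numbers that the given display filter would keep."""
    return [p.frame_number for p in packets if FILTERS[expr](p)]


def conversation(packets: List[UsbPacket], src: str, dst: str) -> List[int]:
    """Frame numbers whose derived columns equal the A->B pair that the
    Conversations dialog tried (and failed) to express as usb.sa/usb.da."""
    return [p.frame_number for p in packets if columns(p) == (src, dst)]


# Constructed sample capture: one OUT and one IN transfer on device 2, bus 2.
SAMPLE = [
    UsbPacket(1, 2, 2, 0x02, 'S'),  # host -> 2.2 (OUT submit)
    UsbPacket(2, 2, 2, 0x02, 'C'),  # 2.2 -> host (OUT complete)
    UsbPacket(3, 2, 2, 0x81, 'S'),  # host -> 2.1 (IN submit)
    UsbPacket(4, 2, 2, 0x81, 'C'),  # 2.1 -> host (IN complete)
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.frame_number, *columns(p))
    for expr in FILTERS:
        print(f"{expr!r:80} -> frames {apply_filter(SAMPLE, expr)}")
    print("Source=2.2, Destination=host ->", conversation(SAMPLE, "2.2", "host"))
```

Run against the sample, the two endpoint_number comparisons split the capture by direction bit exactly as the Bug 3324 comment says. The `usb.device_address == 2 and usb.endpoint_number == 2` filter keeps both frames of the OUT transfer, because on the URB_SUBMIT frame those same two fields form the destination rather than the source; only the variant with the urb_type clause reduces to the single frame whose columns read Source=2.2, Destination=host.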