Wireshark-users: Re: [Wireshark-users] USB filters and format ?
From: Smilen Dimitrov <sd@xxxxxxxxxx>
Date: Thu, 08 Apr 2010 02:06:18 +0200

Hi Guy,

Just wanted to say - thanks a million for a very thorough and prompt answer! It cleared out a lot of misunderstandings that I had.


>
> If so, that's a bug.
>

Well, maybe it's just problems with my versions:

$ wireshark --version
wireshark 1.0.7
...
Running on Linux 2.6.28-18-generic, with libpcap version 1.1.1.
Built using gcc 4.3.3.


//

For "completeness" re: USB filters, I'd just like to add this quote:

Bug 3324 – Patch packet.usb.c: fixed is_request and reverse direction of URB_INTERRUPT
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3324

"for example if we would like filter packet for:

- show only submit/complete (request/response) that may have originated data inbound, we could add this filter in wireshark: usb.endpoint_number >= 0x80

- show only submit/complete (request/response) that may have originated data outbound, we could add this filter in wireshark: usb.endpoint_number < 0x80"

(Just as a note, in my case, > 0x80 would limit to conv. between "host" and "2.1"; and < 0x80 would limit to conversation between "host" and "2.2" - while trying to capture ftdi_sio traffic)


Thanks again,
Cheers!





On 04/08/2010 12:50 AM, Guy Harris wrote:

> On Apr 7, 2010, at 3:18 PM, Smilen Dimitrov wrote:
>
> > Hi all,
> >
> > I want to use wireshark (or tshark) to inspect USB traffic; and
> > after some problems with libpcap, I think I am getting USB data
> > correctly now.
> >
> > Where I am confused is how to make input filters; I have seen:
> >
> > Wireshark · Display Filter Reference: USB -
> > http://www.wireshark.org/docs/dfref/u/usb.html
> >
> > And those work. However, if I want to filter by frame number, I
> > have to use frame.number, which is in a different "class":
>
> Yes, just as, for example, if you want to filter by IPv4 address,
> you'd use ip.src, ip.dst, or ip.addr, whereas if you want to filter
> by TCP port number, you'd use tcp.srcport, tcp.dstport, or tcp.port,
> which are in a different "class" from the ip.* field names.
>
> > Now, in the Wireshark GUI there are columns: "No.", "Time", "Source",
> > "Destination", "Protocol" and "Info" ... For all others but "No."
> > (which is, apparently, frame.number),
>
> Yes, it is the frame number - for *all* protocols.
>
> > I have no idea what the corresponding filters are for a USB
> > packet!
>
> "Time" is the time stamp, which is "frame.time" or, if you want the
> time as "seconds since January 1, 1970, 00:00:00 UTC",
> "frame.epoch_time", at least in newer versions of Wireshark.  That's
> the case for *all* protocols.
>
> > For example, "Source" for network traffic would be ip.src; but for
> > usb, neither usb.src.endpoint nor usb.dst.endpoint show anything.
> > And I am in particular interested in filtering by source and
> > destination...
>
> Unfortunately, there are no fields corresponding directly to source
> and destination.  There are fields "usb.endpoint_number",
> "usb.device_address", and "usb.bus_id".
>
> For packets with an event type ("usb.urb_type") of "URB_SUBMIT
> ('S')", there is no source address, and the destination address is
> made from the device address and endpoint number; for all other
> packets, there is no destination address, and the source address is
> made from the device address and endpoint number.  There are also
> source and destination *port* columns that you can display; for
> URB_SUBMIT packets, there is no source port and the destination port
> is the endpoint number, and, for all other packets, there is no
> destination port and the source port is the endpoint number.  (No, I
> don't know why the address includes the endpoint, if the endpoint is
> also treated as a port.)
>
> > If I click over one of those columns in Wireshark, and do, say,
> > "Copy - As Filter", I get: "Could not acquire information to build
> > a filter! Try expanding or choosing another item."
> >
> > The only one that works is, in fact, the "No." (with frame.number)
> > column - all others fail as above. It seems as if those fields are
> > not even defined for USB - but then, how can Wireshark render
> > information for those columns (and it does so fine?)
>
> For the "Source" and "Destination" columns, see above.
>
> For the "Time" column, see above - and note that if it doesn't work
> for USB, it won't work for *anything*; that field, and the way it's
> processed, is not USB-specific.
>
> For the "Protocol" and "Info" columns, there are no corresponding
> fields for *any* protocol.
>
> > I can also do Statistics/Conversations in Wireshark, and it does
> > seem to sort USB traffic by conversation - but if I again
> > right-click on a conversation and choose "Prepare a filter -
> > Selected - A->B", then I get a statement like:
> >
> > "usb.sa==2.2&&  usb.da==host"
> >
> > which is strange, as usb.sa and usb.da do not exist in
> > http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed,
> > trying to apply that filter results in:
> >
> > "Neither 'usb.sa' nor '2.2' are field or protocol names. The
> > following display filter isn't a valid display filter:
> > usb.sa==2.2&&  usb.da==host See the help for a description of the
> > display filter syntax."
>
> If so, that's a bug.
>
> > So, what sort of a filter sentence and fields could I use, to
> > (say) limit packet display to those with Source=2.2 and
> > Destination=host?
>
> usb.device_address == 2 and usb.endpoint_number == 2
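As an added illustration (not code from the thread or from Wireshark), the following Python models the relation Guy describes between the "Source"/"Destination" columns and the usb.urb_type, usb.device_address and usb.endpoint_number fields, together with the direction rule quoted from bug 3324 and the filter Guy gives, run over constructed packets. Masking the direction bit (0x80) out of the displayed endpoint is an assumption taken from Smilen's note that endpoint 0x81 traffic appears as "2.1".

```python
# Added example, not from the thread or from Wireshark: model the USB
# address columns and the conversation filter discussed above.
# Assumption: the displayed endpoint is the endpoint number with the
# direction bit (0x80) masked off, so 0x81 on device 2 shows as "2.1".

def direction(endpoint_number):
    """Bug 3324 rule: endpoint numbers >= 0x80 may carry data inbound."""
    return "IN" if endpoint_number >= 0x80 else "OUT"

def columns(pkt):
    """(source, destination) as Wireshark renders them for one packet.
    URB_SUBMIT ('S'): no source, destination = device.endpoint.
    Any other urb_type (e.g. 'C', complete): no destination,
    source = device.endpoint.  The absent side is labelled "host",
    as the Conversations window does (usb.da==host)."""
    addr = "%d.%d" % (pkt["usb.device_address"],
                      pkt["usb.endpoint_number"] & 0x7F)  # assumption: bit masked
    if pkt["usb.urb_type"] == "S":
        return ("host", addr)
    return (addr, "host")

def conversation_filter(device_address, endpoint_number):
    """The working filter Guy gives for a host <-> device.endpoint pair."""
    return "usb.device_address == %d and usb.endpoint_number == %d" % (
        device_address, endpoint_number)

def select(packets, device_address, endpoint_number):
    """Apply the semantics of conversation_filter() to a packet list."""
    return [p for p in packets
            if p["usb.device_address"] == device_address
            and p["usb.endpoint_number"] == endpoint_number]

# Constructed capture resembling the ftdi_sio case from the thread:
# OUT on endpoint 0x02 (shown as "2.2") and IN on endpoint 0x81 ("2.1").
SAMPLE = [
    {"frame.number": 1, "usb.urb_type": "S", "usb.device_address": 2, "usb.endpoint_number": 0x02},
    {"frame.number": 2, "usb.urb_type": "C", "usb.device_address": 2, "usb.endpoint_number": 0x02},
    {"frame.number": 3, "usb.urb_type": "S", "usb.device_address": 2, "usb.endpoint_number": 0x81},
    {"frame.number": 4, "usb.urb_type": "C", "usb.device_address": 2, "usb.endpoint_number": 0x81},
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p["frame.number"], columns(p), direction(p["usb.endpoint_number"]))
    # Note: the address/endpoint filter keeps both the submit and the
    # completion, i.e. the whole conversation, not only Source=2.2 packets.
    print(conversation_filter(2, 2), "->",
          [p["frame.number"] for p in select(SAMPLE, 2, 2)])
```

The last print shows the caveat: Guy's filter selects the whole host <-> 2.2 conversation (frames 1 and 2), not only the packets whose Source column reads 2.2.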