Wireshark-users: Re: [Wireshark-users] capturing USB data
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 30 Aug 2010 11:21:46 -0700
On Aug 30, 2010, at 10:42 AM, Thomas Epperson wrote:

> Ok I changed libpcap to point to /dev/null.

Actually, just undoing your previous change would be sufficient; "change it to /dev/null" was meant to indicate that no change was necessary - as per my mail, /proc/bus/usb isn't necessary with newer libpcaps such as 1.1.x.

> I can get wireshark to list usbmon interfaces and capture data, but ONLY if I run it as root. Is there a way to eliminate the dependency of running as root?

What does "ls -l /dev/usbmon*" print?

> I did these steps to allow sniffing "regular (not usb)" traffic as non-root
> 
> Setting network privileges for dumpcap
> http://wiki.wireshark.org/CaptureSetup/CapturePrivileges

Presumably those were the "Linux" steps.  Those steps are, as per "regular (not usb)", specific to capturing on regular networking devices; capturing USB traffic needs a different mechanism, requiring that the program be able to open the /dev/usbmon* devices.  Did you do the "Setting network privileges for dumpcap" steps or the "Limiting capture permission to only one group" steps?  If the former, you'll probably need to make the /dev/usbmon* devices publicly readable; if the latter, you'll only need to make them readable by the group in question.  (At least on my Ubuntu 9 VM, /sys/bus/usb/devices is publicly readable; if that's the case on your machine, no changes should be necessary to get Wireshark to list usbmon interfaces, although you'd need to make the usbmon devices accessible to dumpcap in order to get Wireshark to capture on them.)
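
An added example, not part of the original message: a small audit that reports, for each usbmon device node, whether it is readable by everyone, by the capture group, or neither, which is the distinction the reply draws between the two setups. It assumes GNU stat (Linux); the group name `wireshark` in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original message): report who can read
# usbmon device nodes. Requires GNU stat (Linux).

# classify_node NODE GROUP
# Prints "world" if anyone can read NODE, "group" if GROUP can,
# otherwise "restricted" (owner only, or readable by some other group).
classify_node() {
    cn_mode=$(stat -c '%a' "$1") || return 2   # octal mode, e.g. 640
    cn_group=$(stat -c '%G' "$1") || return 2  # owning group name
    cn_perm=$(( 0$cn_mode ))                   # leading 0 => parsed as octal
    if [ $(( cn_perm & 0004 )) -ne 0 ]; then
        echo world
    elif [ $(( cn_perm & 0040 )) -ne 0 ] && [ "$cn_group" = "$2" ]; then
        echo group
    else
        echo restricted
    fi
}

# audit_usbmon DIR GROUP
# Prints one "node: class" line per DIR/usbmon* node; returns 1 if none exist.
audit_usbmon() {
    au_found=1
    for au_node in "$1"/usbmon*; do
        [ -e "$au_node" ] || continue          # glob matched nothing
        au_found=0
        echo "$au_node: $(classify_node "$au_node" "$2")"
    done
    return "$au_found"
}

# Usage: sh script.sh /dev wireshark   ("wireshark" is an assumed group name)
if [ "$#" -eq 2 ]; then
    audit_usbmon "$1" "$2"
fi
```

A node reported as `restricted` can be opened only by its owner (or by members of a different group), so a non-root dumpcap run by a member of the named group cannot open it.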