Gadget Reverse Engineering: Capturing

Capturing USB packets in my Qemu based Windows virtual machine (VM) did not go as swimmingly as I had hoped. The device showed up in the Devices and Printers output but it was marked with a warning sign. On top of that, the vendor-provided application software completely ignored it. I spent a little time trying to figure out what was wrong but gave up. I wanted to capture packets rather than fix VM issues, so, grudgingly, I went back to my VirtualBox based Windows VM. There both Windows and the vendor application worked fine with my USB sports watch.

To capture packets you could install USBPcap in the Windows VM. But why bother if you can use Wireshark on the host machine [1]. Not only can you capture USB packets, you can also capture network traffic. This may matter in my case because the vendor application is really just a conduit between my watch and their database/servers.

Installing Wireshark

Wireshark is packaged for any self-respecting Linux distribution, so just go ahead and install it. Command-line aficionados may like its tshark utility, which may be packaged separately for your distro.

$ sudo apt-get install wireshark tshark

While neither needs any extra help to capture network packets, you need to load the usbmon kernel module in order to capture USB packets. You can add it to /etc/modules so the module gets loaded at boot time, or run the command below when you first need it.

$ sudo modprobe usbmon

While this will set you up to do all the capturing, the various Linux distributions all have their own approaches to who exactly is allowed to capture packets. To keep it simple, I'll just run wireshark with administrative privileges here [2].

Capturing Packets

So I've started wireshark with

$ sudo wireshark

and dismissed the warnings. Now I am ready to select the interfaces to capture on. As I don't want to get inundated with boatloads of packets that I am not interested in, selecting any is not a good idea. I definitely want the USB interface I connect my watch to. You can find out which one that is with something like

$ lsusb -d 1493:
Bus 006 Device 002: ID 1493:0010 Suunto

Replace the 1493 vendor ID with your device's vendor ID. Append a product ID after the colon if you wish to narrow things down further. The Bus number in the output corresponds to the USB interface you want to capture on, so that would be usbmon6 in this case.
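As an added example (not code from the original post), here is a small POSIX shell script that turns the lsusb lookup above into a capture on the matching usbmon interface, using dumpcap as footnote [2] recommends. It assumes lsusb, a loaded usbmon module and dumpcap are present; the sample lsusb line in the comments is constructed.

```shell
#!/bin/sh
# Added example: find the usbmon interface for a USB vendor ID and capture on it.
# Assumes lsusb, the usbmon module and dumpcap (from the wireshark packages).

# Map one lsusb output line to the usbmon interface for its bus.
# Constructed sample input: "Bus 006 Device 002: ID 1493:0010 Suunto" -> usbmon6
usbmon_iface_from_lsusb() {
    line=$1
    # Field 2 is the zero-padded bus number; usbmon names drop the padding.
    bus=$(printf '%s\n' "$line" | awk '{print $2}' | sed 's/^0*//')
    [ -n "$bus" ] || return 1
    printf 'usbmon%s\n' "$bus"
}

# Build the dumpcap command line. dumpcap needs root for usbmon, but the
# resulting capture file can be opened in wireshark by an unprivileged user.
dumpcap_cmd() {
    iface=$1
    outfile=$2
    printf 'sudo dumpcap -i %s -w %s\n' "$iface" "$outfile"
}

# Look up the first device matching a vendor ID and start capturing its bus.
# Usage: capture_vendor 1493 watch.pcapng
capture_vendor() {
    vendor=$1
    outfile=$2
    line=$(lsusb -d "$vendor:" | head -n 1)
    [ -n "$line" ] || { echo "no device with vendor ID $vendor" >&2; return 1; }
    iface=$(usbmon_iface_from_lsusb "$line") || return 1
    echo "capturing on $iface: $(dumpcap_cmd "$iface" "$outfile")"
    sudo dumpcap -i "$iface" -w "$outfile"
}

# Only capture when a vendor ID is given on the command line.
if [ "$#" -ge 1 ]; then
    capture_vendor "$1" "${2:-capture.pcapng}"
fi
```

Note that the whole bus is captured, so other devices on the same bus will show up in the file too; filter them out in wireshark by device address.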

Footnotes

[1] Wireshark is available for Windows too but it does not support capturing USB traffic there.
[2] A number of distributions already take extra precautions that allow selected users to perform network packet captures. However, for USB packet captures you will still(?) need root privileges. The safest and suggested approach is capturing with the dumpcap command-line utility. Its captures can then be analyzed with wireshark by any user.