Gadget Reverse Engineering: Capturing
Capturing USB packets in my QEMU-based Windows virtual machine (VM)
did not go as swimmingly as I had hoped. The device showed up in the
Devices and Printers output, but it was marked with a warning sign.
On top of that, the vendor-provided application software completely
ignored it. I spent a little time trying to figure out what was wrong
but gave up. I wanted to capture packets rather than fix VM issues,
so, grudgingly, I went back to my VirtualBox-based Windows VM.
There both Windows and the vendor application worked fine with my USB
To capture packets you could install USBPcap in the Windows VM. But why bother if you can use Wireshark on the host machine [1]? Not only can you capture USB packets, you can also capture network traffic. This may matter in my case because the vendor application is really just a conduit between my watch and their database/servers.
Wireshark is packaged for any self-respecting Linux distribution, so
just go ahead and install it. Command-line aficionados may like its
tshark utility, which may be packaged separately for your distro.
While neither needs any extra help to capture network packets, you
need to load the usbmon kernel module in order to capture USB
packets. You can add it to /etc/modules so the module gets loaded
at boot time, or run the command below when you first need it.
While this will set you up to do all the capturing, the various Linux
distributions all have their own approaches to who exactly is allowed
to capture packets. To keep it simple, I'll just run Wireshark
with administrative privileges here [2].
So I've started Wireshark and dismissed the warnings. Now I am ready
to select the interfaces to capture on. As I don't want to be
inundated with boatloads of packets I am not interested in, selecting
any is not a good idea. I definitely want the USB interface I connect
my watch on. You
can find out which one that is with something like
Replace the 1493 vendor ID with your device's vendor ID. Append a
product ID after the colon if you wish to narrow things down further.
The bus number in the output corresponds to the usbmon interface you
want to capture on, so that would be usbmon6 in this case.
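The procedure above, written out as an added shell example that is not from the original post: it turns lsusb output for a vendor ID into the usbmon interface name and hands that to dumpcap, the route suggested in footnote 2. It assumes lsusb (usbutils) and dumpcap (Wireshark) are installed and usbmon is loaded; the sample lsusb line is constructed, with only the 1493 vendor ID taken from the post.

```shell
#!/bin/sh
# Added example (not the post's own code): locate the usbmon interface for a
# USB device by vendor ID and capture on it with dumpcap.

# Turn lsusb lines such as "Bus 006 Device 003: ID 1493:0011 ..." into the
# interface name Wireshark and dumpcap expect ("usbmon6").
# Reads lsusb output on stdin; prints one unique interface name per bus.
usbmon_from_lsusb() {
    awk '$1 == "Bus" { print "usbmon" ($2 + 0) }' | sort -u
}

# Constructed sample of what `lsusb -d 1493:` might print for the watch.
# Vendor ID 1493 is from the post; product ID and name are made up.
SAMPLE_LSUSB='Bus 006 Device 003: ID 1493:0011 Example Watch (constructed)'

# Query the live system: 4-hex-digit vendor ID in, usbmon interface out.
usbmon_for_vendor() {
    lsusb -d "$1:" | usbmon_from_lsusb
}

# Capture USB traffic for one vendor ID into a pcapng file, stopping after
# a fixed number of seconds so a forgotten capture does not fill the disk.
# Usage: capture_usb 1493 watch.pcapng 300
capture_usb() {
    vid=$1; outfile=$2; seconds=${3:-300}
    set -- $(usbmon_for_vendor "$vid")      # one word per matching bus
    if [ $# -eq 0 ]; then
        echo "no device with vendor ID $vid found; is it attached?" >&2
        return 1
    elif [ $# -gt 1 ]; then
        echo "vendor $vid present on several buses: $*; pick one" >&2
        return 1
    fi
    # usbmon capture still needs root on most distributions (footnote 2);
    # the resulting file can then be opened in wireshark by any user.
    dumpcap -i "$1" -a "duration:$seconds" -w "$outfile"
}
```

Run `capture_usb 1493 watch.pcapng` as root after plugging the device in; the capture file can then be opened in Wireshark as an ordinary user.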
[1] Wireshark is available for Windows too, but it does not support capturing USB traffic there.
[2] A number of distributions already take extra precautions that allow selected users to perform network packet captures. However, for USB packet captures you will still(?) need root privileges. The safest and suggested approach is capturing with the dumpcap command-line utility. Its captures can then be analyzed with wireshark by any user.