
Wireshark-users: [Wireshark-users] USB filters and format ?

From: Smilen Dimitrov <sd@xxxxxxxxxx>
Date: Thu, 08 Apr 2010 00:18:49 +0200
Hi all,

I want to use wireshark (or tshark) to inspect USB traffic; and after some problems with libpcap, I think I am getting USB data correctly now.

Where I am confused is how to make input filters; I have seen:

Wireshark · Display Filter Reference: USB -
http://www.wireshark.org/docs/dfref/u/usb.html

And those work. However, if I want to filter by frame number, I have to use frame.number, which is in a different "class":

Wireshark · Display Filter Reference: Frame -
http://www.wireshark.org/docs/dfref/f/frame.html

Now, in Wireshark GUI there are columns: "No.", "Time", "Source", "Destination", "Protocol" and "Info" ... For all others but "No." (which is, apparently, frame.number), I have no idea what the corresponding filters are for a USB packet!

For example, "Source" for network traffic would be ip.src; but for usb, neither usb.src.endpoint nor usb.dst.endpoint show anything. And I am in particular interested in filtering by source and destination...

If I click over one of those columns in Wireshark, and do, say, "Copy - As Filter", I get:
"Could not acquire information to build a filter!
Try expanding or choosing another item."

The only one that works is, in fact, the "No." column (with frame.number) - all others fail as above. It seems as if those fields are not even defined for USB - but then, how can Wireshark render information for those columns (and it does so fine)?

I can also do Statistics/Conversations in Wireshark, and it does seem to sort USB traffic by conversation - but if I again right-click on a conversation and choose "Prepare a filter - Selected - A->B", then I get a statement like:

"usb.sa==2.2 && usb.da==host"

which is strange, as usb.sa and usb.da do not exist in http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed, trying to apply that filter results in:

"Neither 'usb.sa' nor '2.2' are field or protocol names.
The following display filter isn't a valid display filter:
usb.sa==2.2 && usb.da==host
See the help for a description of the display filter syntax."

So, what sort of a filter sentence and fields could I use, to (say) limit packet display to those with Source=2.2 and Destination=host?


A secondary question has to do with the following: I'd like to use tshark to sort of "grep" through a capture file, as in:

tshark -R 'frame.number >= 1789 && frame.number <= 1812' -T fields -e frame.number -e usb.endpoint_number -e usb.request_in -e usb.response_in -e usb.urb_type -e usb.data -e usb.data_flag -e usb.data_len -E separator=, -E header=y -E quote=d -r /path/to/my-capture.pcap

This can result in output like:

"1794","0x81","1783",,"C\x03\x81\x02\x02","01:60:37:30:36:20:36:33:31:20",,"10"

As far as I can see, usb.data is defined as a Byte array in dfref/u/usb.html; is there a way to format it as a string (replacing unreadable characters with '.') directly from tshark?

Thanks for any responses,
Cheers!
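As an added example (not part of the original post, and not Wireshark or tshark code): one way to get the "string with '.' for unreadable bytes" rendering asked for above is to post-process the `-T fields` CSV that tshark writes. The sample lines below are constructed to match the format shown in the post (header=y, separator=,, quote=d), and the extra `usb.data.text` column name is my own.

```python
import csv
import io

# Constructed sample of tshark "-T fields -E header=y -E separator=, -E quote=d"
# output, shaped like the line quoted in the post; not from a real capture.
SAMPLE = (
    "frame.number,usb.endpoint_number,usb.request_in,usb.response_in,"
    "usb.urb_type,usb.data,usb.data_flag,usb.data_len\n"
    '"1794","0x81","1783",,"C\\x03\\x81\\x02\\x02","01:60:37:30:36:20:36:33:31:20",,"10"\n'
    '"1795","0x02",,"1796","S","48:65:6c:6c:6f",,"5"\n'
    '"1796","0x81",,,"S",,,\n'  # URB with no payload: usb.data is empty
)


def bytes_from_field(field):
    """Turn tshark's colon-separated byte array ('01:60:37') into bytes; '' -> b''."""
    if not field:
        return b""
    return bytes(int(h, 16) for h in field.split(":"))


def printable(data, placeholder="."):
    """Render bytes as text, replacing anything outside printable ASCII with placeholder."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else placeholder for b in data)


def rows_with_text(csv_text, data_field="usb.data"):
    """Parse the tshark CSV and add a usb.data.text column with the readable rendering.

    If tshark's usb.data_len disagrees with the number of bytes decoded, the row is
    flagged, so a truncated or mangled field does not go unnoticed.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = []
    for row in reader:
        data = bytes_from_field(row.get(data_field) or "")
        row["usb.data.text"] = printable(data)
        declared = row.get("usb.data_len") or ""
        row["length_mismatch"] = bool(declared) and int(declared) != len(data)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in rows_with_text(SAMPLE):
        print(r["frame.number"], r["usb.endpoint_number"], repr(r["usb.data.text"]))
```

The same function works on a file produced by the tshark command in the post: read it and pass its contents as `csv_text`.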