Everyone loves USB devices. Many devices use USB as their communication port. It is popular, and the standard keeps improving. So, have you ever been curious about what the devices do, how they work, and why? Whether you are a hardware hacker, a hobbyist, or anyone interested in peripherals and low-level work, USB is very challenging. With Wireshark, we have the power to sniff or capture the data stream sent by our USB devices to our host. The host is a PC with Windows or Linux installed.
In this article we will discuss how we can capture USB data with Wireshark. While writing this article I used the following material:
- Wireshark 2.0.1 (SVN)
- Linux kernel 4.1.6
You can use any Wireshark version above 1.2.0 to get this working. I haven't added a Windows section yet because I haven't confirmed the procedure there yet.
Before we start, I think it is good to know some basic USB background. USB has a specification. There are three common ways to use USB:
- USB UART
- USB HID
- USB Memory
UART stands for Universal Asynchronous Receiver/Transmitter. Such a device uses USB simply as a way to receive or transmit data, nothing more, just like any other serial communication link.
HID is Human Interface Device. It is the USB class for user-interface devices. Devices in this class include keyboards, mice, game controllers, and alphanumeric display devices.
Last is USB Memory, or, we could say, storage. External HDDs and thumb drives / flash drives are part of this class.
As you might expect, the most common devices are either USB HID or USB Memory.
Now, every USB device, especially HID or Memory, has a pair of magic numbers called the Vendor Id and Product Id. They always come as a pair. The Vendor Id identifies which vendor makes the device. The Product Id identifies the product model; it is not a serial number. See the following picture.
That is the list of USB devices connected to my box. To get this list we can invoke lsusb.
Let's choose an entry. I have a wireless mouse from Logitech. This is an HID device. This mouse comes with a receiver, which is detected and runs as expected. Can you spot which entry is the device? Yes, the 4th entry. Here we have the following:
Bus 003 Device 010: ID 046d:c52f Logitech, Inc. Unifying Receiver
The part ID 046d:c52f is the Vendor-Product Id pair. The vendor id is 046d and the product id is c52f.
See Bus 003 Device 010. This tells us the Bus to which our device is connected. Note this number.
We can run Wireshark as root to sniff the USB stream, but as always, that is not recommended. We need to give our user enough privilege to dump the stream from Linux usbmon. We can use udev for this purpose. What we will do is create a usbmon group, make our account a member of usbmon, and create a udev rule (run these as root; the new group membership takes effect on your next login):
addgroup usbmon
gpasswd -a $USER usbmon
echo 'SUBSYSTEM=="usbmon", GROUP="usbmon", MODE="640"' > /etc/udev/rules.d/99-usbmon.rules
Next we need the usbmon kernel module. If it is not loaded yet, invoke the following command as root:
Open Wireshark and look at the interface list. You should see usbmonX, where X is a number. Here is mine (yeah, I use root):
If there is activity or a stream on an interface, Wireshark shows it as a wave graph. So which one should we choose? Remember the number I asked you to note? The X is the number of the USB Bus. In my case the target is usbmon3. Just open it and watch the packet flow: click on the usbmon interface and then click the blue shark fin icon.
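As an added example (not code from the article), here is a small POSIX shell script that automates the lookup just described: it parses lsusb output for a given vendor:product id, derives the usbmonN interface name from the bus number, and prints a tshark command that keeps only frames for that device address. It assumes the usbmon module and the udev rule above are in place; the lsusb listing inside it is constructed, and usb.device_address is a Wireshark display-filter field.

```shell
#!/bin/sh
# Added example, not code from the article: automate the lookup above. Given a
# vendor:product id, find its bus and device address in lsusb output, derive the
# usbmonN interface name (Bus 003 -> usbmon3, leading zeros dropped) and print a
# tshark command limited to that device. Assumes the usbmon module is loaded and
# the udev rule above is in place; usb.device_address is a Wireshark filter field.

# Constructed lsusb listing; the Logitech line is the one quoted in the article.
SAMPLE_LSUSB='Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 010: ID 046d:c52f Logitech, Inc. Unifying Receiver
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# usb_lookup VID:PID  -- reads lsusb lines on stdin and prints "BUS DEVNUM"
# (as plain integers) for the first line whose ID matches, case-insensitively.
usb_lookup() {
    awk -v want="$1" '
        $1 == "Bus" && $5 == "ID" && tolower($6) == tolower(want) {
            bus = $2; dev = $4
            sub(/:$/, "", dev)                        # "010:" -> "010"
            sub(/^0+/, "", bus); sub(/^0+/, "", dev)  # "003" -> "3", "010" -> "10"
            print bus, dev
            exit
        }'
}

# Interface name Wireshark shows for the bus this device sits on, e.g. usbmon3.
usbmon_iface_for_id() {
    set -- $(usb_lookup "$1")             # $1 = bus, $2 = device address
    [ -n "$1" ] && printf 'usbmon%s\n' "$1"
}

# tshark command that captures on that interface and keeps only frames
# to/from this device address. Printed rather than run, so it can be
# reviewed (and an output file added) before starting the capture.
capture_cmd_for_id() {
    id=$1
    set -- $(usb_lookup "$id")
    [ -n "$1" ] || { echo "device $id not found in lsusb output" >&2; return 1; }
    printf "tshark -i usbmon%s -Y 'usb.device_address == %s'\n" "$1" "$2"
}

# Demo on the constructed listing; for real use: lsusb | capture_cmd_for_id 046d:c52f
printf '%s\n' "$SAMPLE_LSUSB" | usbmon_iface_for_id 046d:c52f   # usbmon3
printf '%s\n' "$SAMPLE_LSUSB" | capture_cmd_for_id 046d:c52f
```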
What can we do after capturing? Well, it depends. In general we can understand how the device and host communicate, and maybe with this knowledge we can use our skills to reverse engineer it. Well, that's another article.