Wireshark mailing list archives
USB filters and format ?
From: Smilen Dimitrov <sd () imi aau dk>
Date: Thu, 08 Apr 2010 00:18:49 +0200
Hi all,

I want to use wireshark (or tshark) to inspect USB traffic; and after some problems with libpcap, I think I am getting USB data correctly now. Where I am confused is how to make input filters; I have seen:

Wireshark · Display Filter Reference: USB - http://www.wireshark.org/docs/dfref/u/usb.html

And those work.. However, if I want to filter by frame number, I have to use frame.number, which is in a different "class":

Wireshark · Display Filter Reference: Frame - http://www.wireshark.org/docs/dfref/f/frame.html

Now, in Wireshark GUI there are columns: "No.", "Time", "Source", "Destination", "Protocol" and "Info" ... For all others but "No." (which is, apparently, frame.number), I have no idea what the corresponding filters are for a USB packet! For example, "Source" for network traffic would be ip.src; but for usb, neither usb.src.endpoint nor usb.dst.endpoint show anything. And I am in particular interested in filtering by source and destination...

If I click over one of those columns in Wireshark, and do, say, "Copy - As Filter", I get:

    "Could not acquire information to build a filter! Try expanding or choosing another item."

The only one that works, is in fact "No." (with frame.number) column - all others fail as above. It seems as if those fields are not even defined for USB - but then, how can Wireshark render information for those columns (and it does so fine?)

I can also do Statistics/Conversations in Wireshark, and it does seem to sort USB traffic by conversation - but if I again right-click on a conversation and choose "Prepare a filter - Selected - A->B", then I get a statement like:

    "usb.sa==2.2 && usb.da==host"

which is strange, as usb.sa and usb.da do not exist in http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed, trying to apply that filter results with:

    "Neither 'usb.sa' nor '2.2' are field or protocol names.
    The following display filter isn't a valid display filter: usb.sa==2.2 && usb.da==host
    See the help for a description of the display filter syntax."

So, what sort of a filter sentence and fields could I use, to (say) limit packet display to those with Source=2.2 and Destination=host?

A secondary question has to do with the following: I'd like to use tshark to sort of "grep" through a capture file, as in:

    tshark -R 'frame.number >= 1789 && frame.number <= 1812' -T fields -e frame.number -e usb.endpoint_number -e usb.request_in -e usb.response_in -e usb.urb_type -e usb.data -e usb.data_flag -e usb.data_len -E separator=, -E header=y -E quote=d -r /path/to/my-capture.pcap

This can result with output like:

    "1794","0x81","1783",,"C\x03\x81\x02\x02","01:60:37:30:36:20:36:33:31:20",,"10"

As far as I can see usb.data is defined as Byte array in dfref/u/usb.html; is there a way to format it as a string (replacing '.' for unreadable characters) directly from tshark?

Thanks for any responses,
Cheers!
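
Added example (not part of the original post, and not Wireshark project code): one way to post-process the "-T fields" output shown above outside of tshark, turning the colon-separated usb.data bytes into a string with '.' for unreadable characters and checking the result against usb.data_len. The function names, the header line and the second sample row are constructed for illustration; the first sample row is the output line quoted in the post.

```python
import csv
import io

# Column order follows the -e options of the tshark command quoted in the post.
FIELDS = ["frame.number", "usb.endpoint_number", "usb.request_in",
          "usb.response_in", "usb.urb_type", "usb.data",
          "usb.data_flag", "usb.data_len"]

# Constructed sample: assumed header line, the row from the post, one made-up row.
SAMPLE = r'''frame.number,usb.endpoint_number,usb.request_in,usb.response_in,usb.urb_type,usb.data,usb.data_flag,usb.data_len
"1794","0x81","1783",,"C\x03\x81\x02\x02","01:60:37:30:36:20:36:33:31:20",,"10"
"1795","0x81",,,"S",,,"0"
'''

def hex_to_bytes(field):
    """Convert a byte-array field ('01:60:37', colons optional) to bytes."""
    return bytes.fromhex(field.replace(":", ""))

def printable(data):
    """Render bytes as ASCII, replacing every non-printable byte with '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)

def render_rows(text):
    """Return (frame, endpoint, ascii_data, length_matches) per data row."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        # Skip the header row and anything with an unexpected column count.
        if len(rec) != len(FIELDS) or rec[0] == FIELDS[0]:
            continue
        row = dict(zip(FIELDS, rec))
        try:
            data = hex_to_bytes(row["usb.data"])
        except ValueError:
            continue  # usb.data was not valid hex; leave the row out
        declared = row["usb.data_len"]
        # Cross-check the decoded length against the usb.data_len column.
        length_matches = declared.isdigit() and int(declared) == len(data)
        rows.append((row["frame.number"], row["usb.endpoint_number"],
                     printable(data), length_matches))
    return rows

if __name__ == "__main__":
    for frame, endpoint, text, ok in render_rows(SAMPLE):
        print(f"{frame} {endpoint} {text!r} len_ok={ok}")
```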