Wireshark mailing list archives

USB filters and format ?


From: Smilen Dimitrov <sd () imi aau dk>
Date: Thu, 08 Apr 2010 00:18:49 +0200

Hi all,

I want to use wireshark (or tshark) to inspect USB traffic; and after 
some problems with libpcap, I think I am getting USB data correctly now.

Where I am confused is how to make input filters; I have seen:

Wireshark · Display Filter Reference: USB -
http://www.wireshark.org/docs/dfref/u/usb.html

And those work. However, if I want to filter by frame number, I have to 
use frame.number, which is in a different "class":

Wireshark · Display Filter Reference: Frame -
http://www.wireshark.org/docs/dfref/f/frame.html

Now, in Wireshark GUI there are columns: "No.", "Time", "Source", 
"Destination", "Protocol" and "Info" ... For all others but "No." (which 
is, apparently, frame.number), I have no idea what the corresponding 
filters are for a USB packet!

For example, "Source" for network traffic would be ip.src; but for usb, 
neither usb.src.endpoint nor usb.dst.endpoint show anything. And I am 
particularly interested in filtering by source and destination...

If I click over one of those columns in Wireshark, and do, say, "Copy - 
As Filter", I get:
"Could not acquire information to build a filter!
Try expanding or choosing another item."

The only one that works is, in fact, the "No." column (with frame.number); 
all others fail as above. It seems as if those fields are not even 
defined for USB - but then, how can Wireshark render information for 
those columns (and it does so fine?)

I can also do Statistics/Conversations in Wireshark, and it does seem to 
sort USB traffic by conversation - but if I again right-click on a 
conversation and choose "Prepare a filter - Selected - A->B", then I get 
a statement like:

"usb.sa==2.2 && usb.da==host"

which is strange, as usb.sa and usb.da do not exist in 
http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed, trying to 
apply that filter results in:

"Neither 'usb.sa' nor '2.2' are field or protocol names.
The following display filter isn't a valid display filter:
usb.sa==2.2 && usb.da==host
See the help for a description of the display filter syntax."

So, what sort of a filter sentence and fields could I use, to (say) 
limit packet display to those with Source=2.2 and Destination=host?


A secondary question has to do with the following: I'd like to use 
tshark to sort of "grep" through a capture file, as in:

  tshark -R 'frame.number >= 1789 && frame.number <= 1812' \
    -T fields -e frame.number -e usb.endpoint_number -e usb.request_in \
    -e usb.response_in -e usb.urb_type -e usb.data -e usb.data_flag \
    -e usb.data_len -E separator=, -E header=y -E quote=d \
    -r /path/to/my-capture.pcap

This can result in output like:

"1794","0x81","1783",,"C\x03\x81\x02\x02","01:60:37:30:36:20:36:33:31:20",,"10"

As far as I can see usb.data is defined as Byte array in 
dfref/u/usb.html; is there a way to format it as a string (substituting '.' 
for unreadable characters) directly from tshark?

Thanks for any responses,
Cheers!

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
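One way to get the string form of usb.data without relying on tshark itself, as an added example that is not part of the original post or of Wireshark: a small Python post-processor that reads the CSV produced by the tshark command above (-E separator=, -E header=y -E quote=d) and turns the colon-separated usb.data bytes into printable text, substituting '.' for non-printable bytes. The sample row is the one quoted in the post; the unquoted header line, the added "usb.data.text" column and the usb.data_len consistency check are assumptions of this example.

```python
import csv
import io
import sys

# Constructed sample of tshark "-T fields" output with the post's -E options.
# The data row is the line quoted in the post; the header line is assumed.
SAMPLE = r'''frame.number,usb.endpoint_number,usb.request_in,usb.response_in,usb.urb_type,usb.data,usb.data_flag,usb.data_len
"1794","0x81","1783",,"C\x03\x81\x02\x02","01:60:37:30:36:20:36:33:31:20",,"10"
'''


def usb_data_to_text(hexbytes: str, unprintable: str = ".") -> str:
    """Convert tshark's byte-array rendering ('01:60:37:...') to text,
    replacing every byte outside printable ASCII with `unprintable`."""
    if not hexbytes:
        return ""
    raw = bytes(int(h, 16) for h in hexbytes.split(":"))
    return "".join(chr(b) if 0x20 <= b < 0x7F else unprintable for b in raw)


def decode_rows(tshark_csv: str, field: str = "usb.data") -> list:
    """Parse tshark CSV text and add a '<field>.text' column per row.
    Also records whether the decoded length matches usb.data_len."""
    rows = []
    for row in csv.DictReader(io.StringIO(tshark_csv)):
        row = dict(row)
        hexbytes = row.get(field) or ""
        row[field + ".text"] = usb_data_to_text(hexbytes)
        declared = row.get("usb.data_len") or ""
        decoded_len = len(hexbytes.split(":")) if hexbytes else 0
        # Flag rows where the byte array and usb.data_len disagree.
        row[field + ".len_ok"] = (not declared) or int(declared) == decoded_len
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Usage: tshark ... -E separator=, -E header=y -E quote=d | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for r in decode_rows(text):
        print(r["frame.number"], repr(r["usb.data.text"]), r["usb.data.len_ok"])
```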