Using Wireshark to capture EtherNet over USB

English Network/Internet
#1

Hello all, thank you for this forum.

To save time, does anyone know of a Wireshark forum? I found their wiki, but Google does not reveal a robust forum such as this where you can ask questions.

That having been said, would you please help me sort this out:

How to get Wireshark to see usbmon0? ls -l /dev/usbmon* shows
crw-r–r-- 1 root root 248, 0 Jan 10 14:50 /dev/usbmon0
crw-r–r-- 1 root root 248, 1 Jan 10 14:50 /dev/usbmon1
crw-r–r-- 1 root root 248, 2 Jan 10 14:50 /dev/usbmon2
but Wireshark only sees the latter two.

=======================================================

  1. We have a piece of boat gear (RayMarine C120W) that bridges NMEA 0183 (ASCII) and EtherNet (“SeaTalk-HS”) data for transmission to Windows software (RayTech Navigation System—RNS). The bridged data are wired to a DB-9F chassis connector near the laptop. We did have a Serial to Ethernet cable that connected to an older laptop running the software that had an Ethernet Socket. It worked fine.

  2. We have not touched the boat wiring, but have lost the cable and necessarily moved the software to a new laptop (openSUSE Leap 42.1 Linux) that does not have an Ethernet socket, only USB.

  3. We have a Gigaware 2603487 USB-A to Serial Cable. It is recognized by the laptop and connected to ttyUSB0. We can read that port at the command line interface—CLI—with cat /dev/ttyUSB0 and see the NMEA 0183 ASCII sentences but not the Ethernet stream.

    3.1 I understand that the EtherNet traffic is higher frequency and multiplexed, yada yada, so will address that aspect (“EtherNet over USB”) in due course, but first we need Wireshark to see the basic USB data that we can see on the CLI (presumably on usbmon0) to ensure that Wireshark is reading the USB connection.

  4. We have laboriously followed https://wiki.wireshark.org/CaptureSetup/USB and many of its adherents, particularly
    http://stackoverflow.com/questions/31054437/how-to-install-wireshak-on-linux-and-capture-usb-traffic — yes, they misspelled Wireshark
    As a result we have:

    4.1 Sorted out usbmon. It needs to be restarted after each reboot (modprobe usbmon), a PITA we’ll address later.

    4.2 Added the requisite capabilities to dumpcap

    4.3 Changed permissions as directed (644) on /dev/usbmon*, added the wireshark group and added the user to the group.

    4.4 Configured Wireshark for non-root use, but that shows the same results as running it as root (yes, I know, a no-no).

  5. https://wiki.wireshark.org/CaptureSetup/USB says the special “usbmon0” interface receives events from all USB buses.

    5.1 After a new modprobe usbmon after a reboot ls -l /dev/usbmon* returns
    crw-r–r-- 1 root root 248, 0 Jan 10 14:50 /dev/usbmon0
    crw-r–r-- 1 root root 248, 1 Jan 10 14:50 /dev/usbmon1
    crw-r–r-- 1 root root 248, 2 Jan 10 14:50 /dev/usbmon2

so others (user, wireshark group) should be able to read.

5.2 So indeed usbmon0 exists but it does not appear in Wireshark. Wireshark only shows usbmon1 and usbmon2.
Neither has any interesting traffic, certainly not the ASCII stream that we can see on the CLI.

  1. We have attempted using a USB connected EtherNet to USB adapter with a Serial to Ethernet cable. It is recognized by the OS and
    Wireshark sees it as eth0 but there is zero traffic on it.

We can proceed further with EtherNet over USB once we have determined that Wireshark can read usbmon0 (ttyUSB0).

How to get Wireshark to see usbmon0?

Thanks in advance. Thank you again for this excellent forum. Happy New Year.

Kind regards, Andy

#2

Yes…
https://ask.wireshark.org/questions/

4.1 Sorted out usbmon. It needs to be restarted after each reboot (modprobe usbmon), a PITA we’ll address later.

Load it at boot via custom file in /etc/modprobe.d/ directory eg 30-usbmon.conf

This might be helpful…

Modern kernels (with the usbmon module loaded) also create a /dev/usbmonX device which is first probed for by Wireshark (actually, libpcap). When you run Wireshark as non-root user, it will not be able to capture from those devices. In that case, make sure that your user is allowed to read from it (write access is unnecessary):

sudo setfacl -m u:$USER:r /dev/usbmon1

Alternatively, if you do not have setfacl installed:

sudo chgrp $USER /dev/ubsmon1 && sudo chmog g+t /dev/usbmon1

https://ask.wireshark.org/questions/44716/usbmon0-missing-in-interface-list

#3

4.3 Changed permissions as directed (644) on /dev/usbmon*, added the wireshark group and added the user to the group.

A custom udev rule could also be used to assign r/w access to the appropriate group.

#4

If you find yourself unable to resolve your Wireshark sniffing USB problem,

An alternative is to use USBMon and tcpdump to capture your traffic (That should be pretty easy) to file,
Then open the file in Wireshark for analysis.

Google “tcpdump usb” and you’ll get plenty of hits on setting up and capturing.

BTW - Have you tried just pointing Wireshark to each one of the USB ports it recognizes and see if there’s any traffic?
Might be that there’s just some labeling issue, but functionality is there.

TSU

#5

Am Tue, 10 Jan 2017 23:36:01 GMT
schrieb deano ferrari <deano_ferrari@no-mx.forums.microfocus.com>:

> A custom udev rule could also be used to assign r/w access to the
> appropriate group.

Yup, for example:

/etc/udev/rules.d/50-my_usbmon.rules

ACTION==“add”, SUBSYSTEM==“usbmon”, KERNEL==“usbmon?*”, OWNER=“root”, GROUP=“trusted”, MODE=“640”

(only for users in the "trusted " group, adjust group name to your needs)

or

/etc/udev/rules.d/50-my_usbmon.rules

ACTION==“add”, SUBSYSTEM==“usbmon”, KERNEL==“usbmon?*”, MODE=“644”

(for all users, not a good idea and just for the record)

wireshark -k -i usbmon0

= Works for me™

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

#6

Deano,
Hello, thank you for your reply. Your answers are high entropy, so took me a while to digest… :slight_smile:

Thank you for the ask.wireshark.org/questions link. Very helpful. Have posted there, no answer yet. Have also posted it to my blog
http://genietvanhetleven.blogspot.com/2017/01/wireshark-question.html
in the hopes that Google may propagate my question further.

> Load it at boot via custom file in /etc/modprobe.d/ directory eg 30-usbmon.conf
Thanks also for the

/etc/modprobe.d

tip. High entropy, more I need to study…

https://ask.wireshark.org/questions/44716/usbmon0-missing-in-interface-list
Thanks for the

 ...interface-list

reference.

We tried these again, same result:
Wireshark sees usbmon1 and usbmon2 but not usbmon0.

    So there is something about usbmon0 that continues to evade me.

I’m sure we shall solve it in due course. Thank you again.

Kind regards, Andy

=========================================================
sudo setfacl -m u:$USER:r /dev/usbmon*
results in

[INDENT=2] andy@spectre:~> ls -l /dev/usbmon*
crw-r–r–+ 1 root root 248, 0 Jan 12 17:39 /dev/usbmon0
crw-r–r–+ 1 root root 248, 1 Jan 12 17:39 /dev/usbmon1
crw-r–r–+ 1 root root 248, 2 Jan 12 17:39 /dev/usbmon2
[/INDENT]
But no joy. Wireshark still can see usbmon1 and usbmon2 but not usbmon0:

, I’ve spent some time reading about sticky bits (+). They can be removed with
[INDENT=2]setfacl -b /dev/usbmon*
[/INDENT]