USB packet capture on Linux [repost]
Reposted from: http://blog.chinaunix.net/uid-11848011-id-4508834.html
1. Configure the kernel to enable the USB monitor:
make menuconfig
Device Drivers -->
USB Support -->
USB Monitor --> select * (built in), not M
2. Build the kernel (if usbmon was built as a module instead, load it):
sudo insmod /lib/modules/3.2.1/kernel/drivers/usb/mon/usbmon.ko
3. After booting the kernel, run:
# mount -t debugfs none_debugs /sys/kernel/debug
Check that the directory /sys/kernel/debug/usb/usbmon exists:
# ls /sys/kernel/debug/usb/usbmon
0s 0u 1s 1t 1u 2s 2t 2u 3s 3t 3u
# cat /sys/kernel/debug/usb/devices   (find the bus number and device number of the USB device you want to monitor)
Pick the block that contains: Vendor=148f ProdID=5370 Rev= 1.01. It looks like this:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=148f ProdID=5370 Rev= 1.01
S: Manufacturer=Ralink
S: Product=802.11 n WLAN
S: SerialNumber=1.0
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=450mA
I:* If#= 0 Alt= 0 #EPs= 5 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtusbSTA
E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
From the first line you can see Bus=01, and the device number (Dev#) is 2.
if (Bus == 01)
sudo cat /sys/kernel/debug/usb/usbmon/1u > ./rt5370-UsbMon.txt
else if (Bus == 02)
sudo cat /sys/kernel/debug/usb/usbmon/2u > ./rt5370-UsbMon.txt
2. Parsing the format of the captured USB packets
The usbmon reports requests made by peripheral-specific drivers to Host
Controller Drivers (HCD). So, if HCD is buggy, the traces reported by
usbmon may not correspond to bus transactions precisely. This is the same
situation as with tcpdump.
The text above explains the basic working principle of usbmon: it reports every request that the USB host drivers send to the HCD (usb_submit_urb) together with the contents of each request's completion (i.e. the callback function attached to the request, urb->complete).
Any text format data consists of a stream of events, such as URB submission (S),
URB callback (C), submission error (E). Every event is a text line, which consists
of whitespace separated words. The number or position of words may depend
on the event type, but there is a set of words, common for all types.
edda2b80 3474786256 C Ii:1:006:1 0:1 16 = 2fff0180 d6ef206e 1401020c 015aab73
e11c9280 3500399358 S Co:1:006:0 s 20 00 0000 0000 0007 7 = 370c0447 00401f
e11c9280 3500399866 C Co:1:006:0 0 7 >
Here is the list of words, from left to right:
- URB Tag. This is used to identify URBs, and is normally an in-kernel address
of the URB structure in hexadecimal, but can be a sequence number or any
other unique string, within reason.
urb = usb_alloc_urb(0, mem_flags);
Because one URB corresponds to one endpoint, all transfers on the same endpoint carry the same URB tag.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
- Timestamp in microseconds, a decimal number. The timestamp's resolution
depends on available clock, and so it can be much worse than a microsecond
(if the implementation uses jiffies, for example).
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
Note that the unit is microseconds.
- Event Type. This type refers to the format of the event, not URB type.
Available types are: S - submission, C - callback, E - submission error.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
An S event means that the USB host driver has submitted a URB transfer request to the Linux USB core through usb_submit_urb. Since every USB transfer is initiated by the host, the host driver must actively issue this submit-URB action.
- "Address" word (formerly a "pipe"). It consists of four fields, separated by
colons: URB type and direction, Bus number, Device address, Endpoint number.
Type and direction are encoded with two bytes in the following manner:
Ci Co Control input and output
Zi Zo Isochronous input and output
Ii Io Interrupt input and output
Bi Bo Bulk input and output
Bus number, Device address, and Endpoint are decimal numbers, but they may
have leading zeros, for the sake of human readers.
So the address field has the following format:
URB type and direction:Bus number:Device address:Endpoint number
For example:
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
Meaning: a control transfer, input direction, on bus 1, device address 008. Because all control transfers go over endpoint 0, the final endpoint field is naturally 0 as well.
Note that this capture command can only select which bus to capture on, and one bus usually carries many USB devices. If you are only interested in one particular device, you need to watch the device address field: it tells you whether a given transfer belongs to the device you want to monitor.
For example, in the following USB sniffer log:
edda2b80 3500379613 C Ii:1:006:1 0:1 8 = 0e06010d 08004700
edda2b80 3500394156 S Ii:1:006:1 -115:1 16 <
eea76f80 3500394226 C Ii:1:003:3 0:128 16 = a12a0000 01000800 00e1f505 00e1f505
eea76f80 3500394236 S Ii:1:003:3 -115:128 16 <
Both are on USB bus 1 (one USB bus corresponds to one USB host controller), but one device address is 006 and the other is 003. The former is an interrupt transfer of a USB Bluetooth dongle, the latter an interrupt transfer of a USB mouse; both are attached to a USB hub on the same bus. What we actually need to monitor is only the Bluetooth dongle, so the mouse traffic can be ignored.
- URB Status word. This is either a letter, or several numbers separated
by colons: URB status, interval, start frame, and error count. Unlike the
"address" word, all fields save the status are optional. Interval is printed
only for interrupt and isochronous URBs. Start frame is printed only for
isochronous URBs. Error count is printed only for isochronous callback
events.
This means the URB status word takes one of two forms: a letter or a group of numbers. If it is a letter, it is normally the letter 's' (the setup tag), which marks a control transfer. If it is numbers, the format depends on the transfer type:
For interrupt transfers the format is: URB status:interval. Note that the status field is only meaningful for C events; for S events it carries no information.
For isochronous transfers the format is: URB status:interval:{start frame}:{error count}
The status field is a decimal number, sometimes negative, which represents
a "status" field of the URB. This field makes no sense for submissions, but
is present anyway to help scripts with parsing. When an error occurs, the
field contains the error code.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
Status field: status is the status member of struct urb, which states directly whether the USB request completed successfully. It is therefore only meaningful in the callback.
In case of a submission of a Control packet, this field contains a Setup Tag
instead of an group of numbers. It is easy to tell whether the Setup Tag is
present because it is never a number. Thus if scripts find a set of numbers
in this word, they proceed to read Data Length (except for isochronous URBs).
If they find something else, like a letter, they read the setup packet before
reading the Data Length or isochronous descriptors.
e002e200 2999116113 S Ci:1:008:0 s c0 07 0000 1134 0004 4 <
The letter 's' is the setup tag that marks a control transfer.
- Setup packet, if present, consists of 5 words: one of each for bmRequestType,
bRequest, wValue, wIndex, wLength, as specified by the USB Specification 2.0.
These words are safe to decode if Setup Tag was 's'. Otherwise, the setup
packet was present, but not captured, and the fields contain filler.
So the setup packet of a control transfer has the format:
bmRequestType (request type):bRequest (request number):wValue:wIndex (index):wLength (length of the data stage; 0 means there is no data stage)
- Number of isochronous frame descriptors and descriptors themselves.
If an Isochronous transfer event has a set of descriptors, a total number
of them in an URB is printed first, then a word per descriptor, up to a
total of 5. The word consists of 3 colon-separated decimal numbers for
status, offset, and length respectively. For submissions, initial length
is reported. For callbacks, actual length is reported.
- Data Length. For submissions, this is the requested length. For callbacks,
this is the actual length.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
edda2b80 3500273622 C Ii:1:006:1 0:1 7 = 13050147 000100
- Data tag. The usbmon may not always capture data, even if length is nonzero.
The data words are present only if this tag is '='.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
- Data words follow, in big endian hexadecimal format. Notice that they are
not machine words, but really just a byte stream split into words to make
it easier to read. Thus, the last word may contain from one to four bytes.
The length of collected data is limited and can be less than the data length
reported in the Data Length word. In the case of an Isochronous input (Zi)
completion where the received data is sparse in the buffer, the length of
the collected data can be greater than the Data Length value (because Data
Length counts only the bytes that were received whereas the Data words
contain the entire transfer buffer).
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
Examples:
An input control transfer to get a port status.
d5ea89a0 3575914555 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
d5ea89a0 3575914560 C Ci:1:001:0 0 4 = 01050000
This is the data IN transfer of the control transfer's data stage; "01050000" is the data, 4 bytes long.
An output bulk transfer to send a SCSI command 0x28 (READ_10) in a 31-byte
Bulk wrapper to a storage device at address 5:
dd65f0e8 4128379752 S Bo:1:005:2 -115 31 = 55534243 ad000000 00800000 80010a28 20000000 20000040 00000000 000000
dd65f0e8 4128379808 C Bo:1:005:2 0 31 >
// The callback shows that this bulk transfer succeeded (status 0) and that 31 bytes were actually transferred.
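As an added example (not part of the original post), the following Python parser applies the field layout described above to constructed sample lines in the usbmon text format, and filters a per-bus capture down to a single device address, as the note about device 006 versus 003 recommends. It decodes control, interrupt and bulk URBs, including the setup packet behind the 's' tag, and rejects isochronous lines, whose descriptor words it does not handle.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the usbmon text format above (control setup + callback, interrupt URBs of devices 006/003, a bulk CBW).
SAMPLE = """\
e002e200 2999116113 S Ci:1:008:0 s c0 07 0000 1134 0004 4 <
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000
edda2b80 3500394156 S Ii:1:006:1 -115:1 16 <
eea76f80 3500394226 C Ii:1:003:3 0:128 16 = a12a0000 01000800 00e1f505 00e1f505
dd65f0e8 4128379752 S Bo:1:005:2 -115 31 = 55534243 ad000000 00800000 80010a28 20000000 20000040 00000000 000000
"""

@dataclass
class UsbmonEvent:
    tag: str
    timestamp_us: int
    event: str             # 'S' submission, 'C' callback, 'E' submission error
    xfer: str              # 'C' control, 'I' interrupt, 'B' bulk ('Z' isochronous is rejected below)
    direction: str         # 'i' (in) or 'o' (out)
    bus: int
    device: int
    endpoint: int
    status: Optional[int]  # None when the word was the setup tag 's' instead of a number
    setup: Optional[dict]  # bmRequestType, bRequest, wValue, wIndex, wLength (control setup)
    length: int            # requested length (S) or actual length (C)
    data: bytes            # captured bytes; empty unless the data tag was '='

def parse_usbmon_line(line: str) -> UsbmonEvent:
    w = line.split()
    tag, ts, event, addr = w[:4]
    xfer_dir, bus, dev, ep = addr.split(":")
    if xfer_dir[0] == "Z":
        raise ValueError("isochronous descriptors are not handled by this parser")
    pos, status, setup = 4, None, None
    if w[pos] == "s":                     # setup tag: five hex words of the setup packet follow
        names = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")
        setup = dict(zip(names, (int(x, 16) for x in w[pos + 1:pos + 6])))
        pos += 6
    else:                                 # "status" or "status:interval[:frame[:errors]]"
        status = int(w[pos].split(":")[0])
        pos += 1
    length = int(w[pos])
    data = bytes.fromhex("".join(w[pos + 2:])) if w[pos + 1] == "=" else b""
    return UsbmonEvent(tag, int(ts), event, xfer_dir[0], xfer_dir[1],
                       int(bus), int(dev), int(ep), status, setup, length, data)

def events_for_device(text: str, bus: int, device: int) -> List[UsbmonEvent]:
    """The per-bus file (e.g. 1u) mixes every device on the bus; keep one device's URBs only."""
    evs = (parse_usbmon_line(l) for l in text.splitlines() if l.strip())
    return [e for e in evs if e.bus == bus and e.device == device]
```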
3. USB sniffing with tcpdump
usbmon is a facility in the kernel used to collect traces of I/O on the USB bus. usbmon collects raw text/binary data that is not easily human-readable. The idea here is to use Wireshark as a frontend to produce a human-readable representation of this data. However, Wireshark does not support raw usbmon data as is, so the data has to be captured in pcap format. tcpdump is a good candidate for capturing USB data from usbmon and writing pcap traces.
Prerequisite: you need a recent tcpdump. There are prebuilt binaries you can download and push to the board directly, or you can build it yourself; that is not covered in detail here.
Steps:
- mount -t debugfs none_debugs /sys/kernel/debug
- cat /sys/kernel/debug/usb/devices   (find the USB bus number)
- tcpdump -D
1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.any (Pseudo-device that captures on all interfaces)
6.lo
If the usbmon interfaces appear in the output as above (highlighted in red in the original), tcpdump is installed and working.
- tcpdump -i usbmon1 -w /data/usblog.pcap &
- killall tcpdump
- wireshark usblog.pcap   // Wireshark is the best tool for viewing the capture
For reference, this is what the capture looks like once opened: