Sniffing USB port on Linux

The linux kernel has a facility called “usbmon” which can be used to sniff the USB bus.
So the output is really easy to collect, even from the command line shell or using libpcap parser like tcpdump or wireshark.
Let’s see how we can do that:
Simply mount debugfs and load the usbmon module, if usbmon is built into the kernel.
$ sudo mount -t debugfs none_debugs /sys/kernel/debug
$ sudo modprobe usbmon
Verify that bus sockets are present.
$ sudo ls /sys/kernel/debug/usbmon
0s 0u 1s 1t 1u 2s 2t 2u 3s 3t 3u 4s 4t 4u

Now you can choose to either use the socket ‘0u’ (to capture packets on all buses),
or find the bus used by your device, so run
$ sudo cat /proc/bus/usb/devices
or may be
$ sudo lsusb
and find the T-line which corresponds to the device.
If my device is connected to the forth bus
Start ‘cat’ like this
$ sudo cat /sys/kernel/debug/usbmon/4u
With wireshark it’s more verbose so run, wireshark and select usbmon4 usb bus 4.

Happy sniffing,

Sniffing USB port on Linux

3 thoughts on “Sniffing USB port on Linux

  1. […] Flashing Red Light in Cradle : alexking.orgLindy USB Port Blocker: How It Prevents USB Data LeaksSniffing USB port on Linux var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-17226134-1']); _gaq.push(['_trackPageview']); […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s