2

I have a USB instrument, and I want to capture packets on it. I ran .\tshark.exe -D and the USB interface is number 6. Then I ran the command .\tshark.exe -c 100 -i 6, and it seemed to capture the USB traffic from my device.

Then it occurred to me that when this device is running there may be multiple USB devices hooked up to the system, and just specifying might not be enough. I know the Device ID (0x0009) and Vendor ID (0x08f7); how can I specify the exact device I want to capture via tshark?

I am running tshark in the Windows 8 command line.

3
  • The capture filter expression may be something like usb.device_address == # perhaps and you just have to specify the device address for that value. Commented Jul 8, 2016 at 1:18
  • 1
    how would I get the usb device address?
    – j0h
    Commented Jul 8, 2016 at 1:23
  • About getting the USB device address, I found osqa-ask.wireshark.org/questions/53919/… - "Simply put, there is no capture filter available for usb capturing, except the root hub (or "bus") number" ; "During USB enumeration phase, each USB device detected is assigned an ID like m.n, where m is the root hub number and n is the order number of the device to be identified. If you unplug a device and plug it again to the same physical port, it will keep the m but get a new n." ; "So your only chance is to use a display filter"
    – sdbbs
    Commented Sep 1, 2022 at 10:06

1 Answer 1

3

How do I capture device-specific USB packets with tshark?

I know the Device ID (0x0009) and Vendor ID (0x08f7); how can I specify the exact device I want to capture via tshark?

You might want to have a look at the tshark(1) - Linux man page and the tshark - Wireshark man page and the -f and -i switch options.

Additionally have a look at the Wireshark Capture Filters and the Wireshark USB Display Filter Reference which you may find useful in building applicable commands to filter and suit your needs.

You may be able to use a capture filter expression such as usb.device_address == # or usb.addr == # with the -f switch to tell the sniffer to only capture packets from a particular USB device.

tshark - Wireshark man page

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).

-f <capture filter>

Set the capture filter expression.

This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

source


tshark(1) - Linux man page

-i <capture interface>|-

Set the name of the network interface or pipe to use for live packet capture.

Network interface names should match one of the names listed in "tshark -D" (described above); a number, as reported by "tshark -D", can also be used. If you're using UNIX, "netstat -i" or "ifconfig -a" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.

If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, TShark reports an error and doesn't start the capture.

Pipe names should be either the name of a FIFO (named pipe) or "-" to read data from the standard input. Data read from pipes must be in standard libpcap format.

Note: the Win32 version of TShark doesn't support capturing from pipes!

source

2
  • This is a Windows 8.1 operation, but I'll look at the man page if you think it will help
    – j0h
    Commented Jul 8, 2016 at 1:07
  • 1
    @j0h The command switches and options should work the same from the command line as the Linux man page. I also included the Wireshark tshark man page too. I think you just need to build your commands with the appropriate expression for the filter capturing of the USB device(s) you wish to capture. Otherwise the -i switch is supposed to be interface specific and the other links may be helpful in proper syntax to make it do that (one or the other; filter or -i switch). You might want to tag your question as Windows or Windows 8.1. Commented Jul 8, 2016 at 1:09
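Since, as the comments note, USB capture only lets you pick the root hub via -i, the practical route from a known Vendor/Product ID to a filter is to find the m.n bus/address pair the device was assigned during enumeration and use that in a display filter. The script below does that, as an added example that is not code from this thread or from Wireshark; it assumes tshark is on PATH, the capture includes the device's enumeration, and Wireshark's usb.bus_id, usb.device_address, usb.idVendor and usb.idProduct field names.

```python
"""Derive a display filter for one USB device from tshark field output.
Added example, not code from Wireshark or the answer above; it assumes the
Wireshark USB dissector field names listed in FIELDS and tshark on PATH."""
import subprocess
import sys

FIELDS = ["usb.bus_id", "usb.device_address", "usb.idVendor", "usb.idProduct"]

def _to_int(text):
    """tshark -T fields prints hex-based fields as 0x08f7; accept decimal too."""
    return int(text, 16) if text.lower().startswith("0x") else int(text)

def find_device(field_lines, vendor_id, product_id):
    """Return (bus_id, device_address) of the device whose device descriptor
    carries vendor_id/product_id, or None.  Each line is one packet of the
    tab-separated `tshark -T fields` output; the descriptor is first read at
    the default address 0 (before SET_ADDRESS), so that match is a fallback."""
    fallback = None
    for line in field_lines:
        parts = line.split("\t")
        if len(parts) != 4 or not parts[2] or not parts[3]:
            continue  # no device descriptor in this packet
        if _to_int(parts[2]) == vendor_id and _to_int(parts[3]) == product_id:
            bus, addr = int(parts[0]), int(parts[1])
            if addr != 0:
                return bus, addr
            fallback = (bus, addr)
    return fallback

def display_filter(bus_id, device_address):
    """Display filter (-Y) for one enumerated device; there is no per-device
    capture filter (-f) for USB, only the per-root-hub interface chosen by -i."""
    return f"usb.bus_id == {bus_id} && usb.device_address == {device_address}"

# Constructed sample of the tab-separated field output; not a real capture.
SAMPLE_LINES = [
    "2\t0\t\t",               # control transfer at default address 0
    "2\t0\t0x08f7\t0x0009",   # first descriptor read, still at address 0
    "2\t3\t\t",               # traffic after SET_ADDRESS assigned address 3
    "2\t3\t0x08f7\t0x0009",   # full descriptor read at the assigned address
    "2\t5\t0x1234\t0x5678",   # some other device (made-up IDs)
]

if __name__ == "__main__":  # usage: python usbfilter.py enum.pcapng 0x08f7 0x0009
    cmd = ["tshark", "-r", sys.argv[1], "-T", "fields"] + [a for f in FIELDS for a in ("-e", f)]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    hit = find_device(out.splitlines(), int(sys.argv[2], 16), int(sys.argv[3], 16))
    print(display_filter(*hit) if hit else "device descriptor not seen in capture")
```

The printed filter can then be passed to a live capture on the same root hub, e.g. tshark -i 6 -Y "usb.bus_id == 2 && usb.device_address == 3"; the address changes if the device is re-plugged, so re-run the script after each enumeration.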
