wireshark/libpcap does not support sniffing USB streams
Bug #355613 reported by
Neil Wilson
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libpcap0.8 (Ubuntu) |
Invalid
|
Undecided
|
Unassigned |
Bug Description
The wireshark/tcpdump installed on Jaunty doesn't appear to support sniffing USB buses via the usbmon module.
libpcap0.8:
Installed: 1.0.0-1
Candidate: 1.0.0-1
Version table:
*** 1.0.0-1 0
500 http://
100 /var/lib/
wireshark:
Installed: 1.0.6-1ubuntu1
Candidate: 1.0.6-1ubuntu1
Version table:
*** 1.0.6-1ubuntu1 0
500 http://
100 /var/lib/
tcpdump:
Installed: 3.9.8-4ubuntu2
Candidate: 3.9.8-4ubuntu2
Version table:
*** 3.9.8-4ubuntu2 0
500 http://
100 /var/lib/
Actually it looks like it is an enumeration problem stopping wireshark getting the interfaces.
tcpdump -D shows:
root@neil- laptop: /var/log# tcpdump -D
1.eth0
2.wmaster0
3.wlan0
4.any (Pseudo-device that captures on all interfaces)
5.lo
tcpdump -i usb3 shows:
root@neil- laptop: /var/log# tcpdump -i usb3 debug/usbmon/ 3t: Permission denied
tcpdump: Can't open USB bus file /sys/kernel/
with kern.log showing:
Apr 5 13:47:30 neil-laptop kernel: [ 3407.917155] type=1503 audit(123893565 0.458:20) : operation= "inode_ permission" requested_ mask="r: :" denied_mask="r::" fsuid=0 name="/dev/usbmon3" pid=5687 profile= "/usr/sbin/ tcpdump" 0.458:21) : operation= "inode_ permission" requested_ mask="r: :" denied_mask="r::" fsuid=0 name="/ sys/kernel/ debug/usbmon/ 3t" pid=5687 profile= "/usr/sbin/ tcpdump"
Apr 5 13:47:30 neil-laptop kernel: [ 3407.917194] type=1503 audit(123893565
So it looks like the facility is there - just not exposed in the user interface, nor allowed by the audit module.