wireshark/libpcap does not support sniffing USB streams

Bug #355613 reported by Neil Wilson
This bug affects 3 people
Affects: libpcap0.8 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

The wireshark/tcpdump installed on Jaunty doesn't appear to support sniffing USB buses via the usbmon module.

libpcap0.8:
  Installed: 1.0.0-1
  Candidate: 1.0.0-1
  Version table:
 *** 1.0.0-1 0
        500 http://gb.archive.ubuntu.com jaunty/main Packages
        100 /var/lib/dpkg/status

wireshark:
  Installed: 1.0.6-1ubuntu1
  Candidate: 1.0.6-1ubuntu1
  Version table:
 *** 1.0.6-1ubuntu1 0
        500 http://gb.archive.ubuntu.com jaunty/universe Packages
        100 /var/lib/dpkg/status

tcpdump:
  Installed: 3.9.8-4ubuntu2
  Candidate: 3.9.8-4ubuntu2
  Version table:
 *** 3.9.8-4ubuntu2 0
        500 http://gb.archive.ubuntu.com jaunty/main Packages
        100 /var/lib/dpkg/status

Tags: wishlist
Neil Wilson (neil-aldur)
tags: added: wishlist
Neil Wilson (neil-aldur) wrote :

Actually it looks like it is an enumeration problem stopping wireshark getting the interfaces.

tcpdump -D shows:

root@neil-laptop:/var/log# tcpdump -D
1.eth0
2.wmaster0
3.wlan0
4.any (Pseudo-device that captures on all interfaces)
5.lo

tcpdump -i usb3 shows:

root@neil-laptop:/var/log# tcpdump -i usb3
tcpdump: Can't open USB bus file /sys/kernel/debug/usbmon/3t: Permission denied

with kern.log showing:

Apr 5 13:47:30 neil-laptop kernel: [ 3407.917155] type=1503 audit(1238935650.458:20): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/dev/usbmon3" pid=5687 profile="/usr/sbin/tcpdump"
Apr 5 13:47:30 neil-laptop kernel: [ 3407.917194] type=1503 audit(1238935650.458:21): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=0 name="/sys/kernel/debug/usbmon/3t" pid=5687 profile="/usr/sbin/tcpdump"

So it looks like the facility is there - just not exposed in the user interface, nor allowed by the audit module.

Neil Wilson (neil-aldur)
description: updated
Daniel Brodie (dbrodie) wrote :

The problem is AppArmor; just change it to complain:
# aa-complain /usr/sbin/tcpdump
(WARNING! This will disable apparmor for tcpdump, to reenable use:
# aa-enforce /usr/sbin/tcpdump)

Also, you have to run tcpdump so that it will dump the output to a file using the -w command:
# tcpdump -i usb1 -w output

Now you can open output in wireshark and everything will work fine...

Should a bug be opened to change the default apparmor rule?
Also, shouldn't wireshark have a GUI for capturing from usb in the interfaces dialog?
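
An added example, not part of any comment in this thread and not Ubuntu's or AppArmor's own tooling: the Python below parses the two kern.log denial lines quoted earlier and lists, per profile, the denied paths and permissions in AppArmor file-rule form (path, permissions, trailing comma). The function names and the reading of denied_mask as permission letters separated by colons are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: the two denial lines quoted from kern.log in the report above.
SAMPLE_LOG = (
    'Apr 5 13:47:30 neil-laptop kernel: [ 3407.917155] type=1503 '
    'audit(1238935650.458:20): operation="inode_permission" requested_mask="r::" '
    'denied_mask="r::" fsuid=0 name="/dev/usbmon3" pid=5687 profile="/usr/sbin/tcpdump"\n'
    'Apr 5 13:47:30 neil-laptop kernel: [ 3407.917194] type=1503 '
    'audit(1238935650.458:21): operation="inode_permission" requested_mask="r::" '
    'denied_mask="r::" fsuid=0 name="/sys/kernel/debug/usbmon/3t" pid=5687 '
    'profile="/usr/sbin/tcpdump"\n'
)

# key="quoted value" or key=bare_value
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REQUIRED = {"denied_mask", "name", "profile"}


def parse_denial(line):
    """Return the key=value fields of an audit denial line, or None for other lines."""
    if "audit(" not in line:
        return None
    fields = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    return fields if REQUIRED.issubset(fields) else None


def candidate_rules(log_text):
    """Map each profile to sorted 'path perms,' rules covering the logged denials."""
    perms = defaultdict(set)  # (profile, path) -> denied permission letters
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        # Assumption: the mask is permission letters with ':' separators ("r::").
        letters = set(fields["denied_mask"].replace(":", ""))
        perms[(fields["profile"], fields["name"])] |= letters
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        rules[profile].append(f"{path} {''.join(sorted(letters))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in candidate_rules(SAMPLE_LOG).items():
        print(f"profile {profile}:")
        for rule in lines:
            print(f"  {rule}")
```

The output is a list of candidates to review before anything goes into a profile, not a finished policy.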

Dan Lenski (lenski) wrote :

I don't think this problem is just with Jaunty. I'm having the same problem with Intrepid (found this while Googling for it).

Also, neither tcpdump nor wireshark will actually log the *contents* of the USB packets (aka URBs), merely things like the length and type of packet. Is this a problem with AppArmor, or with libpcap?

Evan Huus (eapache) wrote :

Capturing on USB buses works in Karmic (9.10), and there's no way this will be accepted as a stable release update for Jaunty.

Changed in libpcap0.8 (Ubuntu):
status: New → Invalid