On 1/20/07, Ulf Lamping <ulf.lamping@xxxxxx> wrote:
IMHO, adding a preference for this is suboptimal - one needs to know
that this is existing and which setting is required for the current file
- and if you are working with both formats (Windows usbsnoop and Linux
capture files) you'll have to change this setting all the time.
Is there a better way to detect this at runtime? Maybe a field in the
data that only makes sense in one endianess to automatically detect it?
Or change the endianess while converting to libpcap?
Hi Ulf,
agreed, it is suboptimal - but then again, the fact that usbmon swaps
the bytes from the standard order is not the greatest idea, either.
You're probably right, the simplest way is probably to accept the
current libpcap format as the de facto standard, and convert to that
format.
BTW: Could you give some more general infos?
Which usbsnoop do you use? Please with URL, there seems to be more than
one version out there.
http://benoit.papillault.free.fr/usbsnoop/index.php.en (v1.8)
How do you convert the file using text2pcap (which settings / scripts)?
um, vi :-)
I did that as a proof-of-concept, but I have a couple of script
fragments that extract various parts out of usbsnoop logfiles. Those
could easily be expanded, though.
Maybe adding the file format directly into wiretap (ok, long term goal)?
The format looks like this:
[229 ms] UsbSnoop - DispatchAny(f78e6610) : IRP_MJ_INTERNAL_DEVICE_CONTROL
[229 ms] UsbSnoop - MyDispatchInternalIOCTL(f78e7e80) : fdo=84dfebf8,
Irp=84b6aad0, IRQL=0
[229 ms] >>> URB 1 going down >>>
-- URB_FUNCTION_GET_DESCRIPTOR_FROM_DEVICE:
TransferBufferLength = 00000012
TransferBuffer = 86389e28
TransferBufferMDL = 00000000
Index = 00000000
DescriptorType = 00000001 (USB_DEVICE_DESCRIPTOR_TYPE)
LanguageId = 00000000
and there are a lot of special cases (e.g. on the "down" URBs, the
setup packet is not part of the trace, but it is included on the "up"
URB), so for now, a script would be the most flexible way to convert
to text/pcap.
Your suggestion below about having usbsnoop write directly to libpcap
format has a lot of merit, though.
Did you notice the Wiki page already existing about this topic? You
might add some notes to http://wiki.wireshark.org/CaptureSetup/USB about
your current progress.
Once I get somewhere on automating the process, I will definitely put
my notes there.
Do you see a chance to convince the usbsnoop author(s) to export
directly to libpcap format? It might be in their own interest ;-)
Last release of usbsnoop was in 2003 - any changes along those lines
might have to come from someone other than the original author. You're
right, though - it can't hurt to ask.
--
- Charles Lepple