Wireshark-dev: [Wireshark-dev] usb decoding

From: Gordon McNutt <gmcnutt@xxxxxxxxxxxxxxx>
Date: Wed, 09 Jul 2008 16:55:39 -0600
Hello all,

I'm interested in translating USB capture files from Total Phase Beagle
USB analyzers into something wireshark will display. The Beagle comes
with a GUI for displaying traffic, but wireshark would be cool because
it could dissect what's going on inside the usb traffic (eg, SCSI, PPP,
etc).

My initial plan is just to write a translater for .bgl to .pcap, but I
need to figure out which dissector to target when I'm writing packet
entries in .pcap. Maybe later I can write a capture plugin so Wireshark
can drive the beagle directly.

It looks like my current choice of dissectors are USB Raw (dlt 186) or
USB with Linux encapsulation (dlt 189).

The linux encapsulation appears to be the one with the best existing
support, as the usb raw displays don't show a heck of a lot other than
the data, and my poking around on the web suggests that dlt 189 was an
early version.

The linux encapsulation displays are better, but they are definitely
oriented around displaying what is happening in the usb driver stack
(what with the request/response stuff) as opposed to what a bus analyzer
shows, which is more like the straightforward traffic that wireshark's
ethernet displays show (timestamp:data).

Ideally what I want is to show plain old usb traffic just like ethernet,
either with literal packet display (eg, an IN packet on one line, then a
DATA0 packet with a payload on the next, then an ACK or NAK packet on
the next) or maybe with transaction display (With IN/DATA0/ACK all on
the same line).

So, I finally get around to my questions:

1. Is dlt 189 a development dead end?

2. Was dlt 189 also oriented around submit/response, or was it more
suitable to what I'd like to do?

3. Should I just reserve a new dlt number and make a new dissector?

Regards,
--Gordon