Wireshark-dev: Re: [Wireshark-dev] What are the advantages given by the pseudo-header for usb p

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 3 Jun 2009 12:21:47 -0700

On Jun 3, 2009, at 2:25 AM, Jean-Louis wrote:

For usb packets the first 40 byte are cut off by packets data because
are used how pseudo-header. This means that the first 40 bytes of
packets isn't fetched from protocol tree.

Are you capturing with tcpdump or with Wireshark, TShark, or dumpcap?

If you're capturing with tcpdump, first make sure you specify the "-s" flag with an argument of 0 (i.e., "tcpdump -s 0 -i {USB device} -w {file name}"), so that tcpdump tells libpcap to capture the entire packet.

If you're capturing with Wireshark, TShark, or dumpcap, make sure you don't specify a "-s" flag and, in Wireshark, don't specify a "Limit each packet to {N} bytes" option in the Capture Options dialog. Wireshark, TShark, and dumpcap default to telling libpcap to capture the entire packet.

If libpcap has been told to capture the entire packet, and if it's using the binary interface for capturing USB packets, it will capture all the packet data *and* supply a pseudo-header. If it's using the text interface, that can't supply all the packet data - but that has nothing to do with the pseudo-header; the limit is on the amount of packet data provided by the USB monitoring code, and the USB pseudo- header just gets added to the packet at the beginning, along with all the packet data that the USB monitoring code makes available.

So, no, the first 40 bytes aren't being cut off by the pseudo-header in libpcap.

There are some bugs in libpcap 1.0.0, and in older versions of Wireshark 1.0.x, for capturing and displaying USB packets. Make sure your Wireshark is 1.0.8 or later, and that it's using the current top- of-Git-tree version of libpcap. Otherwise, we can't guarantee that it'll work.