On Jun 3, 2009, at 2:25 AM, Jean-Louis wrote:
> For USB packets the first 40 bytes are cut off by packets data because
> they are used as a pseudo-header. This means that the first 40 bytes of
> packets aren't fetched from the protocol tree.

Are you capturing with tcpdump or with Wireshark, TShark, or dumpcap?
If you're capturing with tcpdump, first make sure you specify the "-s"
flag with an argument of 0 (i.e., "tcpdump -s 0 -i {USB device} -w
{file name}"), so that tcpdump tells libpcap to capture the entire
packet.

If you're capturing with Wireshark, TShark, or dumpcap, make sure you
don't specify a "-s" flag and, in Wireshark, don't specify a "Limit
each packet to {N} bytes" option in the Capture Options dialog.
Wireshark, TShark, and dumpcap default to telling libpcap to capture
the entire packet.

If libpcap has been told to capture the entire packet, and if it's
using the binary interface for capturing USB packets, it will capture
all the packet data *and* supply a pseudo-header. If it's using the
text interface, that can't supply all the packet data - but that has
nothing to do with the pseudo-header; the limit is on the amount of
packet data provided by the USB monitoring code, and the USB pseudo-
header just gets added to the packet at the beginning, along with all
the packet data that the USB monitoring code makes available.

So, no, the first 40 bytes aren't being cut off by the pseudo-header
in libpcap.

There are some bugs in libpcap 1.0.0, and in older versions of
Wireshark 1.0.x, for capturing and displaying USB packets. Make sure
your Wireshark is 1.0.8 or later, and that it's using the current top-
of-Git-tree version of libpcap. Otherwise, we can't guarantee that
it'll work.
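
One way to check a saved capture for the snapshot-length truncation discussed above, as an added example that is not part of the original message: it reads a classic pcap file's global header and flags every record whose captured length is shorter than its original length. The function names `find_truncated` and `build_sample` are hypothetical, and the sample capture is constructed inline with zero-filled records.

```python
import struct

LINKTYPE_USB_LINUX = 189  # libpcap link type for Linux USB captures

def find_truncated(pcap_bytes):
    """Return (snaplen, linktype, [(index, caplen, origlen), ...]) for a classic pcap file."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    # Global header after the magic: version major/minor, thiszone, sigfigs,
    # snaplen, linktype.
    _, _, _, _, snaplen, linktype = struct.unpack_from(endian + "HHiIII", pcap_bytes, 4)
    truncated, offset, index = [], 24, 0
    while offset + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, original length.
        # Both lengths include the USB pseudo-header at the start of the record.
        _, _, caplen, origlen = struct.unpack_from(endian + "IIII", pcap_bytes, offset)
        if caplen < origlen:
            truncated.append((index, caplen, origlen))
        offset += 16 + caplen
        index += 1
    return snaplen, linktype, truncated

def build_sample(snaplen, original_lengths):
    """Constructed sample: a little-endian pcap whose records are zero-filled."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_USB_LINUX)
    for i, origlen in enumerate(original_lengths):
        caplen = min(origlen, snaplen)  # what a capture with this snaplen would keep
        out += struct.pack("<IIII", i, 0, caplen, origlen) + bytes(caplen)
    return out

if __name__ == "__main__":
    # Same three constructed packets captured with a small and a large snaplen.
    for snaplen in (64, 65535):
        capture = build_sample(snaplen, [64, 112, 560])
        print(snaplen, find_truncated(capture))
```

An empty list means every record was captured in full; any entry means the capture was taken with a snapshot length shorter than that packet.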