Wireshark-users: Re: [Wireshark-users] USB filters and format ?

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 7 Apr 2010 15:50:05 -0700
On Apr 7, 2010, at 3:18 PM, Smilen Dimitrov wrote:

> Hi all,
> 
> I want to use wireshark (or tshark) to inspect USB traffic; and after 
> some problems with libpcap, I think I am getting USB data correctly now.
> 
> Where I am confused is how to make input filters; I have seen:
> 
> Wireshark · Display Filter Reference: USB -
> http://www.wireshark.org/docs/dfref/u/usb.html
> 
> And those work. However, if I want to filter by frame number, I have to 
> use frame.number, which is in a different "class":

Yes, just as, for example, if you want to filter by IPv4 address, you'd use ip.src, ip.dst, or ip.addr, whereas if you want to filter by TCP port number, you'd use tcp.srcport, tcp.dstport, or tcp.port, which are in a different "class" from the ip.* field names.

> Now, in Wireshark GUI there are columns: "No.", "Time", "Source", 
> "Destination", "Protocol" and "Info" ... For all others but "No." (which 
> is, apparently, frame.number),

Yes, it is the frame number - for *all* protocols.

> I have no idea what the corresponding filters are for a USB packet!

"Time" is the time stamp, which is "frame.time" or, if you want the time as "seconds since January 1, 1970, 00:00:00 UTC", "frame.epoch_time", at least in newer versions of Wireshark.  That's the case for *all* protocols.

> For example, "Source" for network traffic would be ip.src; but for usb, 
> neither usb.src.endpoint nor usb.dst.endpoint show anything. And I am in 
> particular interested in filtering by source and destination...

Unfortunately, there are no fields corresponding directly to source and destination.  There are fields "usb.endpoint_number", "usb.device_address", and "usb.bus_id".

For packets with an event type ("usb.urb_type") of "URB_SUBMIT ('S')", there is no source address, and the destination address is made from the device address and endpoint number; for all other packets, there is no destination address, and the source address is made from the device address and endpoint number.  There are also source and destination *port* columns that you can display; for URB_SUBMIT packets, there is no source port and the destination port is the endpoint number, and, for all other packets, there is no destination port and the source port is the endpoint number.  (No, I don't know why the address includes the endpoint, if the endpoint is also treated as a port.)

> If I click over one of those columns in Wireshark, and do, say, "Copy - 
> As Filter", I get:
> "Could not acquire information to build a filter!
> Try expanding or choosing another item."
> 
> The only one that works, is in fact "No." (with frame.number) column - 
> all others fail as above. It seems as if those fields are not even 
> defined for USB - but then, how can Wireshark render information for 
> those columns (and it does so fine?)

For the "Source" and "Destination" columns, see above.

For the "Time" column, see above - and note that if it doesn't work for USB, it won't work for *anything*; that field, and the way it's processed, is not USB-specific.

For the "Protocol" and "Info" columns, there are no corresponding fields for *any* protocol.

> I can also do Statistics/Conversations in Wireshark, and it does seem to 
> sort USB traffic by conversation - but if I again right-click on a 
> conversation and choose "Prepare a filter - Selected - A->B", then I get 
> a statement like:
> 
> "usb.sa==2.2 && usb.da==host"
> 
> which is strange, as usb.sa and usb.da do not exist in 
> http://www.wireshark.org/docs/dfref/u/usb.html ??? And indeed, trying to 
> apply that filter results with:
> 
> "Neither 'usb.sa' nor '2.2' are field or protocol names.
> The following display filter isn't a valid display filter:
> usb.sa==2.2 && usb.da==host
> See the help for a description of the display filter syntax."

If so, that's a bug.

> So, what sort of a filter sentence and fields could I use, to (say) 
> limit packet display to those with Source=2.2 and Destination=host?

	usb.device_address == 2 and usb.endpoint_number == 2
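An added example (not part of the thread, and not Wireshark's own code) that encodes the rules given in the reply above: how the "Source"/"Destination" columns are derived from usb.urb_type, usb.device_address and usb.endpoint_number, and how a "Source=2.2 and Destination=host" request maps onto the two real fields instead of the non-existent usb.sa/usb.da. The function and variable names are the example's own.

```python
# Added example: reconstructs Wireshark's USB "Source"/"Destination" columns
# from the fields named in the reply, and builds a display filter from an
# address pair using only fields that actually exist.
from typing import Optional, Tuple

# Real field names from the reply; "usb.sa" / "usb.da" are not fields.
DEVICE_ADDRESS = "usb.device_address"
ENDPOINT_NUMBER = "usb.endpoint_number"
URB_SUBMIT = "S"  # usb.urb_type value for URB_SUBMIT ('S')


def usb_columns(urb_type: str, device_address: int, endpoint_number: int
                ) -> Tuple[Optional[str], Optional[str], Optional[int], Optional[int]]:
    """Return (source, destination, src_port, dst_port) as the reply describes.

    URB_SUBMIT: no source; destination is "<device>.<endpoint>", dst port = endpoint.
    Any other type: no destination; source is "<device>.<endpoint>", src port = endpoint.
    """
    addr = f"{device_address}.{endpoint_number}"
    if urb_type == URB_SUBMIT:
        return None, addr, None, endpoint_number
    return addr, None, endpoint_number, None


def parse_address(addr: str) -> Optional[Tuple[int, int]]:
    """'2.2' -> (device 2, endpoint 2); 'host' -> None (the side with no field)."""
    if addr == "host":
        return None
    dev, ep = addr.split(".")
    return int(dev), int(ep)


def address_filter(source: str, destination: str) -> str:
    """Build the working equivalent of the broken 'usb.sa==2.2 && usb.da==host'.

    Exactly one side of a USB packet carries a device.endpoint address; the
    other side is the host, which has no field to match, so only the device
    side contributes clauses. This reproduces the filter at the end of the reply.
    """
    sides = [parse_address(source), parse_address(destination)]
    device_sides = [s for s in sides if s is not None]
    if len(device_sides) != 1:
        raise ValueError("one side must be 'host' and the other 'device.endpoint'")
    dev, ep = device_sides[0]
    return f"{DEVICE_ADDRESS} == {dev} and {ENDPOINT_NUMBER} == {ep}"
```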