USB sniffing in linux


[Robert] sent in this tutorial on how to set up USB sniffing in linux. Useful for seeing exactly what is being communicated to and from your USB devices, this ability is built into linux. [Bert], the author, shows us the steps involved and how to filter it to get the data we desire. You can specify exactly which device to capture data from. His example, shown above, is a session with an Arduino.


  1. Robert Liesenfeld says:

    Actually this is mis-attributed, it should be attributed to Bert Vermuelen, as he’s the one who actually put together the writeup!

  2. Caleb Kraft says:

    That has been fixed. thanks.

  3. Tim says:

    Ah never realised wireshark can do USB. A while ago I tried to reverse engineer the craft robo protocol using some command line scripts (I forget the name).

    I did actually manage to work out a decent amount of the protocol and I wrote a simple test program to draw a Koch curve. Then I got distracted.

  4. Greg says:

    I was trying this out and I had some issues. At the cat /sys/kernel/debug/usbmon/lu I get a “cat: lu: No such file or directory” so I went and check and the file is indeed there, I even moved to that folder and did a cat lu and same deal. Im not an advanced linux user so any help with this would be appreciated

  5. cde says:

    @ Greg, first, do a ls -halF in that directory, and tell us the permissions for the file.

    Then, do you have a usb device plugged in?

  6. Greg says:

    ah i figured it out i thought 1u (one u) was lu (L u) stupid mistake on my part. Thanks for the help though

  7. dan says:

    usb sniffing? is this like kitty huffing?

  8. Ynynymys says:

    another useful command line tool is lsusb. that came in handy while getting my touchscreen working on my eeepc

  9. lowkey says:

    Thanks for this – been looking for a how-to to sniff USB in order to get my Windows-driver-only USB scrolling LED marquee device working under Linux.

  10. joe57005 says:

    I can’t see how this can be useful to do on linux, don’t get me wrong, i love linux, but the only use i can see for this is reverse engineering proprietary usb devices/protocols, and most if not all proprietary devices run solely on windows. the device needs to be running like normal to understand how it communicates, and for that it requires winblows.

  11. thought says:

    I’m thinking the same thing as joe57005. It would be very useful if there was a way to get the device to run normally…issue a command w/proprietary app and watch the packets sent/received to/from the device. of course, you’d still need windows to run the proprietary app in most cases.

    The only other thing I can think of where this would be useful is if you are designing a USB device yourself. It could be extremely valuable as a debug tool during the software development phase.

  12. Doktor Jeep says:

    Hmph – no wireshark for suse linux. but the command lines work. very nice.

    wish i knew what i was looking at :-(

  13. andrei says:

    wouldn’t that work to sniff usb traffic between a connected device and a virtual box running windows ?

  14. blah says:

    are these only compatible with injection…or worth it without it.

  15. iblis says:

    Hmm, this might be handy for hacking out a way to communicate with my phone in Linux. It’s Motorola, but moto4lin, bitpim, and p2k all fail to talk to it.

    While Windows might be required for the initial reverse engineering, there’s always VMWare. :D

  16. Michael Lush says:

    Bit of necroposting here but I’ve been doing some work on sniffing USB with usbmon and came across this post.

    I was able to get usbmon working fine on my lappy with debian 6.0 but this failed
    when I moved it to my Raspberry Pi.

    Turned out that I was better off using the linux evtest to monitor /dev/input/event*
    there are also perl (Linux::Input) and python versions of it.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 96,764 other followers