USB Sniffing with tcpdump

From OMAPpedia

Revision as of 10:59, 25 May 2013 by Loic-Poulain (Talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

"usbmon" is a facility in kernel which is used to collect traces of I/O on the USB bus. usbmon collects raw text/binary which are not easily human-readable. Here, the idea is to use Wireshark as frontend to produces a human-readable representation of these data. However Wireshark does not support usbmon raw data as is, so we have to parse these data in the pcap format. tcpdump is a good candidate to capture USB data from usbmon and generate pcap traces.


[edit] Building tcpdump

To capture USB, it is necessary to have a recent version of tcpdump/libpcap. You can use the scripted or manual method to build tcpdump or directly get a pre-compiled binary. Android NDK is required for both scripted and manual building (available from

[edit] Pre-compiled binaries

[edit] Using the build-tcpdump script

The build-tcpdump is a download & build script for Linux systems. Download File:Build-tcpdump.tar.gz

$ export NDK=/path/to/ndk
$ sh build-tcpdump

If script succeeded, tcpdump binary is built and ready to use on Android ARM platform.

[edit] Building manually from source

This method is adapted for tcpdump 4.3.0 with android-ndk-r8 and may require some adaptations in other cases.

[edit] Prepare toolchain

$ mkdir tcpdump
$ mkdir tcpdump/toolchain
$ android-ndk-r8/build/tools/ --platform=android-8 --install-dir=tcpdump/toolchain
$ export PATH=`pwd`/tcpdump/toolchain/bin:$PATH
$ export CC=arm-linux-androideabi-gcc
$ export RANLIB=arm-linux-androideabi-ranlib
$ export AR=arm-linux-androideabi-ar
$ export LD=arm-linux-androideabi-ld

[edit] Get source

Get the latest source for libpcap and tcpdump from

$ wget
$ wget
$ tar -zxvf tcpdump-4.3.0.tar.gz
$ tar -zxvf libpcap-1.3.0.tar.gz

[edit] Build libpcap

$ cd libpcap-1.3.0
$ chmod +x configure
$ ./configure --host=arm-linux --with-pcap=linux ac_cv_linux_vers=2
$ make
$ cd ..

[edit] Build tcpdump

$ cd tcpdump-4.3.0
$ chmod +x configure
$ ./configure --host=arm-linux --with-pcap=linux --with-crypto=no ac_cv_linux_vers=2

Before compiling, you have to patch print-isakmp.c (setprotoent() and endprotoent() not "supported" on android).

$ sed -i".bak" "s/setprotoent/\/\/setprotoent/g" print-isakmp.c
$ sed -i".bak" "s/endprotoent/\/\/endprotoent/g" print-isakmp.c
$ make CFLAGS=-DNBBY=8

tcpdump binary is built and ready to use on Android ARM platform.

[edit] USB sniffing

Upload tcpdump on the Android target (adb push).

[edit] List Interfaces

$ tcpdump -D
2.usbmon1 (USB bus number 1)
3.any (Pseudo-device that captures on all interfaces)

[edit] USB capturing

Choose usbmonX to listen USB bus X and parse its USB traffic in a pcap file.

$ tcpdump -i usbmon1 -w /data/usblog.pcap &

To stop sniffing, kill tcpdump.

$ killall tcpdump

[edit] Wireshark

Retrieve pcap file from the target (adb pull) and open this file with Wireshark.

$ wireshark usblog.pcap

[edit] Example

USB traffic below was captured with tcpdump on OMAP5 platform on wich a USB mouse was plugged.


[edit] Appendices

[edit] Files

[edit] External Links

Loic-Poulain 14:16, 25 September 2012 (UTC)

Personal tools