Re: Raw USB capturing with libpcap 1.1?

[Guy Harris <guy () alum mit edu>]

On Apr 1, 2010, at 1:04 PM, Chris Maynard wrote:

> I was under the impression that libpcap allowed one to capture raw USB traffic
> (See http://wiki.wireshark.org/CaptureSetup/USB).  However, with libpcap 1.1, 
> this doesn't seem to work as I get an error from pcap_compile() with 
> pcap_geterr() returning, "USB link-layer type filtering not implemented".

What string are you passing to pcap_compile()?
>  
> Looking at the libpcap source code in gencode.c:gen_linktype(), it seem would 
> seem to me that this really is the case and that it's not supported.

        XXX link-layer type filtering not implemented

and

        capturing on XXX not implemented

are different.

You can capture raw USB traffic with libpcap 1.x on Linux.  You just can't do any filtering with expressions that test 
anything other than the raw data.

> Can anyone comment?  Was it supported at one point but support was removed?

No.  It was never supported.

> Or am I just doing something wrong?

If you're passing to pcap_compile() a string that includes any filter primitives other than the "{expr} {relop} {expr}" 
primitives mentioned in the pcap-filter man page, or where any of the "special packet data accessors" 
({proto}[{expr}:{size}]) have a {proto} other than "link", yes, you're doing something wrong - that's not supported for 
USB (or IrDA or DOCSIS or LAPD or Bluetooth or IEEE 802.15.4 or IEEE 802.16 or AX.25 or CANbus or...).-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.