Wireshark mailing list archives

Re: How to re-assemble contents of a USB upload?

From: Svenn Are Bjerkem <svenn.bjerkem () googlemail com>
Date: Tue, 28 Jun 2011 23:14:55 +0200

On 28 June 2011 22:33, Chris Maynard <Chris.Maynard () gtech com> wrote:

tshark -r yourusbcapturefile.pcap -R "usb.transfer_type == 3 &&
usb.endpoint_number.direction == 0 && usb.device_address == 0x40" -T fields -e
usb.capdata


$> tshark -v
TShark 1.4.6

I got an error message that usb.endpoint_number.direction == 0 is not
supported, but based on your suggested use of tshark, and looking at
the capture file in wireshark and usb fields available in the filter
expression dialog, I came up with:

tshark -r capfile -R "usb.transfer_type == 2 && usb.data_len == 512"
-T fields -e usb.capdata

and got the firmware. The filter is now possibly a bit more sloppy,
but I have only the firmware upload in my capture file so other data
with length 512 is not present. Anyway, now I can go on and learn more
about filtering

Thanks a lot, and cheers
-- 
Svenn
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

How to re-assemble contents of a USB upload? Svenn Are Bjerkem (Jun 19)
- Re: How to re-assemble contents of a USB upload? Chris Maynard (Jun 28)
  - Re: How to re-assemble contents of a USB upload? Svenn Are Bjerkem (Jun 28)
    - Re: How to re-assemble contents of a USB upload? Svenn Are Bjerkem (Jun 28)
    - Re: How to re-assemble contents of a USB upload? Chris Maynard (Jun 28)