[chirp_devel] Portmon doc for 64bit windows?

Eric Shattow
Fri Apr 29 19:37:57 PDT 2016


I've written a crude Wireshark dissector in Lua that strings together
data across URB_BULK requests.

From Linux (Debian Stretch/testing):

Get the dissector script usb232.lua at: http://paste.debian.net/447366/

$ mkdir $HOME/.config/wireshark/plugins

Save the usb232.lua plugin in your Wireshark plugins directory (above).

$ lsusb | grep -i serial
Bus 008 Device 004: ID 050d:0103 Belkin Components F5U103 Serial Adapter [etek]

Make certain no other USB devices are on the same Bus number. This
usually means plugging your USB serial adapter into its own port i.e.
not after a hub.

$ lsusb | grep "Bus 008"
Bus 008 Device 004: ID 050d:0103 Belkin Components F5U103 Serial Adapter [etek]
Bus 008 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

This is fine because the root hub itself doesn't likely send any
URB_BULK messages which would confuse the Wireshark dissector script.

$ sudo modprobe usbmon

Run tcpdump as root for access to /dev/usbmon8 (as in Bus 008 above)

$ sudo tcpdump -i usbmon8 -w output.pcap

Break (ctrl-c) when done to quit tcpdump and finalize the capture file.

Change owner of output file to your user account

$ sudo chown $USER. output.pcap

Run Wireshark and open the capture file.

$ wireshark output.pcap

Apply a display filter 'usb232'.

File|Export Packet Dissections|As Plain Text... "export.txt" with options:
All packets, Displayed, No Summary line, No Details, Yes Bytes.

The output is cluttered with the USB protocol Frames which we don't
care about. I'm not sure yet how to do this better from Wireshark but
we can simply post-process to clean this up.

Remove the packet Field data leaving only RS232 bytes:
$ sed -i -e '/Frame/,/RS232/{//!d}' -e '/Frame/d' export.txt

See example output (AT3318UV-E radio 168kb) at:
http://paste.ubuntu.com/16138458/

Eric
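The stringing-together of URB_BULK payloads that the usb232.lua dissector does can also be done straight from the usbmon pcap, which skips the Wireshark export and the sed clean-up. The script below is an added example, not Eric's usb232.lua and not part of the original mail. It assumes the usbmon record layouts documented in the Linux kernel (the 48-byte LINKTYPE_USB_LINUX header and the 64-byte LINKTYPE_USB_LINUX_MMAPPED header that tcpdump writes for usbmonN interfaces), and it goes slightly beyond the mail by keying streams on (bus, device address, direction), so other devices sharing the bus no longer corrupt the output. The capture it builds when run without a file argument is constructed to mirror the Bus 008 / Device 004 adapter from the lsusb output above; it is not a real trace.

```python
"""Reassemble the RS232 byte stream from a Linux usbmon pcap by joining URB_BULK
payloads per (bus, device, direction). Added example; assumes the usbmon record
layout from the kernel's Documentation/usb/usbmon.txt, not Eric's usb232.lua."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_USB_LINUX = 189          # 48-byte usbmon header per record
LINKTYPE_USB_LINUX_MMAPPED = 220  # 64-byte header: adds interval/start_frame/xfer_flags/ndesc
XFER_BULK = 3                     # usbmon xfer_type: 0 ISO, 1 INTR, 2 CONTROL, 3 BULK

# usbmon_packet: id type xfer_type epnum devnum busnum flag_setup flag_data
#                ts_sec ts_usec status length len_cap setup[8]
USBMON_HDR = struct.Struct("<QBBBBHbbqiiII8s")  # 48 bytes
USBMON_MMAP_EXTRA = struct.Struct("<iiII")      # 16 extra bytes in the mmapped layout
PCAP_GLOBAL = struct.Struct("<IHHiIII")         # magic, ver, tz, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")            # ts_sec, ts_usec, incl_len, orig_len


def iter_bulk_payloads(pcap_bytes):
    """Yield (busnum, devnum, direction, data) for each captured bulk URB that carries data."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack(pcap_bytes[:PCAP_GLOBAL.size])
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian pcap file")
    hdr_len = {LINKTYPE_USB_LINUX: 48, LINKTYPE_USB_LINUX_MMAPPED: 64}.get(linktype)
    if hdr_len is None:
        raise ValueError("not a Linux usbmon capture (linktype %d)" % linktype)
    off = PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(pcap_bytes):
        _, _, incl_len, _ = PCAP_RECORD.unpack(pcap_bytes[off:off + PCAP_RECORD.size])
        off += PCAP_RECORD.size
        rec = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(rec) < hdr_len:
            continue  # truncated record (snaplen too small)
        fields = USBMON_HDR.unpack(rec[:USBMON_HDR.size])
        xfer_type, epnum, devnum, busnum, flag_data, len_cap = (
            fields[2], fields[3], fields[4], fields[5], fields[7], fields[12])
        # flag_data == 0 means a data block follows the header; '<' / '>' means none was captured
        if xfer_type != XFER_BULK or flag_data != 0 or len_cap == 0:
            continue
        direction = "IN" if epnum & 0x80 else "OUT"  # bit 7 of epnum is the direction bit
        yield busnum, devnum, direction, rec[hdr_len:hdr_len + len_cap]


def reassemble_streams(pcap_bytes):
    """Return {(bus, dev, direction): bytes}, each value the bulk payloads joined in capture order."""
    streams = {}
    for bus, dev, direction, data in iter_bulk_payloads(pcap_bytes):
        streams.setdefault((bus, dev, direction), bytearray()).extend(data)
    return {key: bytes(buf) for key, buf in streams.items()}


def _usbmon_record(xfer_type, epnum, devnum, busnum, data, mmapped):
    """Build one pcap record for a single URB event (constructed test data, not a real trace)."""
    urb_type = ord("C") if epnum & 0x80 else ord("S")  # IN data arrives on complete, OUT on submit
    flag_data = 0 if data else ord(">")
    hdr = USBMON_HDR.pack(0x1, urb_type, xfer_type, epnum, devnum, busnum, ord("-"), flag_data,
                          0, 0, 0, len(data), len(data), b"\0" * 8)
    if mmapped:
        hdr += USBMON_MMAP_EXTRA.pack(0, 0, 0, 0)
    rec = hdr + data
    return PCAP_RECORD.pack(0, 0, len(rec), len(rec)) + rec


def build_sample_capture(mmapped=False):
    """Constructed capture mirroring Bus 008 / Device 004 from the lsusb output in the mail."""
    linktype = LINKTYPE_USB_LINUX_MMAPPED if mmapped else LINKTYPE_USB_LINUX
    bus, dev = 8, 4
    records = [
        _usbmon_record(2, 0x80, dev, bus, b"\x00" * 8, mmapped),        # control transfer: ignored
        _usbmon_record(XFER_BULK, 0x02, dev, bus, b"AT+VER", mmapped),   # host -> radio, split
        _usbmon_record(XFER_BULK, 0x02, dev, bus, b"?\r", mmapped),      #   across two URBs
        _usbmon_record(XFER_BULK, 0x81, dev, bus, b"", mmapped),         # IN URB with no data yet
        _usbmon_record(XFER_BULK, 0x81, dev, bus, b"OK\r\n", mmapped),   # radio -> host
        _usbmon_record(XFER_BULK, 0x81, 1, bus, b"HUB", mmapped),        # other device, same bus
    ]
    return PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype) + b"".join(records)


if __name__ == "__main__":
    # usage: python usbmon_rs232.py output.pcap   (no argument: run on the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_capture()
    for (bus, dev, direction), payload in sorted(reassemble_streams(raw).items()):
        print("bus %d dev %d %-3s %d bytes: %s" % (bus, dev, direction, len(payload), payload.hex()))
```

Run it on the output.pcap from the tcpdump step and pick the (8, 4, OUT) and (8, 4, IN) entries for the host-to-radio and radio-to-host halves of the conversation; the per-device keying is what makes the "no other devices on the bus" precaution optional, because the root hub or a second adapter ends up in its own stream rather than interleaved with the radio's bytes.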

On Tue, Apr 26, 2016 at 8:20 PM, Eric Shattow <lucent at gmail.com> wrote:
> This analysis can be directly in Wireshark by writing a dissector for
> your USB serial device; the Linux kernel sources tell us details of
> many USB serial devices. I'll do my best to help when someone can get
> this started:
>
> wireshark-2.0.3/epan/dissectors/packet-usb-com.c
>
> as an example of a dissector.  Also possible is to write this in the Lua
> language, but when I started this way I discovered some unexpected
> behavior / bugs in wireshark 1.9.x Lua support; maybe these are fixed
> now, but for inclusion into wireshark upstream we should target the
> upstream C source code tree.
>
> Even without a dissector you should be able to apply a filter:
>
> "usb.capdata and usb.bus_id==8 and usb.device_address==2"
>
> where 8 and 2 are values from the Linux host in 'dmesg' or 'lsusb'
> output. This gives all transactions where there is more data than the
> existing USB dissectors can handle, and should be mostly the RS232
> data payload we're interested in.
>
> Eric
>
> On Tue, Apr 26, 2016 at 11:44 AM, Pavel Milanes (CO7WT) via
> chirp_devel <chirp_devel at intrepid.danplanet.com> wrote:
>> Hi to all,
>>
>> Interesting topic, and interesting tip about Wireshark doing USB capture. I
>> will give that a try and see how they pack the USB protocol in the pcap
>> format or whatever format they do it; maybe we can unpack that format into a
>> kind of log...
>>
>> David, I used one time in the past a serial capture tool for Windows 8 @64
>> bits from the Internet (I don't remember the name now) but it was a "limited
>> time, you have to buy after 30 days" kind of tool, that may work for a short
>> time frame but isn't a solution in the long term.
>>
>> 73
>>
>> On 26/04/16 at 14:08, David Ranch via chirp_devel wrote:
>>
>>
>> Using wireshark would be excellent from my perspective but I don't know if
>> people who might have written tools against the output of Portmon would work
>> with a PCAP capture.
>>
>> Marco / Pavel:  Any thoughts here?
>>
>> --David
>> KI6ZHD
>>
>>
>> _______________________________________________
>> chirp_devel mailing list
>> chirp_devel at intrepid.danplanet.com
>> http://intrepid.danplanet.com/mailman/listinfo/chirp_devel
>> Developer docs: http://chirp.danplanet.com/projects/chirp/wiki/Developers
