Sniffing

USB Sniffing

First, load the usbmon kernel module and make sure debugfs is mounted, because usbmon exposes its text interface under debugfs:

sudo modprobe usbmon
sudo mount -t debugfs none /sys/kernel/debug

On most distributions debugfs is already mounted at /sys/kernel/debug (check with mount -t debugfs), in which case the mount step is unnecessary. Reading the usbmon files requires root.

Now identify the bus and device number of the USB device we wish to sniff:

lsusb -v | grep -i 'Bus 0'
Couldn't open device, some information will be missing
Bus 004 Device 007: ID 0bda:8153 Realtek Semiconductor Corp. RTL8153 Gigabit Ethernet Adapter
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Bus 004 Device 006: ID 0bda:0413 Realtek Semiconductor Corp. Dell dock
Bus 004 Device 005: ID 0bda:0487 Realtek Semiconductor Corp. Dell dock
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Couldn't open device, some information will be missing
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Couldn't open device, some information will be missing
Bus 001 Device 003: ID 0bda:565a Realtek Semiconductor Corp. Integrated_Webcam_HD
Couldn't open device, some information will be missing
Bus 001 Device 022: ID 2ccf:0854 Hypersecu HyperFIDO
Couldn't open device, some information will be missing

In our case we are going to sniff the Hypersecu HyperFIDO token: Bus 001 Device 022. (The "Couldn't open device, some information will be missing" lines are warnings that lsusb -v prints on stderr when run without root; a plain lsusb gives the same Bus/Device listing without them.) Device numbers are reassigned every time a device is re-enumerated, so re-check them after a replug. With debugfs mounted, usbmon exposes one set of files per bus:

ls /sys/kernel/debug/usb/usbmon/
0s  0u  1s  1t  1u  2s  2t  2u  3s  3t  3u  4s  4t  4u

Nu is the text trace for bus N (0u is all buses at once), Ns holds that bus's statistics, and Nt is the legacy text format. We want bus 1, where device 022 lives:

cat /sys/kernel/debug/usb/usbmon/1u
ffff9dc18bf50cc0 3763553484 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763553572 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763569364 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763569386 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763593354 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763593372 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763609362 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763609370 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763633354 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763633368 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763649352 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763649364 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763673356 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763673366 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763689354 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763689368 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763713384 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763713431 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763729342 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763729392 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763753475 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763753538 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763769379 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763769428 S Ii:1:022:5 -115:8 8 <

Each line is one URB event: the URB tag (a kernel pointer, so all events of the same URB share it), a timestamp in microseconds, the event type (S = submission, C = callback, i.e. completion), the address word Ii:1:022:5 (Interrupt transfer, In direction, bus 1, device 022, endpoint 5), the status word (0:8 on a callback is status 0 with an interrupt interval of 8; -115:8 on a submission is -EINPROGRESS, the URB is still pending), the data length, and then either = followed by the captured bytes or < meaning no data was captured. So we do see our device 022, and its 8-byte interrupt IN reports alternate between 00002500 00000000 and all zeros; if endpoint 5 is a HID boot-protocol keyboard endpoint, that decodes as keycode 0x25 (the 8 key) being pressed and released. Note that 1u carries traffic for every device on bus 1: usbmon has no per-device filter, so select the 1:022 address yourself (for example grep ':1:022:' on the trace).

The same capture can be taken with tcpdump or Wireshark, which see each usbmon bus as an interface named usbmonN, N being the bus number. For bus 1:

sudo tcpdump -i usbmon1 -w hyperfido.pcap

In Wireshark, packets sent by device 22 can be selected by slicing the usb.src string, which has the form bus.device.endpoint (here 1.22.5):

usb.src[0] == "1" && usb.src[1] == "." && usb.src[2] == "2" && usb.src[3] == "2"

The dedicated fields are simpler and match both directions:

usb.bus_id == 1 && usb.device_address == 22
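Parsing the 1u trace programmatically. The block below is an added example, not code from the original notes: a small parser for the usbmon text format (field layout per the kernel's Documentation/usb/usbmon.rst), a bus/device filter equivalent to the Wireshark filter above, and a decoder that reads an 8-byte payload as a HID boot-protocol keyboard report. The sample trace is constructed from the capture lines above plus one control transfer written after the kernel documentation's example; treating endpoint 5's reports as keyboard reports is an assumption for illustration, not something the capture proves.

```python
"""Parse the usbmon text ("1u") trace format and filter it per device.

Added example for these notes; the field layout follows the kernel's
Documentation/usb/usbmon.rst. Run it directly to see the decoded reports.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Constructed sample input: four interrupt lines copied from the 1u capture
# above, plus one control transfer written after the kernel documentation's
# example (not from this capture).
SAMPLE_TRACE = """\
ffff9dc18bf50cc0 3763553484 C Ii:1:022:5 0:8 8 = 00002500 00000000
ffff9dc18bf50cc0 3763553572 S Ii:1:022:5 -115:8 8 <
ffff9dc18bf50cc0 3763569364 C Ii:1:022:5 0:8 8 = 00000000 00000000
ffff9dc18bf50cc0 3763569386 S Ii:1:022:5 -115:8 8 <
f5b8d3c0 3003256212 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
f5b8d3c0 3003261220 C Ci:1:001:0 0 4 = 01050000
"""

TRANSFER = {"C": "control", "Z": "isochronous", "I": "interrupt", "B": "bulk"}
ADDR_RE = re.compile(r"^([CZIB])([io]):(\d+):(\d+):(\d+)$")
STATUS_RE = re.compile(r"-?\d+(:-?\d+)*")   # status[:interval[:start_frame[:errors]]]


@dataclass
class UsbmonEvent:
    tag: str            # URB tag: all events of one URB share it
    timestamp_us: int
    event: str          # S = submission, C = callback (completion), E = submit error
    transfer: str       # control / isochronous / interrupt / bulk
    direction: str      # "in" (device -> host) or "out"
    bus: int
    device: int
    endpoint: int
    status: str         # e.g. "0:8" or "-115:8" (-115 = -EINPROGRESS); "s" on control submissions
    setup: Optional[Tuple[int, ...]] = None  # (bmRequestType, bRequest, wValue, wIndex, wLength)
    length: int = 0     # requested length (S) or actual length (C)
    data: bytes = b""   # captured bytes, only present when the data tag is "="


def parse_usbmon_line(line: str) -> UsbmonEvent:
    words = line.split()
    tag, ts, ev, addr, status = words[:5]
    m = ADDR_RE.match(addr)
    if not m:
        raise ValueError(f"bad address word: {addr!r}")
    xfer, direction, bus, dev, ep = m.groups()
    rest = words[5:]
    setup = None
    if not STATUS_RE.fullmatch(status):
        # Control submission: the status word is a setup tag and the five
        # setup words follow; they are only meaningful when the tag is "s".
        setup_words, rest = rest[:5], rest[5:]
        if status == "s":
            setup = tuple(int(w, 16) for w in setup_words)
    if xfer == "Z":
        # Isochronous: descriptor count, then at most five descriptor words.
        ndesc = int(rest[0])
        rest = rest[1 + min(ndesc, 5):]
    length = int(rest[0])
    data = b""
    if len(rest) > 1 and rest[1] == "=":
        data = bytes.fromhex("".join(rest[2:]))
    return UsbmonEvent(tag, int(ts), ev, TRANSFER[xfer], "in" if direction == "i" else "out",
                       int(bus), int(dev), int(ep), status, setup, length, data)


def parse_usbmon(text: str) -> Iterator[UsbmonEvent]:
    for line in text.splitlines():
        if line.strip():
            yield parse_usbmon_line(line)


def for_device(events: Iterable[UsbmonEvent], bus: int, device: int) -> List[UsbmonEvent]:
    """Same selection as the Wireshark filter usb.bus_id == bus && usb.device_address == device."""
    return [e for e in events if e.bus == bus and e.device == device]


# HID boot-protocol keyboard report: modifier byte, reserved byte, six keycodes.
# Usage IDs from the HID Usage Tables keyboard page: 0x04-0x1D = a-z, 0x1E-0x27 = 1-9,0.
KEYCODES = {0x04 + i: chr(ord("a") + i) for i in range(26)}
KEYCODES.update({0x1E + i: "1234567890"[i] for i in range(10)})
KEYCODES.update({0x28: "ENTER", 0x2C: "SPACE"})


def decode_boot_keyboard(report: bytes) -> List[str]:
    """Return the keys held down in an 8-byte boot keyboard report ([] on release)."""
    if len(report) != 8:
        raise ValueError("boot keyboard reports are 8 bytes")
    return [KEYCODES.get(k, f"0x{k:02x}") for k in report[2:] if k]


if __name__ == "__main__":
    # Assumption for illustration: endpoint 5 of device 022 is a keyboard-class
    # interrupt IN endpoint, so its 8-byte reports are boot keyboard reports.
    for e in for_device(parse_usbmon(SAMPLE_TRACE), bus=1, device=22):
        if e.event == "C" and e.direction == "in" and e.data:
            print(f"{e.timestamp_us} ep{e.endpoint} {e.data.hex()} keys={decode_boot_keyboard(e.data)}")
```

To use it on a real capture, redirect the 1u file to disk first (cat /sys/kernel/debug/usb/usbmon/1u > trace.txt, as root) and feed the file's contents to parse_usbmon; only callback (C) events of IN endpoints carry data the device actually sent, which is why the loop at the bottom checks both before decoding.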