Thursday, January 12, 2017

Wireshark question: How to get Wireshark to see usbmon0?

I seem to have a habit of embarking on projects and getting to a point at which neither I nor anyone else seems able to find an answer.
Typically, I then go find a forum to post a question. This usually works. But this time it has not.
So, it occurred to me, since all my hours of Googling have failed me, perhaps I should try having Google do the work by posting the question to a blog. That way, anyone halfway interested in the components of my question will be directed here. It may be gratifying to them to know that someone else has the same problem. Perhaps then we can all contribute and we all win.
So here goes. I'll let you know how it works out... If you have thoughts please leave comments by clicking Comments at the bottom of the post. Thanks in advance.
=======================================================
How to get Wireshark to see usbmon0?
ls -l /dev/usbmon* shows
crw-r--r-- 1 root root 248, 0 Jan 10 14:50 /dev/usbmon0 
crw-r--r-- 1 root root 248, 1 Jan 10 14:50 /dev/usbmon1 
crw-r--r-- 1 root root 248, 2 Jan 10 14:50 /dev/usbmon2
but Wireshark only sees the latter two.
1. We have a piece of boat gear (RayMarine C120W) that bridges NMEA 0183 (ASCII) and Ethernet ("SeaTalk-HS") data for transmission to Windows software (RayTech Navigation System—RNS). The bridged data are wired to a DB-9F chassis connector near the laptop. We did have a Serial-to-Ethernet cable that connected to an older laptop, which had an Ethernet socket, running the software. It worked fine.
2. We have not touched the boat wiring, but we have lost the cable and necessarily moved the software to a new laptop (openSUSE Leap 42.1 Linux) that does not have an Ethernet socket, only USB.
3. We have a Gigaware 2603487 USB-A-to-Serial cable. It is recognized by the laptop and connected to ttyUSB0. We can read that port at the command line interface (CLI) with cat /dev/ttyUSB0 and see the NMEA 0183 ASCII sentences, but not the Ethernet stream.
3.1 I understand that the Ethernet traffic is higher frequency and multiplexed, yada yada, so I will address that aspect ("Ethernet over USB") in due course, but first we need Wireshark to see the basic USB data that we can see on the CLI (presumably on usbmon0) to ensure that Wireshark is reading the USB connection.
4. We have laboriously followed https://wiki.wireshark.org/CaptureSetup/USB and many of its adherents, particularly http://stackoverflow.com/questions/31054437/how-to-install-wireshak-on-linux-and-capture-usb-traffic (yes, they misspelled Wireshark). As a result we have:
4.1 Sorted out usbmon. It needs to be restarted after each reboot (modprobe usbmon), a PITA we'll address later.
4.2 Added the requisite capabilities to dumpcap
4.3 Changed permissions as directed (644) on /dev/usbmon*, added the wireshark group and added the user to the group.
4.4 Configured Wireshark for non-root use, but that shows the same results as running it as root (yes, I know, a no-no).
5. https://wiki.wireshark.org/CaptureSetup/USB says the special "usbmon0" interface receives events from all USB buses.
5.1 After a new modprobe usbmon after a reboot ls -l /dev/usbmon* returns
crw-r--r-- 1 root root 248, 0 Jan 10 14:50 /dev/usbmon0 
crw-r--r-- 1 root root 248, 1 Jan 10 14:50 /dev/usbmon1 
crw-r--r-- 1 root root 248, 2 Jan 10 14:50 /dev/usbmon2
so others (user, wireshark group) should be able to read.
5.2 So indeed usbmon0 exists, but it does not appear in Wireshark. Wireshark only shows usbmon1 and usbmon2. Neither has any interesting traffic, certainly not the ASCII stream that we can see on the CLI.
6. We have attempted using a USB-connected Ethernet-to-USB adapter with a Serial-to-Ethernet cable. It is recognized by the OS and Wireshark sees it as eth0, but there is zero traffic on it.
We can proceed further with Ethernet over USB once we have determined that Wireshark can read usbmon0 (ttyUSB0).
How to get Wireshark to see usbmon0?
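Two checks that would settle whether the serial adapter's bytes are reaching a usbmon bus at all, as an added example that is not part of the original post: first, map ttyUSB0 to its USB bus number, because libpcap exposes one capture interface per bus (usbmon1, usbmon2, ...) and the adapter's traffic is on exactly one of them; second, compare what `cat /dev/ttyUSB0` prints against the bulk IN payloads in a usbmon capture by validating the NMEA 0183 XOR checksum of each sentence on both sides. The `readlink -f /sys/class/tty/ttyUSB0/device` command and the `/sys/kernel/debug/usb/usbmon/<N>u` text format are real, but the sysfs path, the tty lines and the usbmon lines below are constructed samples, so the script runs offline with plain Python 3 and the standard library.

```python
"""Sanity checks for the usbmon / ttyUSB0 setup discussed in the post.

Added example, not the blog author's code.  Every path and capture line
below is a constructed sample; no real device is read.
"""
import re

# 1. Which usbmonN carries ttyUSB0?
# The bus number is the N in the "usbN" component of the adapter's sysfs path.
# On the laptop it would come from:  readlink -f /sys/class/tty/ttyUSB0/device
# The value below is a constructed sample of what that prints.
SAMPLE_SYSFS_PATH = "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0"


def usbmon_for_sysfs_path(resolved_path):
    """Map a resolved sysfs device path to the usbmon interface to capture on."""
    m = re.search(r"/usb(\d+)/", resolved_path)
    if m is None:
        raise ValueError("no usbN bus component in %r" % resolved_path)
    return "usbmon" + m.group(1)


# 2. NMEA 0183 framing: '$' body '*' two-hex-digit XOR checksum CR LF.
def nmea_checksum(body):
    """XOR of every byte between '$' and '*', as two upper-case hex digits."""
    cs = 0
    for b in body.encode("ascii"):
        cs ^= b
    return "%02X" % cs


def nmea_validate(sentence):
    """Return (body, checksum_ok) for one sentence; malformed input gives ok=False."""
    s = sentence.strip()
    if not s.startswith("$") or "*" not in s:
        return s, False
    body, _, tail = s[1:].partition("*")
    return body, tail[:2].upper() == nmea_checksum(body)


def validate_tty_stream(text):
    """Validate every non-empty line of text as read with `cat /dev/ttyUSB0`."""
    return [nmea_validate(line) for line in text.splitlines() if line.strip()]


# 3. Pull the same bytes out of usbmon text-interface lines.
# Line layout (Documentation/usb/usbmon.txt): URB tag, timestamp, event
# (S/C/E), "<type><dir>:<bus>:<device>:<endpoint>", status, data length and
# "= <hex words>" when data was captured ('<' or '>' when it was not).
# Bulk IN completions ("C Bi") carry what the serial adapter handed the host.
def usbmon_payload(line):
    """Parse one usbmon text line -> (event, urb_type, bus, dev, ep, data) or None."""
    head, sep, data = line.strip().partition(" = ")
    if not sep:
        return None                      # no data on this line
    fields = head.split()
    if len(fields) < 4:
        return None
    event, addr = fields[2], fields[3]
    urb_type, bus, dev, ep = addr.split(":")
    return event, urb_type, int(bus), int(dev), int(ep), bytes.fromhex(data.replace(" ", ""))


def nmea_from_usbmon(lines, bus=None):
    """Reassemble bulk IN completions (optionally from one bus) into NMEA
    lines and validate each.  Returns [(bus, body, ok), ...]."""
    buf = b""
    out = []
    for line in lines:
        parsed = usbmon_payload(line)
        if parsed is None:
            continue
        event, urb_type, b, _dev, _ep, data = parsed
        if event != "C" or urb_type != "Bi" or (bus is not None and b != bus):
            continue
        buf += data                      # one sentence may span several URBs
        while b"\n" in buf:
            raw, buf = buf.split(b"\n", 1)
            body, ok = nmea_validate(raw.decode("ascii", "replace"))
            out.append((b, body, ok))
    return out


# Constructed samples: one sentence with a correct checksum, one corrupted,
# and the good sentence split across two bulk IN URBs on bus 1 next to an
# unrelated control transfer on bus 2.
SAMPLE_TTY = "$GPTXT,01,01,02,TEST*5B\r\n$GPTXT,01,01,02,TEXT*5B\r\n"
SAMPLE_USBMON = [
    "ffff880037ce1180 1484058745100000 S Bi:1:003:1 -115 64 <",
    "ffff880037ce1180 1484058745100512 C Bi:1:003:1 0 12 = 24475054 58542c30 312c3031",
    "ffff880037ce1180 1484058745101024 C Bi:1:003:1 0 13 = 2c30322c 54455354 2a35420d 0a",
    "ffff88003b7d6a80 1484058745102000 C Ci:2:001:0 0 4 = 01050000",
]

if __name__ == "__main__":
    print("capture on:", usbmon_for_sysfs_path(SAMPLE_SYSFS_PATH))
    for body, ok in validate_tty_stream(SAMPLE_TTY):
        print("tty    ", "OK " if ok else "BAD", body)
    for b, body, ok in nmea_from_usbmon(SAMPLE_USBMON, bus=1):
        print("usbmon%d" % b, "OK " if ok else "BAD", body)
```

Two practical notes. The debugfs text interface does not go through libpcap at all, so `cat /sys/kernel/debug/usb/usbmon/1u` as root (with debugfs mounted and usbmon loaded) while sentences are flowing is the quickest way to confirm which bus the adapter is on, and `0u` aggregates every bus the same way usbmon0 is meant to; if the sentences show up there with good checksums, the capture side is fine and the problem is purely in how Wireshark enumerates interfaces. Also, world-readable /dev/usbmon* (mode 644) is a real trade-off: usbmon sees every transfer on the bus, including keyboard and other HID interrupt traffic, so any local user can then log keystrokes. Limiting read access to the wireshark group and revoking it when the investigation is over is the safer setting.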
