【轉載】linux下的usb抓包方法

時間 2019-11-10

標籤轉載 linux usb 抓包方法欄目 Linux 简体版

原文原文鏈接

1 linux下的usb抓包方法

一、配置內核使能usb monitor：linux

make menuconfig
Device Drivers -->
USB Support -->
USB Monitor --> Select * not M
二、build kernel
sudo insmod /lib/modules/3.2.1/kernel/drivers/usb/mon/usbmon.koandroid

三、啓動內核後執行
#mount -t debugfs none_debugs /sys/kernel/debug

檢查是否存在目錄 /sys/kernel/debug/usb/usbmon
#ls /sys/kernel/debug/usb/usbmonapp

                   0s 0u 1s 1t 1u 2s 2t 2u 3s 3t 3u

                  # cat /sys/kernel/debug/usb/devices 肯定你要監視的usb設備所在總線號和設備號
                   # 選擇包含有 : Vendor=148f ProdID=5370 Rev= 1.01 的段落
# as follows:
# T: Bus=01Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0
# D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
# P: Vendor=148f ProdID=5370 Rev= 1.01
# S: Manufacturer=Ralink
# S: Product=802.11 n WLAN
# S: SerialNumber=1.0
# C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=450mA
# I:* If#= 0 Alt= 0 #EPs= 5 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtusbSTA
# E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
# E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
# E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
# E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
# E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
#   能夠從第一行看到 Bus= 01,設備號是2
                   less

四、保存 usb raw packet ，若是總線號是1，則是1u，若是總線號是2，則是2u，依次類推。特殊狀況是0u表示監聽全部總線
if (Bus == 01)
sudo cat /sys/kernel/debug/usb/usbmon/1u > ./rt5370-UsbMon.txt
else if (Bus == 02)
sudo cat /sys/kernel/debug/usb/usbmon/2u > ./rt5370-UsbMon.txt

2 抓的usb包的格式解析

The usbmon reports requests made by peripheral-specific drivers to Host
Controller Drivers (HCD). So, if HCD is buggy, the traces reported by
usbmon may not correspond to bus transactions precisely. This is the same
situation as with tcpdump.frontend

上面的基本說明了usbmon主要的工做原理，他會把usb host drivers發送到hcd的全部請求（usb_submit_urb）和請求的回調內容（即改請求對應的回調函數：urb->complete）都報告出來。tcp

Any text format data consists of a stream of events, such as URB submission（S）,
URB callback（C）, submission error（E）. Every event is a text line, which consists
of whitespace separated words. The number or position of words may depend
on the event type, but there is a set of words, common for all types.

因此這裏的URB submission便是對應usb host drivers中的usb_submit_urb(urb, mem_flags)

而URB callback即便對應urb的回掉函數：urb->complete

因此咱們會看到even type爲S的和緊鄰的event type爲C的事件，他們對應的URB tag都是同樣的

由於他們都是針對同一個URB而言的。

先給出三個列子：

eea76f80 3474782286 S Ii:1:003:3 -115:128 16 <
edda2b80 3474786256 C Ii:1:006:1 0:1 16 = 2fff0180 d6ef206e 1401020c 015aab73
e11c9280 3500399358 S Co:1:006:0 s 20 00 0000 0000 0007 7 = 370c0447 00401f
e11c9280 3500399866 C Co:1:006:0 0 7 >

Here is the list of words, from left to right:

- URB Tag. This is used to identify URBs, and is normally an in-kernel address
of the URB structure in hexadecimal, but can be a sequence number or any
other unique string, within reason.

通常就是在usb host driver中分配的urb的內核地址，通常經過以下函數來分配：

urb = usb_alloc_urb(0, mem_flags);ide

因爲一個urb對應一個端口，因此同一個端口他們的urb tag都是同樣的。
002e2002999116296 C Ci:1:008:0 0 4 = 8d2b0000

Timestampin microseconds, a decimal number. The timestamp's resolution
depends on available clock, and so it can be much worse than a microsecond
(if the implementation uses jiffies, for example).
e002e200 2999116296Ci:1:008:0 0 4 = 8d2b0000函數

注意單位是微秒。

- Event Type. This type refers to the format of the event, not URB type.
Available types are:S - submission, C - callback, E - submission error.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000工具

表示的意思是：usb host drivers經過usb_submit_urb函數向linuxusb core提交了一個urb傳輸請求，咱們知道全部的usb傳輸，都是host端主動發起的，因此必需要有host drivers主動發出submit urb的動做

- "Address" word (formerly a "pipe"). It consists of four fields, separated by
colons: URB type and direction, Bus number, Device address, Endpoint number.
Type and direction are encoded with two bytes in the following manner:
  Ci Co   Control input and output
  Zi Zo   Isochronous input and output
  Ii Io   Interrupt input and output
  Bi Bo   Bulk input and output
Bus number, Device address, and Endpoint are decimal numbers, but they may
have leading zeros, for the sake of human readers.大數據

因此地址字段的格式是以下：

URB type and direction：Bus number：Device address：Endpoint number

以下列子：
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000

意思是：控制傳輸輸入，總線號爲1，設備地址爲008，因爲全部的控制傳輸都是在endpoint 0上的，因此最後的端口天然也是0了。

這裏須要注意，因爲咱們的這個抓包命令，只能指定是抓哪一個總線上，但同一個總線一般會有不少usb設備的，若是咱們只是關注特定的某個usb設備的話，我本身就須要留意設備地址字段，經過這個字段，咱們就能夠區分這個傳輸是否是咱們要監聽的設備發送出來的。

例以下面一段usb sniffer log：

edda2b80 3500379613 C Ii:1:006:1 0:1 8 = 0e06010d 08004700
edda2b80 3500394156 S Ii:1:006:1-115:1 16 <
eea76f80 3500394226 C Ii:1:003:3 0:128 16 = a12a0000 01000800 00e1f505 00e1f505
eea76f80 3500394236 S Ii:1:003:3 -115:128 16 <

一樣都是usb總線1下面的，因爲一個usb總線就對應一個usb host controller，但一個設備地址是006，另外一個則是003，前者對應的是usb bluetooth dongle的中斷傳輸，然後者則是usb鼠標的中斷傳輸，他們接在同一個總線的usb hub下面。咱們真正須要監聽只是usb bluetooth dongle，因此就能夠不受usb鼠標的干擾。

- URB Status word. This is either a letter, or several numbers separated
by colons: URB status, interval, start frame, and error count. Unlike the
"address" word, all fields save the status are optional. Interval is printed
only for interrupt and isochronous URBs. Start frame is printed only for
isochronous URBs. Error count is printed only for isochronous callback
events.
這裏的意思就是，urb的狀態字，有兩種可能，一種是「字母」；一種是「數字」，若是是前者則通常就是字母「s」，表示一個控制傳輸，而若是是數字，他們的格式則分兩種狀況：

若是是中斷傳輸，格式以下： URB status：interval，注意狀態字段只對C類型的事件有意義，對S類型的事件沒有意思。

若是是同步傳輸,格式以下：URB status：interval：{start frame}：{error count}

The status field is a decimal number, sometimes negative, which represents
a "status" field of the URB. This field makes no sense for submissions, but
is present anyway to help scripts with parsing. When an error occurs, the
field contains the error code.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000

狀態域：status就是struct urb結構體中的status字段，該字段直接說明當前的usb請求是否成功執行。因此只有在回調的時候纔有意思。

In case of a submission of a Control packet, this field contains a Setup Tag
instead of an group of numbers. It is easy to tell whether the Setup Tag is
present because it is never a number. Thus if scripts find a set of numbers
in this word, they proceed to read Data Length (except for isochronous URBs).
If they find something else, like a letter, they read the setup packet before
reading the Data Length or isochronous descriptors.
e002e200 2999116113 S Ci:1:008:0 s c0 07 0000 1134 0004 4 <

字母「s」是控制傳輸的標誌

- Setup packet, if present, consists of 5 words: one of each for bmRequestType,
bRequest, wValue, wIndex, wLength, as specified by the USB Specification 2.0.
These words are safe to decode if Setup Tag was 's'. Otherwise, the setup
packet was present, but not captured, and the fields contain filler.

即控制傳輸包的格式以下：

bmRequestType（請求類型）：bRequest（請求號）：wValue：wIndex（下標）：wLength（數據字段的長度，若是爲0，說明沒有數據段）

e11c9280 3500399358 S Co:1:006:0 s 20 00 0000 0000 0007 7 = 370c0447 00401f

e11c9280 3500399866 C Co:1:006:0 0 7 > //表示上面的控制傳輸請求成功，而且實際傳輸了7個btye的數據，僅表示狀態，不對應具體的控制傳輸階段

20 00 0000 0000 0007對應控制傳輸的setup階段， 370c0447 00401f對應控制傳輸的數據階段（OUT傳輸），數據長度是7個字節

- Number of isochronous frame descriptors and descriptors themselves.
If an Isochronous transfer event has a set of descriptors, a total number
of them in an URB is printed first, then a word per descriptor, up to a
total of 5. The word consists of 3 colon-separated decimal numbers for
status, offset, and length respectively. For submissions, initial length
is reported. For callbacks, actual length is reported.

- Data Length. For submissions, this is the requested length. For callbacks,
this is the actual length.
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000

又以下：

edda2b80 3500272851 S Ii:1:006:1 -115:1 16 <
edda2b80 3500273622 C Ii:1:006:1 0:1 7 = 13050147 000100

第一句是發起一個請求長度爲16字節的usb中斷傳輸請求，該字段通常在端點描述符中會說明該管道所支持的最大數據包大小

第二句是該中斷傳輸請求實際返回的數據則只有7個字節，即對應urb->actual_length字段

以上兩句對應一個中斷IN傳輸

- Data tag. The usbmon may not always capture data, even if length is nonzero.
The data words are present only if this tag is '='.
e002e200 2999116296 C Ci:1:008:0 0 4 =8d2b0000

data tag就是「=」，表示有數據段，「=」號後面就是具體的數據內容

- Data words follow, in big endian hexadecimal format. Notice that they are
not machine words, but really just a byte stream split into words to make
it easier to read. Thus, the last word may contain from one to four bytes.
The length of collected data is limited and can be less than the data length
reported in the Data Length word. In the case of an Isochronous input (Zi)
completion where the received data is sparse in the buffer, the length of
the collected data can be greater than the Data Length value (because Data
Length counts only the bytes that were received whereas the Data words
contain the entire transfer buffer).
e002e200 2999116296 C Ci:1:008:0 0 4 = 8d2b0000

Examples:
An input control transfer to get a port status.
d5ea89a0 3575914555 S Ci:1:001:0 s a3 00 0000 0003 00044<

「 a3 00 0000 0003 0004」對應控制傳輸的setup階段，「4」對應控制傳輸的數據階段長度
5ea89a0 3575914560 C Ci:1:001:0 0 4 = 01050000
對應控制傳輸的數據階段的data IN傳輸，」 01050000「即爲數據，爲4byte長度

An output bulk transfer to send a SCSI command 0x28 (READ_10) in a 31-byte
Bulk wrapper to a storage device at address 5:

dd65f0e8 4128379752 S Bo:1:005:2 -115 31 = 55534243 ad000000 00800000 80010a28 20000000 20000040 00000000 000000
dd65f0e8 4128379808 C Bo:1:005:2 0 31 > //指示這個bulk傳輸請求時成功的，而且實際也傳輸了31個byte的數據。

3 USB Sniffing with tcpdump

usbmon is a facility in kernel which is used to collect traces of I/O on the USB bus. usbmon collects raw text/binary which are not easily human-readable. Here, the idea is to use Wireshark as frontend to produces a human-readable representation of these data. However Wireshark does not support usbmon raw data as is, so we have to parse these data in the pcap format. tcpdump is a good candidate to capture USB data from usbmon and generate pcap traces

前提條件，是須要最新的tcpdump工具才行，有編譯好的，能夠直接download下來push到板子上就可使用。也有能夠本身手動來編譯的。這裏就不詳細來講了。

步驟：

mount -t debugfs none_debugs /sys/kernel/debug
cat /sys/kernel/debug/usb/devices 肯定usb的總線號
tcpdump -D

1.eth0
2.usbmon1 (USB bus number 1)
3.usbmon2 (USB bus number 2)
4.usbmon3 (USB bus number 3)
5.any (Pseudo-device that captures on all interfaces)
6.lo

有以上紅色部分輸出，說明你的tcpdump已經安裝下，能夠正常使用