Amazingly, sniffing USB traffic is dog easy under linux. It turns out that everything you need is already there!!
I didn't have to do the following mount and modprobe, but on some systems this might be needed:
mount -t debugfs none_debugs /sys/kernel/debug modprobe usbmonAfter this you have a choice of usb buses to examine:
ls /sys/kernel/debug/usb/usbmon/ cat /sys/kernel/debug/usb/usbmon/2uOn my system, when I look at "2u" I would see traffic on the cable I had connected to my atmega32u4 device. On "1u" I would see traffic generated by my mouse. This is because there are several independent USB buses and you have to choose which one you want to study.
The output directly from these kernel monitoring interfaces, while ascii text, are not convenient to study (to put it mildly).
usb.device_address == 33 and usb.data_len > 2I have this blog to thank for getting me started on this:
There are lots of packets going back and forth between the host and device 3.1 (device 3 on bus 1). The mouse sends a 69 byte packet about every .02 seconds. The host answers each of these packets with a 64 byte reponse.
The Transfer type is all URB_INTERRUPT to endpoint 0x81 with direction IN. There is actually only 5 bytes of payload in the packets from the mouse (hence the packet size of 64 + 5 = 69 bytes).
usb.device_address != 2
The first thing I see is a GET_DESCRIPTOR for DEVICE on endpoint 0x80 (IN). The device answers with an 82 byte packet (18 bytes payload) giving the vendor ID, product ID, and specifying an 8 byte max packet size - among other things.
Next we see a GET_DESCRIPTOR for CONFIGURATION on endpoint 0x80 (IN). The device answers with an 73 byte packet (9 bytes payload) which includes (among other things) the fact that it is internally powered and draws at most 50 mA.
Next we see another GET_DESCRIPTOR for CONFIGURATION on endpoint 0x80 (IN). The device answers with an 105 byte packet. Here we have interface and endpoint description. We find out that this is an HID device with two endpoints. The endpoints are 0x81 in and 0x02 out.
Next we get 3 strings (language, device name, and "manufacturer").
Now we get a SET_CONFIGURATION on endpoint 0x0 (OUT) followed by a SET_IDLE on endpoint 0x0 (OUT). followed by a GET_DESCRIPTOR for RPIPE.
Lastly there is a GET_REPORT request on endpoing 0x80 (IN), which gets an 72 byte response (8 bytes of payload), and the 8 bytes are the values I coded in the HID demo!
Now the device is idle, and just sits there. After 25 seconds there is a burst of activity with the host chatting with both the hub and my atmega32u4.
Tom's Computer Info / [email protected]