Monitoring USB communications using usbmon interface
usbmon is a cost-effective way to monitor USB communications between the kernel and a hardware device. It is an alternative to hardware USB protocol analyzers for those who are on a budget or only need to do this once.
Loading of usbmon kernel module
The first step is to load the related kernel module. This can be done using the modprobe command.
$ sudo modprobe usbmon
Verify that the usbmon kernel module is loaded using the lsmod command.
$ sudo lsmod | grep usbmon
usbmon 45056 0
If everything looks good, the output contains a line for the loaded module.
Confirm USB device identification
The next step is to check whether the hardware device is listed correctly. The lsusb command shows all USB devices connected to the system. For example, a snipped output could look like this:
$ lsusb
Bus 003 Device 009: ID 0fd9:0084 Elgato Systems GmbH Stream Deck Plus
<output snipped>
In this case, we are interested in device 009 on bus 003. The bus number determines the interface name: the interface is named usbmon followed by the bus number, so here it is usbmon3. This is needed for the next step.
Capture traffic
The bus number gives us the interface name, in this case usbmon3. We can monitor this interface using TShark, or Wireshark if you prefer a graphical user interface.
$ tshark -i usbmon3
The next thing to do is monitor the traffic on the bus and see what is related to the device. If you are unsure about the identifiers, have a look at the output of lsusb -t -v.
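The bus-to-interface mapping and the "what is related to the device" step can be scripted. The following is an added example, not part of the original article: the function name usbmon_target is hypothetical, narrowing the capture with Wireshark's usb.bus_id and usb.device_address display-filter fields is this example's approach, and the lsusb input is a constructed sample.

```shell
#!/bin/sh
# Added example: derive the usbmon interface and a Wireshark display filter
# for one device from lsusb output.

# Reads lsusb output on stdin; $1 is the vendor:product ID (e.g. 0fd9:0084).
# Prints "<interface> <display filter>" per matching device, returns 1 if none.
usbmon_target() {
    awk -v id="$1" '
        $1 == "Bus" && $3 == "Device" && tolower($6) == tolower(id) {
            bus = $2 + 0                      # "003" -> 3 (decimal, not octal)
            dev = $4; sub(/:$/, "", dev)      # "009:" -> "009"
            printf "usbmon%d usb.bus_id == %d && usb.device_address == %d\n", bus, bus, dev + 0
            found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Constructed sample input: the lsusb line from the article plus one extra,
# made-up root hub line on another bus.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 009: ID 0fd9:0084 Elgato Systems GmbH Stream Deck Plus'

target=$(printf '%s\n' "$SAMPLE_LSUSB" | usbmon_target 0fd9:0084)
iface=${target%% *}      # first word: the usbmon interface
filter=${target#* }      # remainder: the display filter
echo "interface: $iface"
echo "filter:    $filter"

# On a live system, feed real lsusb output instead and capture with:
#   tshark -i "$iface" -Y "$filter"
```

The device number changes whenever the device is unplugged and reconnected, so derive the filter again before each capture session.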