
Monitoring USB communications using usbmon interface

With usbmon we have a cost-effective way to monitor USB communications between the kernel and a hardware device. It is an alternative to hardware USB protocol analyzers for those on a budget or who only need to do this once.

Loading of usbmon kernel module

The first step is to load the related kernel module. This can be done using the modprobe command.

$ sudo modprobe usbmon

Verify that the usbmon kernel module is loaded using the lsmod command.

$ sudo lsmod | grep usbmon
usbmon                 45056  0

If everything looks good, the output contains a line for the loaded module.

Confirm USB device identification

The next step is to check that the hardware device is listed correctly. The lsusb command shows all USB devices connected to the system. For example, a snipped output could look like this:

$ lsusb
Bus 003 Device 009: ID 0fd9:0084 Elgato Systems GmbH Stream Deck Plus
<output snipped>

In this case, we are interested in device 009 on bus 003. The bus number determines the interface name, in this case 3. The interface is named usbmon followed by the bus number, so usbmon3. This name is needed for the next step.

Capture traffic

The bus number gives us the interface to capture on, in this case usbmon3. We can monitor it using TShark, or Wireshark if you prefer a graphical user interface.

$ tshark -i usbmon3

The next thing to do is watch the traffic on the bus and pick out what is related to the device. If you are unsure about the identifiers, have a look at the output of lsusb -t -v.
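The steps above combined into one helper, as an added example that is not part of the original article: it reads lsusb output, finds a device by its vendor:product ID, and prints a TShark command for the matching usbmon interface with a display filter for that device's address. The function name usbmon_target and the second sample line are made up for illustration; -Y and usb.device_address are TShark's display filter option and Wireshark's USB device address field.

```shell
#!/bin/sh
# Added example (not from the original article). usbmon_target is a
# hypothetical helper name.
# Reads `lsusb` output on stdin; for each device whose vendor:product ID
# matches $1, prints a tshark command that captures on the bus interface of
# that device and displays only packets for its device address.
usbmon_target() {
    awk -v id="$1" '
        # Expected line: Bus 003 Device 009: ID 0fd9:0084 <description>
        $1 == "Bus" && $3 == "Device" && $5 == "ID" && tolower($6) == tolower(id) {
            bus = $2 + 0                 # "003"  -> 3, giving usbmon3
            dev = $4; sub(/:$/, "", dev) # "009:" -> "009"
            dev = dev + 0                # "009"  -> 9
            printf "tshark -i usbmon%d -Y \"usb.device_address == %d\"\n", bus, dev
            found = 1
        }
        END { exit(found ? 0 : 1) }      # non-zero when the ID is not connected
    '
}

# Constructed sample input: first line is from the article, second is made up.
SAMPLE='Bus 003 Device 009: ID 0fd9:0084 Elgato Systems GmbH Stream Deck Plus
Bus 001 Device 002: ID 1234:abcd Example Vendor Example Device'

printf '%s\n' "$SAMPLE" | usbmon_target 0fd9:0084
# On a live system: lsusb | usbmon_target 0fd9:0084
```

The device address changes when the device is unplugged and reconnected, so rerun the helper after replugging.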


This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.
