How can I monitor all USB traffic on OSX? I downloaded the USB monitoring extensions from the Apple Dev website and ran USB Prober. Nothing shows up when I start the monitoring, and there is data being sent to and from the USB device while monitoring.
I found 2 similar topics on this site, but neither gave an answer aside from using libusb. I was hoping I wouldn't have to write my own monitor from scratch using libusb. Seeing as the questions were asked in 2010, I'm hoping tools have been developed since then to accomplish this on OSX.
It's possible in high sierra (and maybe older versions), you'll need Wireshark's nightly build (I am using V2.5.0rc0). After you install it, you'll need to bring up the USB "interface":
sudo ifconfig XHC20 up
And after that you can use wireshark to sniff all the traffic in the XHC20 interface. When you finish, remember to turn the interface down:
sudo ifconfig XHC20 down
Source: aud-ios.
USB Prober doesn't log all USB traffic. It only logs USB/HID driver messages (diagnostic/info messages posted by USB/HID drivers).
I've never tried libusb for this but I suspect that it can't capture all USB traffic ether (but I could be wrong).
If you're at all serious about monitoring USB traffic you should consider a hardware USB Protocol Analyzer like the Beagle 12 from Total Phase: http://www.totalphase.com/products/beagle_usb12/
Or the USB Explorer 200 from Ellisys: http://www.ellisys.com/products/usbex200/index.php
You might be interested in contributing to this kickstarted project:
http://www.kickstarter.com/projects/bushing/openvizsla-open-source-usb-protocol-analyzer?ref=card
usbtracer is included in USB Prober.app:
https://developer.apple.com/library/mac/qa/qa1370/_index.html
no HTML anchors there, so search for
"Where do I find the usbtracer tool and how can I use it?"
i don't know if it shows all traffic or not, but at least in my case it shows something, and USB Prober shows nothing
Related
Does anyone out there who has developed on a dev board attached to a Mac OSX machine's USB port know how to send AT tty modem commands to the board? Arduino folks? Anyone?
TL;DR
I purchased a development STEVAL-SPBT2ATV2 "USB Dongle for the Bluetooth class 2 SPBT2532C2.AT module", which, according to the docs and spec has "downloaded FW, enabling the user to create a Bluetooth link with simple AT commands."
Which would be great, except all the documentation is only for old MS Windows, and doesn't give any hints on how to program this device from OSX or Linux.
Do I need to install a driver of some sort? Everything I've tried is like talking to a brick wall: I send commands, but nothing comes back from the board.
Things I've tried:
/dev/tty.Bluetooth-Modem already existed. Didn't seem to do anything. I think that's the built-in bluetooth device.
/dev/tty.AmpedUp-AMP-SPP and /dev/cu.AmpedUp-AMP-SPP showed up when I went to "Network -> set up bluetooth device" - which is good (correct device name) but strange, why under network?
Then under Bluetooth I can add a "serial port used to connect to this computer" and get the choice of Modem or RS-232. I guessed Modem.
I really hope I don't have to mess with the /etc/tty files
Nothing. the device never seems to react, or send any data back. I've tried several ways to send data to the device. Silence.
echo "AT+AB GPIOConfig 2 O^M" > /dev/cu.AmpedUp-AMP-SPP # ctrl-v ctrl-m for the ^M
screen /dev/tty.AmpedUp-AMP-SPP
cat /dev/tty.AmpedUp-AMP-SPP
minicom # via brew
chat /dev/cu.AmpedUp-AMP-SPP
From the docs:
Each dongle has the following factory default:
UART: 115200 baud, no parity,1 stop bit,8 data bits
Local name: “Amp'ed UP!’
Class of device: Misc Device
Profile: SPP (serial port profile)
Service name: “AMP-SPP”
Deep sleep: disabled
Page and inquiry scan: 1.28s interval, 11 ms duration
Security: disabled
Bonding PIN: “1234”
Bonding allowed: always enabled
I figured out where I was wayyy off-base with some help from a friend.
I thought that I was trying to establish a OSX->Terminal->Serial (Over USB)->Chip communication channel to program the chip.
When in reality, I was trying to establish a OSX->Terminal->Serial (over Bluetooth->Bluetooth) -> Chip channel to talk to the chip using the existing firmware, which includes enough defaults to have 4 GPIO/LED outputs. The USB only comes in later if I want to change the firmware.
Which means plugging the board into my laptop's USB port isn't necessary and only complicates the issue - better is plugging it into a spare USB charger next to my laptop.
... Which let me narrow down the problem to 2 things:
OSX isn't holding an open bluetooth communication channel to the BT device, so of course I won't be able to talk to it, even if the serial port is set up right
Even if I could talk to it, Apple iOS is so locked down that I won't be able to connect to it from an iPhone/iPad. :(
I have an Arduino application talking over USB to an application on Windows 8 using the MAVLINK protocol. The connection appears as COM3.
Is there a Windows application that can spy on this connection and display the traffic going in both directions? Raw bytes are fine, I don't need the protocol decoded.
You could log serial port activity using Portmon. (Edit: You need to first connect to the local computer via the Computer menu, and you must start capture on the port before a program opens it.)
You may not want to log USB traffic. Such a log would include a lot of extra information relating to the USB to serial adapter which is providing COM3. Portmon would only give you the bytes transferred over COM3, and the Mavlink protocol is entirely contained within that data stream. If you're sure you want to log all USB traffic to and from that device, then I recommend SnoopyPro. In Windows 7, you need to run it as administrator.
If you can use Windows XP in your environment, USB sniff should work for you. If you need something more powerful (and are willing to pay a fee for it) then USBLyzer might be a viable option.
The answer is SnoopyPro, and you can download it at:
SnoopyPro Sourceforge
This tool allows you to get USB information and also USB communication data. I used it in the past to know how a USB device worked in order to do its driver on Linux. I used this tool as a sniffer.
Basically, SnoopyPro allows you to intercept, display, record and analyze the USB protocol and all transferred data between any USB device connected to your PC and applications. It can be successfully used in application development, USB device driver or hardware development and offers the powerful platform for effective coding, testing and optimization.
I'd like to modify a USB driver to send and receive USB data over a network.
Take for example, an iMac and a PC. I have an iPod plugged in to my PC (in NY). I want my iMac (in LA) to recognize the iPod as plugged in to a local USB port and be able to communicate with the iPod.
Forget my qualifications, or lack thereof (I have background in web, iOS apps, I've toyed with Java and C).
Where can I get source code for a USB driver for Windows that I can modify? Mac OS?
Any tips or pointers towards accomplishing my goal would be appreciated as well.
It looks like folks are coming up with something close to what you want. If you do decide to roll your own, the USB driver source you asked for is libusb.
On the Mac OS X end, drivers are built up in a stack. What you want to do should be relatively simple (nothing is really simple in kernel land). You need to create a driver that can communicate over ethernet with the PC and looks like a USB device to the driver matching software. Then everything else will happen automatically.
The source code is available for Apple's USB stack. You should also read about the IOKit API and IOKit device driver guidelines and IOKit fundamentals.
Oh yes and you say you have toyed with Java and C. To write device drivers on OS X, you'll need to learn some C++.
I suggest you to go see USBIP project. This is available on Linux and Windows, but not clear for MAC. If you can get a VHCI-Controller driver installed for MAC, we can kick start USBIP for MAC.
Sounds quite like this product, a bit unsure if theirs works over wide-area networks though.
I have a general idea of how I'd go about it, but not any specifics. Basically, I'd use the platform's driver development kit to write a USB device emulator on the client machine. I'd then add a virtual device to that system called "Networked USB Host", or something similar that maintains an open port to listen for communication from the server and passes it on to your virtual USB device. IIRC, the Windows DDK comes with a USB simulation framework that might be able to help you with this.
On the server, you'd have to hook into the USB subsystem to send raw USB packets to the client machine. libpcap and wireshark have USB capturing facilities for that, but I'm not sure if this works with winpcap and the Windows version of wireshark as well.
EDIT: Look at this for cross-platform USB capture alternatives.
You can buy OSR USB learning kit: https://www.osronline.com/custom.cfm?name=index_fullframeset.cfm&pageURL=https://www.osronline.com/store/index.cfm
This is actually small USB device with known interface. Windows Driver Kit (WDK) contains sample KMDF driver for this device: http://www.microsoft.com/whdc/driver/wdk/
This is good starting point to learn Windows Drivers development, and USB drivers development specifically. However, it is still far away from your problem solution.
Can't you use some sort of Remote Desktop?
From time to time, I need to dump USB traffic under Windows, mostly to support hardware under Linux, so my primary goal is to produce dump files for protocol analysis.
For USB traffic, it seems that SniffUsb is the clear winner... It works under Windows XP (but not later) and has a much nicer GUI than earlier versions. It produces huge dump files, but everything is there.
However, my device is in fact a USB serial device, so I turned to Portmon which can sniff serial port traffic without the USB overhead.
After five years waiting, now it's possible to sniff usb packets on windows
See http://desowin.org/usbpcap/tour.html for a quick tour. It works pretty well
Since people don't seem to realize it, Wireshark does monitor USB traffic and has a parser for it; but the catch is it only works under Linux. Wireshark on Windows will not do this.
It may be possible to plug the USB device you want to monitor, along with a Linux machine (with Wireshark running) and your Windows machine and just use the USB device under Windows.
Problem with the above? I don't know how the Linux machine or the Windows machine will detect each other.
Busdog, an open source project hosted on github, has worked well for me. It has a driver it installs to allow it to monitor USB communications. The config window allows you to reinstall or remove the device at any time.
You can select the USB device you want from an enumerated list. A nice feature is to have it automatically trace a new device that is plugged in:
Data communications to and from an SWR analyzer I was reverse engineering were captured flawlessly:
USBSnoop works too - and is free.
Or, you could buy a USB to Ethernet converter and use whatever network sniffer you prefer to see the data.
Personally, I'd use QEMU or KVM and instrument their USB passthrough code, and then use libusb to prototype the replacement driver in user space (this latter bit I've done before; writing USB device drivers in Python is fun!).
Microsoft Message Analyzer was able to capture USB traffic, with Device and Log File parser from MS: link
Update: as mentioned by #facetus, MS Message Analyzer has been retired on November 25 2019.
With OSX 10.5. it's no longer possible to spoof MAC addresses of your wired interface (e.g. en0) with "ifconfig en0 laddr/ether XX:YY:...."
a/ why is that?
b/ how is it notwithstanding done by e.g. VMware "vmnet-xxx" deamons?
c/ does anyone know wether the Apple Developer package contains detailed and useful information regarding the mach kernel device interfaces? e.g. device driver example code, and the like?
Thank you very much
Grusz
A: This may be a change for security reasons in the work place (this is just pure speculation, and may or may not be true), as it seems to be a driver issue (this was possible in Tiger, I know from experience). It is still possible to this on the wireless interface en1. Even if the physical interface did not support it, the device could be put into "monitor" mode and have the MAC address matching take place higher up in the IP chain. We shall have to wait and see what Apple does about this.
B: Those daemons put your wired network into "monitor" mode, basically what this does is tell your network card that you want everything that is being sent to you to be handled by the OS, so it turns off filtering that is done on the network card (if it supports it) which would normally discard things that were not destined for itself (its MAC address), and then it does it all in software, using the standard filtering hooks provided by the OS it can listen to any incoming packets and grab those off the wire that are destined to the fake MAC address that VMWare has set.
Explained in laymen terms: Lets say you are sitting at an airport and are waiting for an announcement that you can board your plane, you passively listen but ignore everything that does not contain your flight number. Now someone else comes along and asks you to also listen for their flight number, now you have to actively listen since you can't just filter on one flight number.
C: Yes, amongst other things you will find code examples and reference manuals. They are also all available online and you may find the code for most device drivers online as well if they were developed by Apple. The documentation is fairly good however I have noticed that in certain areas it has been lacking and made it fairly difficult for me to figure out what I needed to do to get something done. Developer.apple.com's Conceptual Network Device Driver. The source code for Darwin is also available at http://www.opensource.apple.com/darwinsource/, there you can find most device drivers for Mac OS X as long as Apple is allowed to release them as Open Source (Yukon2 driver is not included)
what worked for me was this, boot into a linux distro, change mac address there so that you have a working internet connection, reboot into mac os x(tried with 10.5.5), the mac stays spoofed from linux - with my pc, it worked even over system restarts/shutdowns
to be more specific, i tried this with ubuntu 8.04(i believe), to change mac address there:
sudo ifconfig eth0 down
sudo ifconfig eth0 hw ether 000102020405
sudo ifconfig eth0 up
of course you need to replace the 000102020405 with the real MAC you want to use, beware, with other distros, even different versions of ubuntu, the MAC spoofing procedure might differ slightly(you need to restart the connection etc..) - the magic of this trick is in the fact it actually might work off a live distro, so you don't need to install anything, but i never tried this
good luck
I have the MacBookPro Retina late 2013 running OSX 10.9 and I can do it!
The first thing I tried is what has previously worked for me on linux:
sudo -s
ifconfig en0 down
ifconfig en0 lladdr aa:bb:cc:dd:ee:ff
ifconfig en0 up
However, this on my machine results in an ioctl error (power is off)
So after much experimentation I figured that you must change the mac address while the interface is up, but while it is not being used by the Airport utility. This is easier said than done!
I put these commands together and fiddled the delays until my mac changed successfully - this is what worked for me:
ifconfig en0 down; sleep 0.5; ifconfig en0 up; sleep 2;\
ifconfig en0 lladdr aa:bb:cc:dd:ee:ff; ifconfig en0
You may have to change your delays so you catch it before Airport kicks in. Hope this helps!
Edit: You may have success by booting linux as "nofu" said, but it's a hassle to set up dual boot on the MacBookPro, so let me know if this "sleep method" works for you, the delay and for what version of OSX.