Add support for USB Linux packets (usbmon)
This PR adds support for packets captured with usbmon on Linux. The usbmon docs are here, although they're inaccurate in a few cases: https://docs.kernel.org/usb/usbmon.html. I mainly relied on the Wireshark implementation here: https://github.com/wireshark/wireshark/blob/master/epan/dissectors/packet-usb.c
DLT_USB_LINUX is the 48 byte header of usbmon, while DLT_USB_LINUX_MMAPPED is the 64 byte header. AFAIK, all captures on modern systems use the 64 byte header, but I'm not sure if this is correct. In any case, I can only really test with the 64 byte header on real PCAPs, and I only added the DLT_USB_LINUX support because it seemed easy enough to do.
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 81.43%. Comparing base (aff2b98) to head (f8e74c7).
Additional details and impacted files
@@ Coverage Diff @@
## master #4417 +/- ##
==========================================
- Coverage 81.56% 81.43% -0.14%
==========================================
Files 352 352
Lines 84032 84052 +20
==========================================
- Hits 68544 68451 -93
- Misses 15488 15601 +113
| Files | Coverage Δ | |
|---|---|---|
| scapy/data.py | 90.27% <100.00%> (+0.02%) | :arrow_up: |
| scapy/layers/usb.py | 95.08% <100.00%> (+2.22%) | :arrow_up: |
It seems that you need to keep track of the last request to figure out the type of the response you're dissecting. What's a good way to do something like this in scapy?
You could implement a USBSession or similar, that extends DefaultSession from scapy.sessions. We already have a few session classes in the code that might inspire you.
Thanks @gpotter2. I looked into this, but it seems like sessions are mainly for sniffing. How can I use a session with rdpcap or a PacketList?
@gpotter2 ping on that last question. Is there an example I can use for PCAPs specifically?
You can use sniff() with the offline parameter
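The request tracking asked about in this thread, as an added example that is not code from the PR or from scapy: it parses the 48-byte and 64-byte usbmon headers with plain `struct` and pairs each completion with its submission. The names `parse_usbmon` and `RequestTracker` are hypothetical, and the field layout (little-endian host, kernel `struct usbmon_packet`) and the pairing by URB id are assumptions of this sketch.

```python
import struct

# First 48 bytes are the DLT_USB_LINUX header; DLT_USB_LINUX_MMAPPED appends
# 16 more (interval, start_frame, xfer_flags, ndesc). Little-endian host assumed.
HDR48 = struct.Struct("<QBBBBHbbqiiII8s")
XFER_CONTROL = 2
SETUP_KEYS = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")


def parse_usbmon(buf, mmapped=True):
    """Split one usbmon record into a header dict and its payload bytes."""
    hlen = 64 if mmapped else 48
    if len(buf) < hlen:
        raise ValueError("truncated usbmon header")
    (urb_id, ev, xfer, ep, dev, bus, flag_setup, _flag_data,
     _sec, _usec, status, length, len_cap, setup) = HDR48.unpack_from(buf)
    hdr = dict(id=urb_id, event=chr(ev), xfer=xfer, ep=ep, dev=dev, bus=bus,
               status=status, length=length, setup=None)
    # flag_setup == 0 marks a captured SETUP stage on a control submission
    if xfer == XFER_CONTROL and hdr["event"] == "S" and flag_setup == 0:
        hdr["setup"] = dict(zip(SETUP_KEYS, struct.unpack("<BBHHH", setup)))
    # Slicing bounds the payload by the buffer even if len_cap overstates it
    return hdr, buf[hlen:hlen + len_cap]


class RequestTracker:
    """Pairs each completion ('C'/'E') with its submission ('S') by URB id."""

    def __init__(self):
        self.pending = {}

    def feed(self, buf, mmapped=True):
        hdr, data = parse_usbmon(buf, mmapped)
        key = (hdr["bus"], hdr["dev"], hdr["id"])
        if hdr["event"] == "S":
            self.pending[key] = hdr["setup"]
            return hdr, data, hdr["setup"]
        # The matching request says how to read `data`; None if never seen
        return hdr, data, self.pending.pop(key, None)


def demo():
    """Constructed sample: GET_DESCRIPTOR(device) submission and completion."""
    setup = struct.pack("<BBHHH", 0x80, 6, 0x0100, 0, 18)
    sub = HDR48.pack(0xABC, ord("S"), 2, 0x80, 3, 1, 0, ord("<"), 0, 0, -115, 18, 0, setup)
    cpl = HDR48.pack(0xABC, ord("C"), 2, 0x80, 3, 1, ord("-"), 0, 0, 0, 0, 18, 18, bytes(8))
    tracker = RequestTracker()
    tracker.feed(sub + bytes(16))
    return tracker.feed(cpl + bytes(16) + bytes(18))
```

A completion whose submission was never captured comes back with `None` as its request, so a dissector built on this has to fall back to raw bytes rather than guess the response type.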