About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Documentation / usb / usbmon.txt

Based on kernel version 2.6.26. Page generated on 2008-07-16 21:13 EST.

1	* Introduction
2	
3	The name "usbmon" in lowercase refers to a facility in kernel which is
4	used to collect traces of I/O on the USB bus. This function is analogous
5	to a packet socket used by network monitoring tools such as tcpdump(1)
6	or Ethereal. Similarly, it is expected that a tool such as usbdump or
7	USBMon (with uppercase letters) is used to examine raw traces produced
8	by usbmon.
9	
10	The usbmon reports requests made by peripheral-specific drivers to Host
11	Controller Drivers (HCD). So, if HCD is buggy, the traces reported by
12	usbmon may not correspond to bus transactions precisely. This is the same
13	situation as with tcpdump.
14	
15	* How to use usbmon to collect raw text traces
16	
17	Unlike the packet socket, usbmon has an interface which provides traces
18	in a text format. This is used for two purposes. First, it serves as a
19	common trace exchange format for tools while more sophisticated formats
20	are finalized. Second, humans can read it in case tools are not available.
21	
22	To collect a raw text trace, execute following steps.
23	
24	1. Prepare
25	
26	Mount debugfs (it has to be enabled in your kernel configuration), and
27	load the usbmon module (if built as module). The second step is skipped
28	if usbmon is built into the kernel.
29	
30	# mount -t debugfs none_debugs /sys/kernel/debug
31	# modprobe usbmon
32	#
33	
34	Verify that bus sockets are present.
35	
36	# ls /sys/kernel/debug/usbmon
37	0s  0t  0u  1s  1t  1u  2s  2t  2u  3s  3t  3u  4s  4t  4u
38	#
39	
40	Now you can choose to either use the sockets numbered '0' (to capture packets on
41	all buses), and skip to step #3, or find the bus used by your device with step #2.
42	
43	2. Find which bus connects to the desired device
44	
45	Run "cat /proc/bus/usb/devices", and find the T-line which corresponds to
46	the device. Usually you do it by looking for the vendor string. If you have
47	many similar devices, unplug one and compare two /proc/bus/usb/devices outputs.
48	The T-line will have a bus number. Example:
49	
50	T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
51	D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
52	P:  Vendor=0557 ProdID=2004 Rev= 1.00
53	S:  Manufacturer=ATEN
54	S:  Product=UC100KM V2.00
55	
56	Bus=03 means it's bus 3.
57	
58	3. Start 'cat'
59	
60	# cat /sys/kernel/debug/usbmon/3u > /tmp/1.mon.out
61	
62	to listen on a single bus, otherwise, to listen on all buses, type:
63	
64	# cat /sys/kernel/debug/usbmon/0u > /tmp/1.mon.out
65	
66	This process will be reading until killed. Naturally, the output can be
67	redirected to a desirable location. This is preferred, because it is going
68	to be quite long.
69	
70	4. Perform the desired operation on the USB bus
71	
72	This is where you do something that creates the traffic: plug in a flash key,
73	copy files, control a webcam, etc.
74	
75	5. Kill cat
76	
77	Usually it's done with a keyboard interrupt (Control-C).
78	
79	At this point the output file (/tmp/1.mon.out in this example) can be saved,
80	sent by e-mail, or inspected with a text editor. In the last case make sure
81	that the file size is not excessive for your favourite editor.
82	
83	* Raw text data format
84	
85	Two formats are supported currently: the original, or '1t' format, and
86	the '1u' format. The '1t' format is deprecated in kernel 2.6.21. The '1u'
87	format adds a few fields, such as ISO frame descriptors, interval, etc.
88	It produces slightly longer lines, but otherwise is a perfect superset
89	of '1t' format.
90	
91	If it is desired to recognize one from the other in a program, look at the
92	"address" word (see below), where '1u' format adds a bus number. If 2 colons
93	are present, it's the '1t' format, otherwise '1u'.
94	
95	Any text format data consists of a stream of events, such as URB submission,
96	URB callback, submission error. Every event is a text line, which consists
97	of whitespace separated words. The number or position of words may depend
98	on the event type, but there is a set of words, common for all types.
99	
100	Here is the list of words, from left to right:
101	
102	- URB Tag. This is used to identify URBs is normally a kernel mode address
103	 of the URB structure in hexadecimal.
104	
105	- Timestamp in microseconds, a decimal number. The timestamp's resolution
106	  depends on available clock, and so it can be much worse than a microsecond
107	  (if the implementation uses jiffies, for example).
108	
109	- Event Type. This type refers to the format of the event, not URB type.
110	  Available types are: S - submission, C - callback, E - submission error.
111	
112	- "Address" word (formerly a "pipe"). It consists of four fields, separated by
113	  colons: URB type and direction, Bus number, Device address, Endpoint number.
114	  Type and direction are encoded with two bytes in the following manner:
115	    Ci Co   Control input and output
116	    Zi Zo   Isochronous input and output
117	    Ii Io   Interrupt input and output
118	    Bi Bo   Bulk input and output
119	  Bus number, Device address, and Endpoint are decimal numbers, but they may
120	  have leading zeros, for the sake of human readers.
121	
122	- URB Status word. This is either a letter, or several numbers separated
123	  by colons: URB status, interval, start frame, and error count. Unlike the
124	  "address" word, all fields save the status are optional. Interval is printed
125	  only for interrupt and isochronous URBs. Start frame is printed only for
126	  isochronous URBs. Error count is printed only for isochronous callback
127	  events.
128	
129	  The status field is a decimal number, sometimes negative, which represents
130	  a "status" field of the URB. This field makes no sense for submissions, but
131	  is present anyway to help scripts with parsing. When an error occurs, the
132	  field contains the error code.
133	
134	  In case of a submission of a Control packet, this field contains a Setup Tag
135	  instead of an group of numbers. It is easy to tell whether the Setup Tag is
136	  present because it is never a number. Thus if scripts find a set of numbers
137	  in this word, they proceed to read Data Length (except for isochronous URBs).
138	  If they find something else, like a letter, they read the setup packet before
139	  reading the Data Length or isochronous descriptors.
140	
141	- Setup packet, if present, consists of 5 words: one of each for bmRequestType,
142	  bRequest, wValue, wIndex, wLength, as specified by the USB Specification 2.0.
143	  These words are safe to decode if Setup Tag was 's'. Otherwise, the setup
144	  packet was present, but not captured, and the fields contain filler.
145	
146	- Number of isochronous frame descriptors and descriptors themselves.
147	  If an Isochronous transfer event has a set of descriptors, a total number
148	  of them in an URB is printed first, then a word per descriptor, up to a
149	  total of 5. The word consists of 3 colon-separated decimal numbers for
150	  status, offset, and length respectively. For submissions, initial length
151	  is reported. For callbacks, actual length is reported.
152	
153	- Data Length. For submissions, this is the requested length. For callbacks,
154	  this is the actual length.
155	
156	- Data tag. The usbmon may not always capture data, even if length is nonzero.
157	  The data words are present only if this tag is '='.
158	
159	- Data words follow, in big endian hexadecimal format. Notice that they are
160	  not machine words, but really just a byte stream split into words to make
161	  it easier to read. Thus, the last word may contain from one to four bytes.
162	  The length of collected data is limited and can be less than the data length
163	  report in Data Length word.
164	
165	Here is an example of code to read the data stream in a well known programming
166	language:
167	
168	class ParsedLine {
169		int data_len;		/* Available length of data */
170		byte data[];
171	
172		void parseData(StringTokenizer st) {
173			int availwords = st.countTokens();
174			data = new byte[availwords * 4];
175			data_len = 0;
176			while (st.hasMoreTokens()) {
177				String data_str = st.nextToken();
178				int len = data_str.length() / 2;
179				int i;
180				int b;	// byte is signed, apparently?! XXX
181				for (i = 0; i < len; i++) {
182					// data[data_len] = Byte.parseByte(
183					//     data_str.substring(i*2, i*2 + 2),
184					//     16);
185					b = Integer.parseInt(
186					     data_str.substring(i*2, i*2 + 2),
187					     16);
188					if (b >= 128)
189						b *= -1;
190					data[data_len] = (byte) b;
191					data_len++;
192				}
193			}
194		}
195	}
196	
197	Examples:
198	
199	An input control transfer to get a port status.
200	
201	d5ea89a0 3575914555 S Ci:1:001:0 s a3 00 0000 0003 0004 4 <
202	d5ea89a0 3575914560 C Ci:1:001:0 0 4 = 01050000
203	
204	An output bulk transfer to send a SCSI command 0x5E in a 31-byte Bulk wrapper
205	to a storage device at address 5:
206	
207	dd65f0e8 4128379752 S Bo:1:005:2 -115 31 = 55534243 5e000000 00000000 00000600 00000000 00000000 00000000 000000
208	dd65f0e8 4128379808 C Bo:1:005:2 0 31 >
209	
210	* Raw binary format and API
211	
212	The overall architecture of the API is about the same as the one above,
213	only the events are delivered in binary format. Each event is sent in
214	the following structure (its name is made up, so that we can refer to it):
215	
216	struct usbmon_packet {
217		u64 id;			/*  0: URB ID - from submission to callback */
218		unsigned char type;	/*  8: Same as text; extensible. */
219		unsigned char xfer_type; /*    ISO (0), Intr, Control, Bulk (3) */
220		unsigned char epnum;	/*     Endpoint number and transfer direction */
221		unsigned char devnum;	/*     Device address */
222		u16 busnum;		/* 12: Bus number */
223		char flag_setup;	/* 14: Same as text */
224		char flag_data;		/* 15: Same as text; Binary zero is OK. */
225		s64 ts_sec;		/* 16: gettimeofday */
226		s32 ts_usec;		/* 24: gettimeofday */
227		int status;		/* 28: */
228		unsigned int length;	/* 32: Length of data (submitted or actual) */
229		unsigned int len_cap;	/* 36: Delivered length */
230		unsigned char setup[8];	/* 40: Only for Control 'S' */
231	};				/* 48 bytes total */
232	
233	These events can be received from a character device by reading with read(2),
234	with an ioctl(2), or by accessing the buffer with mmap.
235	
236	The character device is usually called /dev/usbmonN, where N is the USB bus
237	number. Number zero (/dev/usbmon0) is special and means "all buses".
238	However, this feature is not implemented yet. Note that specific naming
239	policy is set by your Linux distribution.
240	
241	If you create /dev/usbmon0 by hand, make sure that it is owned by root
242	and has mode 0600. Otherwise, unpriviledged users will be able to snoop
243	keyboard traffic.
244	
245	The following ioctl calls are available, with MON_IOC_MAGIC 0x92:
246	
247	 MON_IOCQ_URB_LEN, defined as _IO(MON_IOC_MAGIC, 1)
248	
249	This call returns the length of data in the next event. Note that majority of
250	events contain no data, so if this call returns zero, it does not mean that
251	no events are available.
252	
253	 MON_IOCG_STATS, defined as _IOR(MON_IOC_MAGIC, 3, struct mon_bin_stats)
254	
255	The argument is a pointer to the following structure:
256	
257	struct mon_bin_stats {
258		u32 queued;
259		u32 dropped;
260	};
261	
262	The member "queued" refers to the number of events currently queued in the
263	buffer (and not to the number of events processed since the last reset).
264	
265	The member "dropped" is the number of events lost since the last call
266	to MON_IOCG_STATS.
267	
268	 MON_IOCT_RING_SIZE, defined as _IO(MON_IOC_MAGIC, 4)
269	
270	This call sets the buffer size. The argument is the size in bytes.
271	The size may be rounded down to the next chunk (or page). If the requested
272	size is out of [unspecified] bounds for this kernel, the call fails with
273	-EINVAL.
274	
275	 MON_IOCQ_RING_SIZE, defined as _IO(MON_IOC_MAGIC, 5)
276	
277	This call returns the current size of the buffer in bytes.
278	
279	 MON_IOCX_GET, defined as _IOW(MON_IOC_MAGIC, 6, struct mon_get_arg)
280	
281	This call waits for events to arrive if none were in the kernel buffer,
282	then returns the first event. Its argument is a pointer to the following
283	structure:
284	
285	struct mon_get_arg {
286		struct usbmon_packet *hdr;
287		void *data;
288		size_t alloc;		/* Length of data (can be zero) */
289	};
290	
291	Before the call, hdr, data, and alloc should be filled. Upon return, the area
292	pointed by hdr contains the next event structure, and the data buffer contains
293	the data, if any. The event is removed from the kernel buffer.
294	
295	 MON_IOCX_MFETCH, defined as _IOWR(MON_IOC_MAGIC, 7, struct mon_mfetch_arg)
296	
297	This ioctl is primarily used when the application accesses the buffer
298	with mmap(2). Its argument is a pointer to the following structure:
299	
300	struct mon_mfetch_arg {
301		uint32_t *offvec;	/* Vector of events fetched */
302		uint32_t nfetch;	/* Number of events to fetch (out: fetched) */
303		uint32_t nflush;	/* Number of events to flush */
304	};
305	
306	The ioctl operates in 3 stages.
307	
308	First, it removes and discards up to nflush events from the kernel buffer.
309	The actual number of events discarded is returned in nflush.
310	
311	Second, it waits for an event to be present in the buffer, unless the pseudo-
312	device is open with O_NONBLOCK.
313	
314	Third, it extracts up to nfetch offsets into the mmap buffer, and stores
315	them into the offvec. The actual number of event offsets is stored into
316	the nfetch.
317	
318	 MON_IOCH_MFLUSH, defined as _IO(MON_IOC_MAGIC, 8)
319	
320	This call removes a number of events from the kernel buffer. Its argument
321	is the number of events to remove. If the buffer contains fewer events
322	than requested, all events present are removed, and no error is reported.
323	This works when no events are available too.
324	
325	 FIONBIO
326	
327	The ioctl FIONBIO may be implemented in the future, if there's a need.
328	
329	In addition to ioctl(2) and read(2), the special file of binary API can
330	be polled with select(2) and poll(2). But lseek(2) does not work.
331	
332	* Memory-mapped access of the kernel buffer for the binary API
333	
334	The basic idea is simple:
335	
336	To prepare, map the buffer by getting the current size, then using mmap(2).
337	Then, execute a loop similar to the one written in pseudo-code below:
338	
339	   struct mon_mfetch_arg fetch;
340	   struct usbmon_packet *hdr;
341	   int nflush = 0;
342	   for (;;) {
343	      fetch.offvec = vec; // Has N 32-bit words
344	      fetch.nfetch = N;   // Or less than N
345	      fetch.nflush = nflush;
346	      ioctl(fd, MON_IOCX_MFETCH, &fetch);   // Process errors, too
347	      nflush = fetch.nfetch;       // This many packets to flush when done
348	      for (i = 0; i < nflush; i++) {
349	         hdr = (struct ubsmon_packet *) &mmap_area[vec[i]];
350	         if (hdr->type == '@')     // Filler packet
351	            continue;
352	         caddr_t data = &mmap_area[vec[i]] + 64;
353	         process_packet(hdr, data);
354	      }
355	   }
356	
357	Thus, the main idea is to execute only one ioctl per N events.
358	
359	Although the buffer is circular, the returned headers and data do not cross
360	the end of the buffer, so the above pseudo-code does not need any gathering.
Hide Line Numbers
About Kernel Documentation Linux Kernel Contact Linux Resources Linux Blog

Information is copyright its respective author. All material is available from the Linux Kernel Source distributed under a GPL License. This page is provided as a free service by mjmwired.net.