Based on kernel version 2.6.26. Page generated on 2008-07-16 21:13 EST.
1 * Introduction 2 3 The name "usbmon" in lowercase refers to a facility in kernel which is 4 used to collect traces of I/O on the USB bus. This function is analogous 5 to a packet socket used by network monitoring tools such as tcpdump(1) 6 or Ethereal. Similarly, it is expected that a tool such as usbdump or 7 USBMon (with uppercase letters) is used to examine raw traces produced 8 by usbmon. 9 10 The usbmon reports requests made by peripheral-specific drivers to Host 11 Controller Drivers (HCD). So, if HCD is buggy, the traces reported by 12 usbmon may not correspond to bus transactions precisely. This is the same 13 situation as with tcpdump. 14 15 * How to use usbmon to collect raw text traces 16 17 Unlike the packet socket, usbmon has an interface which provides traces 18 in a text format. This is used for two purposes. First, it serves as a 19 common trace exchange format for tools while more sophisticated formats 20 are finalized. Second, humans can read it in case tools are not available. 21 22 To collect a raw text trace, execute following steps. 23 24 1. Prepare 25 26 Mount debugfs (it has to be enabled in your kernel configuration), and 27 load the usbmon module (if built as module). The second step is skipped 28 if usbmon is built into the kernel. 29 30 # mount -t debugfs none_debugs /sys/kernel/debug 31 # modprobe usbmon 32 # 33 34 Verify that bus sockets are present. 35 36 # ls /sys/kernel/debug/usbmon 37 0s 0t 0u 1s 1t 1u 2s 2t 2u 3s 3t 3u 4s 4t 4u 38 # 39 40 Now you can choose to either use the sockets numbered '0' (to capture packets on 41 all buses), and skip to step #3, or find the bus used by your device with step #2. 42 43 2. Find which bus connects to the desired device 44 45 Run "cat /proc/bus/usb/devices", and find the T-line which corresponds to 46 the device. Usually you do it by looking for the vendor string. If you have 47 many similar devices, unplug one and compare two /proc/bus/usb/devices outputs. 48 The T-line will have a bus number. Example: 49 50 T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 51 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 52 P: Vendor=0557 ProdID=2004 Rev= 1.00 53 S: Manufacturer=ATEN 54 S: Product=UC100KM V2.00 55 56 Bus=03 means it's bus 3. 57 58 3. Start 'cat' 59 60 # cat /sys/kernel/debug/usbmon/3u > /tmp/1.mon.out 61 62 to listen on a single bus, otherwise, to listen on all buses, type: 63 64 # cat /sys/kernel/debug/usbmon/0u > /tmp/1.mon.out 65 66 This process will be reading until killed. Naturally, the output can be 67 redirected to a desirable location. This is preferred, because it is going 68 to be quite long. 69 70 4. Perform the desired operation on the USB bus 71 72 This is where you do something that creates the traffic: plug in a flash key, 73 copy files, control a webcam, etc. 74 75 5. Kill cat 76 77 Usually it's done with a keyboard interrupt (Control-C). 78 79 At this point the output file (/tmp/1.mon.out in this example) can be saved, 80 sent by e-mail, or inspected with a text editor. In the last case make sure 81 that the file size is not excessive for your favourite editor. 82 83 * Raw text data format 84 85 Two formats are supported currently: the original, or '1t' format, and 86 the '1u' format. The '1t' format is deprecated in kernel 2.6.21. The '1u' 87 format adds a few fields, such as ISO frame descriptors, interval, etc. 88 It produces slightly longer lines, but otherwise is a perfect superset 89 of '1t' format. 90 91 If it is desired to recognize one from the other in a program, look at the 92 "address" word (see below), where '1u' format adds a bus number. If 2 colons 93 are present, it's the '1t' format, otherwise '1u'. 94 95 Any text format data consists of a stream of events, such as URB submission, 96 URB callback, submission error. Every event is a text line, which consists 97 of whitespace separated words. The number or position of words may depend 98 on the event type, but there is a set of words, common for all types. 99 100 Here is the list of words, from left to right: 101 102 - URB Tag. This is used to identify URBs is normally a kernel mode address 103 of the URB structure in hexadecimal. 104 105 - Timestamp in microseconds, a decimal number. The timestamp's resolution 106 depends on available clock, and so it can be much worse than a microsecond 107 (if the implementation uses jiffies, for example). 108 109 - Event Type. This type refers to the format of the event, not URB type. 110 Available types are: S - submission, C - callback, E - submission error. 111 112 - "Address" word (formerly a "pipe"). It consists of four fields, separated by 113 colons: URB type and direction, Bus number, Device address, Endpoint number. 114 Type and direction are encoded with two bytes in the following manner: 115 Ci Co Control input and output 116 Zi Zo Isochronous input and output 117 Ii Io Interrupt input and output 118 Bi Bo Bulk input and output 119 Bus number, Device address, and Endpoint are decimal numbers, but they may 120 have leading zeros, for the sake of human readers. 121 122 - URB Status word. This is either a letter, or several numbers separated 123 by colons: URB status, interval, start frame, and error count. Unlike the 124 "address" word, all fields save the status are optional. Interval is printed 125 only for interrupt and isochronous URBs. Start frame is printed only for 126 isochronous URBs. Error count is printed only for isochronous callback 127 events. 128 129 The status field is a decimal number, sometimes negative, which represents 130 a "status" field of the URB. This field makes no sense for submissions, but 131 is present anyway to help scripts with parsing. When an error occurs, the 132 field contains the error code. 133 134 In case of a submission of a Control packet, this field contains a Setup Tag 135 instead of an group of numbers. It is easy to tell whether the Setup Tag is 136 present because it is never a number. Thus if scripts find a set of numbers 137 in this word, they proceed to read Data Length (except for isochronous URBs). 138 If they find something else, like a letter, they read the setup packet before 139 reading the Data Length or isochronous descriptors. 140 141 - Setup packet, if present, consists of 5 words: one of each for bmRequestType, 142 bRequest, wValue, wIndex, wLength, as specified by the USB Specification 2.0. 143 These words are safe to decode if Setup Tag was 's'. Otherwise, the setup 144 packet was present, but not captured, and the fields contain filler. 145 146 - Number of isochronous frame descriptors and descriptors themselves. 147 If an Isochronous transfer event has a set of descriptors, a total number 148 of them in an URB is printed first, then a word per descriptor, up to a 149 total of 5. The word consists of 3 colon-separated decimal numbers for 150 status, offset, and length respectively. For submissions, initial length 151 is reported. For callbacks, actual length is reported. 152 153 - Data Length. For submissions, this is the requested length. For callbacks, 154 this is the actual length. 155 156 - Data tag. The usbmon may not always capture data, even if length is nonzero. 157 The data words are present only if this tag is '='. 158 159 - Data words follow, in big endian hexadecimal format. Notice that they are 160 not machine words, but really just a byte stream split into words to make 161 it easier to read. Thus, the last word may contain from one to four bytes. 162 The length of collected data is limited and can be less than the data length 163 report in Data Length word. 164 165 Here is an example of code to read the data stream in a well known programming 166 language: 167 168 class ParsedLine { 169 int data_len; /* Available length of data */ 170 byte data[]; 171 172 void parseData(StringTokenizer st) { 173 int availwords = st.countTokens(); 174 data = new byte[availwords * 4]; 175 data_len = 0; 176 while (st.hasMoreTokens()) { 177 String data_str = st.nextToken(); 178 int len = data_str.length() / 2; 179 int i; 180 int b; // byte is signed, apparently?! XXX 181 for (i = 0; i < len; i++) { 182 // data[data_len] = Byte.parseByte( 183 // data_str.substring(i*2, i*2 + 2), 184 // 16); 185 b = Integer.parseInt( 186 data_str.substring(i*2, i*2 + 2), 187 16); 188 if (b >= 128) 189 b *= -1; 190 data[data_len] = (byte) b; 191 data_len++; 192 } 193 } 194 } 195 } 196 197 Examples: 198 199 An input control transfer to get a port status. 200 201 d5ea89a0 3575914555 S Ci:1:001:0 s a3 00 0000 0003 0004 4 < 202 d5ea89a0 3575914560 C Ci:1:001:0 0 4 = 01050000 203 204 An output bulk transfer to send a SCSI command 0x5E in a 31-byte Bulk wrapper 205 to a storage device at address 5: 206 207 dd65f0e8 4128379752 S Bo:1:005:2 -115 31 = 55534243 5e000000 00000000 00000600 00000000 00000000 00000000 000000 208 dd65f0e8 4128379808 C Bo:1:005:2 0 31 > 209 210 * Raw binary format and API 211 212 The overall architecture of the API is about the same as the one above, 213 only the events are delivered in binary format. Each event is sent in 214 the following structure (its name is made up, so that we can refer to it): 215 216 struct usbmon_packet { 217 u64 id; /* 0: URB ID - from submission to callback */ 218 unsigned char type; /* 8: Same as text; extensible. */ 219 unsigned char xfer_type; /* ISO (0), Intr, Control, Bulk (3) */ 220 unsigned char epnum; /* Endpoint number and transfer direction */ 221 unsigned char devnum; /* Device address */ 222 u16 busnum; /* 12: Bus number */ 223 char flag_setup; /* 14: Same as text */ 224 char flag_data; /* 15: Same as text; Binary zero is OK. */ 225 s64 ts_sec; /* 16: gettimeofday */ 226 s32 ts_usec; /* 24: gettimeofday */ 227 int status; /* 28: */ 228 unsigned int length; /* 32: Length of data (submitted or actual) */ 229 unsigned int len_cap; /* 36: Delivered length */ 230 unsigned char setup[8]; /* 40: Only for Control 'S' */ 231 }; /* 48 bytes total */ 232 233 These events can be received from a character device by reading with read(2), 234 with an ioctl(2), or by accessing the buffer with mmap. 235 236 The character device is usually called /dev/usbmonN, where N is the USB bus 237 number. Number zero (/dev/usbmon0) is special and means "all buses". 238 However, this feature is not implemented yet. Note that specific naming 239 policy is set by your Linux distribution. 240 241 If you create /dev/usbmon0 by hand, make sure that it is owned by root 242 and has mode 0600. Otherwise, unpriviledged users will be able to snoop 243 keyboard traffic. 244 245 The following ioctl calls are available, with MON_IOC_MAGIC 0x92: 246 247 MON_IOCQ_URB_LEN, defined as _IO(MON_IOC_MAGIC, 1) 248 249 This call returns the length of data in the next event. Note that majority of 250 events contain no data, so if this call returns zero, it does not mean that 251 no events are available. 252 253 MON_IOCG_STATS, defined as _IOR(MON_IOC_MAGIC, 3, struct mon_bin_stats) 254 255 The argument is a pointer to the following structure: 256 257 struct mon_bin_stats { 258 u32 queued; 259 u32 dropped; 260 }; 261 262 The member "queued" refers to the number of events currently queued in the 263 buffer (and not to the number of events processed since the last reset). 264 265 The member "dropped" is the number of events lost since the last call 266 to MON_IOCG_STATS. 267 268 MON_IOCT_RING_SIZE, defined as _IO(MON_IOC_MAGIC, 4) 269 270 This call sets the buffer size. The argument is the size in bytes. 271 The size may be rounded down to the next chunk (or page). If the requested 272 size is out of [unspecified] bounds for this kernel, the call fails with 273 -EINVAL. 274 275 MON_IOCQ_RING_SIZE, defined as _IO(MON_IOC_MAGIC, 5) 276 277 This call returns the current size of the buffer in bytes. 278 279 MON_IOCX_GET, defined as _IOW(MON_IOC_MAGIC, 6, struct mon_get_arg) 280 281 This call waits for events to arrive if none were in the kernel buffer, 282 then returns the first event. Its argument is a pointer to the following 283 structure: 284 285 struct mon_get_arg { 286 struct usbmon_packet *hdr; 287 void *data; 288 size_t alloc; /* Length of data (can be zero) */ 289 }; 290 291 Before the call, hdr, data, and alloc should be filled. Upon return, the area 292 pointed by hdr contains the next event structure, and the data buffer contains 293 the data, if any. The event is removed from the kernel buffer. 294 295 MON_IOCX_MFETCH, defined as _IOWR(MON_IOC_MAGIC, 7, struct mon_mfetch_arg) 296 297 This ioctl is primarily used when the application accesses the buffer 298 with mmap(2). Its argument is a pointer to the following structure: 299 300 struct mon_mfetch_arg { 301 uint32_t *offvec; /* Vector of events fetched */ 302 uint32_t nfetch; /* Number of events to fetch (out: fetched) */ 303 uint32_t nflush; /* Number of events to flush */ 304 }; 305 306 The ioctl operates in 3 stages. 307 308 First, it removes and discards up to nflush events from the kernel buffer. 309 The actual number of events discarded is returned in nflush. 310 311 Second, it waits for an event to be present in the buffer, unless the pseudo- 312 device is open with O_NONBLOCK. 313 314 Third, it extracts up to nfetch offsets into the mmap buffer, and stores 315 them into the offvec. The actual number of event offsets is stored into 316 the nfetch. 317 318 MON_IOCH_MFLUSH, defined as _IO(MON_IOC_MAGIC, 8) 319 320 This call removes a number of events from the kernel buffer. Its argument 321 is the number of events to remove. If the buffer contains fewer events 322 than requested, all events present are removed, and no error is reported. 323 This works when no events are available too. 324 325 FIONBIO 326 327 The ioctl FIONBIO may be implemented in the future, if there's a need. 328 329 In addition to ioctl(2) and read(2), the special file of binary API can 330 be polled with select(2) and poll(2). But lseek(2) does not work. 331 332 * Memory-mapped access of the kernel buffer for the binary API 333 334 The basic idea is simple: 335 336 To prepare, map the buffer by getting the current size, then using mmap(2). 337 Then, execute a loop similar to the one written in pseudo-code below: 338 339 struct mon_mfetch_arg fetch; 340 struct usbmon_packet *hdr; 341 int nflush = 0; 342 for (;;) { 343 fetch.offvec = vec; // Has N 32-bit words 344 fetch.nfetch = N; // Or less than N 345 fetch.nflush = nflush; 346 ioctl(fd, MON_IOCX_MFETCH, &fetch); // Process errors, too 347 nflush = fetch.nfetch; // This many packets to flush when done 348 for (i = 0; i < nflush; i++) { 349 hdr = (struct ubsmon_packet *) &mmap_area[vec[i]]; 350 if (hdr->type == '@') // Filler packet 351 continue; 352 caddr_t data = &mmap_area[vec[i]] + 64; 353 process_packet(hdr, data); 354 } 355 } 356 357 Thus, the main idea is to execute only one ioctl per N events. 358 359 Although the buffer is circular, the returned headers and data do not cross 360 the end of the buffer, so the above pseudo-code does not need any gathering.