Capturing USB bus data on Linux
1. Overview
This article explains how to capture USB data on Linux, much like using Bus Hound on Windows. Note that this kind of tool only captures application-level data; the low-level USB protocol traffic, such as token packets and handshake packets, is not visible.
2. Environment setup
Capturing USB bus data on Linux requires the usbmon module and the tcpdump tool. tcpdump is common, so here we only cover setting up usbmon, which is also simple. First check whether the directory /sys/kernel/debug/usb/usbmon exists; if it does not, the module is not loaded.
root@Vostro:/sys/kernel/debug/usb# ls
devices ehci ohci uhci xhci
Run tcpdump -D; the output is shown below (for comparison later):
root@Vostro:/sys/bus/usb/devices/1-5# tcpdump -D
1.enp2s0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.wlp3s0 [Up, Wireless, Not associated]
5.bluetooth0 (Bluetooth adapter number 0) [Wireless, Association status unknown]
6.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
7.nflog (Linux netfilter log (NFLOG) interface) [none]
8.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
9.dbus-system (D-Bus system bus) [none]
10.dbus-session (D-Bus session bus) [none]
Load the module with modprobe usbmon; a usbmon directory then appears under that directory.
root@Vostro:/sys/kernel/debug/usb# ls
devices ehci ohci uhci xhci
root@Vostro:/sys/kernel/debug/usb# modprobe usbmon
root@Vostro:/sys/kernel/debug/usb#
root@Vostro:/sys/kernel/debug/usb#
root@Vostro:/sys/kernel/debug/usb# ls
devices ehci ohci uhci usbmon xhci
Run tcpdump -D again; as shown below, usbmon0/1/2 now appear.
root@Vostro:/sys/kernel/debug/usb# tcpdump -D
1.enp2s0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.wlp3s0 [Up, Wireless, Not associated]
5.bluetooth0 (Bluetooth adapter number 0) [Wireless, Association status unknown]
6.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
7.usbmon2 (Raw USB traffic, bus number 2)
8.usbmon1 (Raw USB traffic, bus number 1)
9.usbmon0 (Raw USB traffic, all USB buses) [none]
10.nflog (Linux netfilter log (NFLOG) interface) [none]
11.nfqueue (Linux netfilter queue (NFQUEUE) interface) [none]
12.dbus-system (D-Bus system bus) [none]
13.dbus-session (D-Bus session bus) [none]
Once the tools are in place, to capture the USB traffic of a particular device we need to look at the host's USB device information and determine which USB bus the target device sits on.
Use the lsusb command; if it is not available, cat /sys/kernel/debug/usb/devices works too. From the device's PID and VID we can identify which device is the one we want to capture, and at the same time see its Bus number and its Device number on that bus.
root@Vostro:/sys/kernel/debug/usb# usb-devices
T: Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=480 MxCh=10
D: Ver= 2.00 Cls=09(hub ) Sub=00 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1d6b ProdID=0002 Rev=05.15
S: Manufacturer=Linux 5.15.0-60-generic xhci-hcd
S: Product=xHCI Host Controller
S: SerialNumber=0000:00:14.0
C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 5 Spd=12 MxCh= 0
D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0cf3 ProdID=e005 Rev=00.02
C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
T: Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#= 1 Spd=5000 MxCh= 4
D: Ver= 3.00 Cls=09(hub ) Sub=00 Prot=03 MxPS= 9 #Cfgs= 1
P: Vendor=1d6b ProdID=0003 Rev=05.15
S: Manufacturer=Linux 5.15.0-60-generic xhci-hcd
S: Product=xHCI Host Controller
S: SerialNumber=0000:00:14.0
C: #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I: If#= 0 Alt= 0 #EPs= 1 Cls=09(hub ) Sub=00 Prot=00 Driver=hub
E: Ad=81(I) Atr=03(Int.) MxPS= 4 Ivl=256ms
root@Vostro:/sys/kernel/debug/usb#
3. Example and test
Suppose you need to capture the USB data of the device 05c6:90b2. It is on bus 1, so run tcpdump -i usbmon1 -w ./usblog.pcap; if the device is on bus 2, use usbmon2 instead, and so on.
root@Vostro:~/Joy/Test$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 004: ID 0bda:0129 Realtek Semiconductor Corp. RTS5129 Card Reader Controller
Bus 001 Device 101: ID 05c6:90b2 Qualcomm, Inc. Modem
Bus 001 Device 005: ID 0cf3:e005 Qualcomm Atheros Communications
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
root@Vostro:~/Joy/Test$ tcpdump -i usbmon1 -w ./usblog.pcap
tcpdump: listening on usbmon1, link-type USB_LINUX_MMAPPED (USB with padded Linux header), snapshot length 245824 bytes
^C1424 packets captured
1424 packets received by filter
0 packets dropped by kernel
Open the captured pcap file in Wireshark on Windows (see the figure below). To make it easier to read, you can filter on source, destination, etc. and view only the USB data of the device you are tracing.

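The per-device filtering described above can also be done offline on the pcap itself. The following is an added example, not code from the original post: a small Python reader for the USB_LINUX_MMAPPED records that tcpdump wrote, which decodes the 64-byte usbmon header in front of each URB and keeps only the URBs for one bus/device pair (device 101 on bus 1, the modem from the lsusb listing). It assumes a little-endian capture host like the one in the session, and the sample pcap bytes are constructed, not taken from the author's capture.

```python
import struct

# pcap headers; assumes a little-endian x86 capture host, as in the session above
PCAP_GLOBAL = struct.Struct("<IHHiIII")
PCAP_RECORD = struct.Struct("<IIII")
LINKTYPE_USB_LINUX_MMAPPED = 220  # the link type tcpdump printed for usbmon1
# struct usbmon_packet: the 64-byte header in front of every URB's payload
USBMON_HDR = struct.Struct("<QBBBBHbbqiiII8siiII")
XFER = {0: "isoc", 1: "intr", 2: "ctrl", 3: "bulk"}

def parse_usbmon_pcap(data: bytes) -> list:
    """Decode every URB event in a usbmon pcap into a plain dict."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = PCAP_GLOBAL.unpack_from(data)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_USB_LINUX_MMAPPED:
        raise ValueError("not a little-endian USB_LINUX_MMAPPED capture")
    off, urbs = PCAP_GLOBAL.size, []
    while off + PCAP_RECORD.size <= len(data):
        _sec, _usec, incl_len, _orig_len = PCAP_RECORD.unpack_from(data, off)
        rec = data[off + PCAP_RECORD.size:off + PCAP_RECORD.size + incl_len]
        off += PCAP_RECORD.size + incl_len
        if len(rec) < USBMON_HDR.size:
            continue  # cut short by the snaplen: skip rather than misparse
        (urb_id, ev, xfer, epnum, devnum, busnum, flag_setup, _flag_data, _ts_sec,
         _ts_usec, status, length, len_cap, setup) = USBMON_HDR.unpack_from(rec)[:14]
        urbs.append({"urb": urb_id, "event": chr(ev), "xfer": XFER.get(xfer, "?"),
                     "bus": busnum, "dev": devnum, "ep": epnum & 0x7F,
                     "dir": "IN" if epnum & 0x80 else "OUT", "status": status,
                     "len": length, "setup": setup if flag_setup == 0 else None,
                     "data": rec[USBMON_HDR.size:USBMON_HDR.size + len_cap]})
    return urbs

def urbs_for_device(urbs: list, bus: int, dev: int) -> list:
    # Same selection as filtering on bus id and device address in Wireshark
    return [u for u in urbs if u["bus"] == bus and u["dev"] == dev]

def _record(urb_id, event, xfer, epnum, devnum, busnum, setup=b"", payload=b""):
    # Constructed usbmon record; a submit ('S') carries status -EINPROGRESS (-115)
    hdr = USBMON_HDR.pack(urb_id, ord(event), xfer, epnum, devnum, busnum,
                          0 if setup else ord("-"), 0 if payload else ord("<"),
                          1700000000, 0, -115 if event == "S" else 0, len(payload),
                          len(payload), setup or bytes(8), 0, 0, 0, 0)
    return PCAP_RECORD.pack(1700000000, 0, len(hdr) + len(payload),
                            len(hdr) + len(payload)) + hdr + payload

# Constructed sample: GET_DESCRIPTOR to device 4 and a bulk OUT to modem device 101, both on bus 1
SAMPLE_PCAP = (
    PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 262144, LINKTYPE_USB_LINUX_MMAPPED)
    + _record(0xFFFF88001, "S", 2, 0x80, 4, 1, setup=bytes.fromhex("8006000100001200"))
    + _record(0xFFFF88002, "S", 3, 0x02, 101, 1, payload=b"AT+CGMI\r")
)
```

On a real file, call parse_usbmon_pcap(open("usblog.pcap", "rb").read()) and then urbs_for_device with the bus and device numbers lsusb reported.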
That wraps up capturing USB data on Linux. If you found this helpful, give the author a like 😊🤞