usb sniffing using wireshark
A while back Kirk gave me a webcam that has pan and tilt control. It works well under Windows. But I’m a masochist — and I already have a weather station + insolation + multiple temperature measurement setup for an old linux laptop, and I thought it’d be nice to add a pan&tilt webcam to the mix.
The webcam is a Creative Live! Motion cam. It uses a standard ccd for which drivers are included in the mainline kernel so camorama et al can get video from it natively. But that doesn’t handle motion.
Soooo I fired up wireshark, preparing to copy these guys, who reverse-engineered the screendump program for an oscilloscope (and found that the scope actually dumps a nice full-color high-resolution screencap that the stock software degrades to a small monochrome picture).
So I installed XP in virtualbox, installed the cam drivers in XP, and fired up the camera.
Problem 1: no USB. I solved this by running virtualbox as root.
Problem 2: XP crashed the moment I tried to do anything with the camera. I solved this by starting virtualbox as root, and doing the whole XP install from that — just copying over a VM made as a user didn’t do it.
At this point the camera is stable in XP.
Problem 3: wireshark crashed the camera connection. As soon as wireshark came up, the USB stream got broken.
My friend Brian pointed out that other people have had problems with old versions of libpcap, upon which wireshark relies. Turns out even recent versions of Ubuntu and Mint have wireshark packages from 2007.
Independent repositories to the rescue: ppa:jelmer/daily will provide you with (as of right now) wireshark 1.4.2 rather than the stock 0.9 and that has a libpcap that works beautifully.
So now I can drive the video camera around, taking pictures, and logging usb commands. I can look through the packets — ignoring the 64 kbyte ones, which are just chatter between the computer and the camera, and analyzing the packets that are larger than that — and start figuring out how I can copy them.
That’s as far as I’ve gotten so far, because now I’m learning how to use wireshark’s filters so I can have it show only the differences between sequential packets.
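The two steps described above (throw away the chatter frames, then look only at what changes from one command packet to the next) are easy to do outside Wireshark as well, once the capture is exported with tshark. The script below is an added example, not code from the post: it assumes the capture was exported with `tshark -r capture.pcap -T fields -e frame.number -e frame.len -e usb.capdata` (tab-separated columns, capdata as colon-separated hex), drops frames of the 64 kbyte chatter size, and prints the byte offsets that differ between consecutive surviving frames. The sample export text and the command bytes in it are constructed for illustration and are not the camera's real protocol.

```python
"""Post-process a USB capture: drop the chatter frames, then show only the
bytes that change between consecutive command packets.

Added example; the tshark export format below is an assumption."""
import itertools
from dataclasses import dataclass

CHATTER_LEN = 64 * 1024  # size of the frames the post treats as chatter


@dataclass
class UsbFrame:
    number: int     # frame.number
    length: int     # frame.len (whole frame on the wire)
    payload: bytes  # usb.capdata; empty when the frame carried no leftover data


def parse_tshark_fields(text):
    """Parse `tshark -T fields -e frame.number -e frame.len -e usb.capdata`
    output: one frame per line, tab-separated, capdata as colon-hex (assumed)."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        number, length = int(cols[0]), int(cols[1])
        capdata = cols[2] if len(cols) > 2 else ""
        payload = bytes.fromhex(capdata.replace(":", ""))
        frames.append(UsbFrame(number, length, payload))
    return frames


def drop_chatter(frames, chatter_len=CHATTER_LEN):
    """Keep only frames whose length is not the chatter size."""
    return [f for f in frames if f.length != chatter_len]


def diff_sequential(frames):
    """For each consecutive pair of frames return (prev_no, cur_no, changes),
    where changes lists (offset, old_byte, new_byte) for every differing byte.
    None stands in for a byte that exists in only one payload, so commands of
    different lengths are compared rather than silently truncated."""
    result = []
    for prev, cur in zip(frames, frames[1:]):
        pairs = itertools.zip_longest(prev.payload, cur.payload)
        changes = [(i, a, b) for i, (a, b) in enumerate(pairs) if a != b]
        result.append((prev.number, cur.number, changes))
    return result


# Constructed sample export: four short command frames, one chatter frame
# (frame 13, 65536 bytes, no capdata) and one longer command at the end.
SAMPLE_EXPORT = "\n".join([
    "12\t72\t21:01:00:00:01:00:00:00",
    "13\t65536\t",
    "14\t72\t21:01:00:00:01:00:10:00",
    "15\t72\t21:01:00:00:01:00:20:00",
    "16\t72\t21:01:00:00:02:00:20:00",
    "17\t74\t21:01:00:00:02:00:20:00:ff:ff",
])


def main():
    frames = drop_chatter(parse_tshark_fields(SAMPLE_EXPORT))
    for prev_no, cur_no, changes in diff_sequential(frames):
        if not changes:
            print(f"frame {prev_no} -> {cur_no}: identical")
            continue
        shown = ", ".join(
            f"[{i}] {'--' if a is None else f'{a:02x}'} -> "
            f"{'--' if b is None else f'{b:02x}'}"
            for i, a, b in changes
        )
        print(f"frame {prev_no} -> {cur_no}: {shown}")


if __name__ == "__main__":
    main()
```

The same first step inside Wireshark itself is the display filter `frame.len != 65536`; the diff step is what the script adds, since Wireshark compares packets only one at a time. Once the byte that moves with each pan or tilt press is found this way, the offset and the values it takes are what a replay program needs.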