3 The name "usbmon" in lowercase refers to a facility in kernel which is
4 used to collect traces of I/O on the USB bus. This function is analogous
5 to a packet socket used by network monitoring tools such as tcpdump(1)
6 or Ethereal. Similarly, it is expected that a tool such as usbdump or
7 USBMon (with uppercase letters) is used to examine raw traces produced
10 The usbmon reports requests made by peripheral-specific drivers to Host
11 Controller Drivers (HCD). So, if HCD is buggy, the traces reported by
12 usbmon may not correspond to bus transactions precisely. This is the same
13 situation as with tcpdump.
15 * How to use usbmon to collect raw text traces
17 Unlike the packet socket, usbmon has an interface which provides traces
18 in a text format. This is used for two purposes. First, it serves as a
19 common trace exchange format for tools while most sophisticated formats
20 are finalized. Second, humans can read it in case tools are not available.
22 To collect a raw text trace, execute following steps.
26 Mount debugfs (it has to be enabled in your kernel configuration), and
27 load the usbmon module (if built as module). The second step is skipped
28 if usbmon is built into the kernel.
30 # mount -t debugfs none_debugs /sys/kernel/debug
34 Verify that bus sockets are present.
36 # ls /sys/kernel/debug/usbmon
37 1s 1t 2s 2t 3s 3t 4s 4t
40 2. Find which bus connects to the desired device
42 Run "cat /proc/bus/usb/devices", and find the T-line which corresponds to
43 the device. Usually you do it by looking for the vendor string. If you have
44 many similar devices, unplug one and compare two /proc/bus/usb/devices outputs.
45 The T-line will have a bus number. Example:
47 T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
48 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1
49 P: Vendor=0557 ProdID=2004 Rev= 1.00
51 S: Product=UC100KM V2.00
53 Bus=03 means it's bus 3.
57 # cat /sys/kernel/debug/usbmon/3t > /tmp/1.mon.out
59 This process will be reading until killed. Naturally, the output can be
60 redirected to a desirable location. This is preferred, because it is going
63 4. Perform the desired operation on the USB bus
65 This is where you do something that creates the traffic: plug in a flash key,
66 copy files, control a webcam, etc.
70 Usually it's done with a keyboard interrupt (Control-C).
72 At this point the output file (/tmp/1.mon.out in this example) can be saved,
73 sent by e-mail, or inspected with a text editor. In the last case make sure
74 that the file size is not excessive for your favourite editor.
76 * Raw text data format
78 The '1t' type data consists of a stream of events, such as URB submission,
79 URB callback, submission error. Every event is a text line, which consists
80 of whitespace separated words. The number or position of words may depend
81 on the event type, but there is a set of words, common for all types.
83 Here is the list of words, from left to right:
84 - URB Tag. This is used to identify URBs is normally a kernel mode address
85 of the URB structure in hexadecimal.
86 - Timestamp in microseconds, a decimal number. The timestamp's resolution
87 depends on available clock, and so it can be much worse than a microsecond
88 (if the implementation uses jiffies, for example).
89 - Event Type. This type refers to the format of the event, not URB type.
90 Available types are: S - submission, C - callback, E - submission error.
91 - "Pipe". The pipe concept is deprecated. This is a composite word, used to
92 be derived from information in pipes. It consists of three fields, separated
93 by colons: URB type and direction, Device address, Endpoint number.
94 Type and direction are encoded with two bytes in the following manner:
95 Ci Co Control input and output
96 Zi Zo Isochronous input and output
97 Ii Io Interrupt input and output
98 Bi Bo Bulk input and output
99 Device address and Endpoint number are 3-digit and 2-digit (respectively)
100 decimal numbers, with leading zeroes.
101 - URB Status. In most cases, this field contains a number, sometimes negative,
102 which represents a "status" field of the URB. This field makes no sense for
103 submissions, but is present anyway to help scripts with parsing. When an
104 error occurs, the field contains the error code. In case of a submission of
105 a Control packet, this field contains a Setup Tag instead of an error code.
106 It is easy to tell whether the Setup Tag is present because it is never a
107 number. Thus if scripts find a number in this field, they proceed to read
108 Data Length. If they find something else, like a letter, they read the setup
109 packet before reading the Data Length.
110 - Setup packet, if present, consists of 5 words: one of each for bmRequestType,
111 bRequest, wValue, wIndex, wLength, as specified by the USB Specification 2.0.
112 These words are safe to decode if Setup Tag was 's'. Otherwise, the setup
113 packet was present, but not captured, and the fields contain filler.
114 - Data Length. For submissions, this is the requested length. For callbacks,
115 this is the actual length.
116 - Data tag. The usbmon may not always capture data, even if length is nonzero.
117 The data words are present only if this tag is '='.
118 - Data words follow, in big endian hexadecimal format. Notice that they are
119 not machine words, but really just a byte stream split into words to make
120 it easier to read. Thus, the last word may contain from one to four bytes.
121 The length of collected data is limited and can be less than the data length
122 report in Data Length word.
124 Here is an example of code to read the data stream in a well known programming
128 int data_len; /* Available length of data */
131 void parseData(StringTokenizer st) {
132 int availwords = st.countTokens();
133 data = new byte[availwords * 4];
135 while (st.hasMoreTokens()) {
136 String data_str = st.nextToken();
137 int len = data_str.length() / 2;
139 int b; // byte is signed, apparently?! XXX
140 for (i = 0; i < len; i++) {
141 // data[data_len] = Byte.parseByte(
142 // data_str.substring(i*2, i*2 + 2),
144 b = Integer.parseInt(
145 data_str.substring(i*2, i*2 + 2),
149 data[data_len] = (byte) b;
156 This format may be changed in the future.
160 An input control transfer to get a port status.
162 d5ea89a0 3575914555 S Ci:001:00 s a3 00 0000 0003 0004 4 <
163 d5ea89a0 3575914560 C Ci:001:00 0 4 = 01050000
165 An output bulk transfer to send a SCSI command 0x5E in a 31-byte Bulk wrapper
166 to a storage device at address 5:
168 dd65f0e8 4128379752 S Bo:005:02 -115 31 = 55534243 5e000000 00000000 00000600 00000000 00000000 00000000 000000
169 dd65f0e8 4128379808 C Bo:005:02 0 31 >
171 * Raw binary format and API
173 The overall architecture of the API is about the same as the one above,
174 only the events are delivered in binary format. Each event is sent in
175 the following structure (its name is made up, so that we can refer to it):
177 struct usbmon_packet {
178 u64 id; /* 0: URB ID - from submission to callback */
179 unsigned char type; /* 8: Same as text; extensible. */
180 unsigned char xfer_type; /* ISO (0), Intr, Control, Bulk (3) */
181 unsigned char epnum; /* Endpoint number and transfer direction */
182 unsigned char devnum; /* Device address */
183 u16 busnum; /* 12: Bus number */
184 char flag_setup; /* 14: Same as text */
185 char flag_data; /* 15: Same as text; Binary zero is OK. */
186 s64 ts_sec; /* 16: gettimeofday */
187 s32 ts_usec; /* 24: gettimeofday */
188 int status; /* 28: */
189 unsigned int length; /* 32: Length of data (submitted or actual) */
190 unsigned int len_cap; /* 36: Delivered length */
191 unsigned char setup[8]; /* 40: Only for Control 'S' */
192 }; /* 48 bytes total */
194 These events can be received from a character device by reading with read(2),
195 with an ioctl(2), or by accessing the buffer with mmap.
197 The character device is usually called /dev/usbmonN, where N is the USB bus
198 number. Number zero (/dev/usbmon0) is special and means "all buses".
199 However, this feature is not implemented yet. Note that specific naming
200 policy is set by your Linux distribution.
202 If you create /dev/usbmon0 by hand, make sure that it is owned by root
203 and has mode 0600. Otherwise, unpriviledged users will be able to snoop
206 The following ioctl calls are available, with MON_IOC_MAGIC 0x92:
208 MON_IOCQ_URB_LEN, defined as _IO(MON_IOC_MAGIC, 1)
210 This call returns the length of data in the next event. Note that majority of
211 events contain no data, so if this call returns zero, it does not mean that
212 no events are available.
214 MON_IOCG_STATS, defined as _IOR(MON_IOC_MAGIC, 3, struct mon_bin_stats)
216 The argument is a pointer to the following structure:
218 struct mon_bin_stats {
223 The member "queued" refers to the number of events currently queued in the
224 buffer (and not to the number of events processed since the last reset).
226 The member "dropped" is the number of events lost since the last call
229 MON_IOCT_RING_SIZE, defined as _IO(MON_IOC_MAGIC, 4)
231 This call sets the buffer size. The argument is the size in bytes.
232 The size may be rounded down to the next chunk (or page). If the requested
233 size is out of [unspecified] bounds for this kernel, the call fails with
236 MON_IOCQ_RING_SIZE, defined as _IO(MON_IOC_MAGIC, 5)
238 This call returns the current size of the buffer in bytes.
240 MON_IOCX_GET, defined as _IOW(MON_IOC_MAGIC, 6, struct mon_get_arg)
242 This call waits for events to arrive if none were in the kernel buffer,
243 then returns the first event. Its argument is a pointer to the following
247 struct usbmon_packet *hdr;
249 size_t alloc; /* Length of data (can be zero) */
252 Before the call, hdr, data, and alloc should be filled. Upon return, the area
253 pointed by hdr contains the next event structure, and the data buffer contains
254 the data, if any. The event is removed from the kernel buffer.
256 MON_IOCX_MFETCH, defined as _IOWR(MON_IOC_MAGIC, 7, struct mon_mfetch_arg)
258 This ioctl is primarily used when the application accesses the buffer
259 with mmap(2). Its argument is a pointer to the following structure:
261 struct mon_mfetch_arg {
262 uint32_t *offvec; /* Vector of events fetched */
263 uint32_t nfetch; /* Number of events to fetch (out: fetched) */
264 uint32_t nflush; /* Number of events to flush */
267 The ioctl operates in 3 stages.
269 First, it removes and discards up to nflush events from the kernel buffer.
270 The actual number of events discarded is returned in nflush.
272 Second, it waits for an event to be present in the buffer, unless the pseudo-
273 device is open with O_NONBLOCK.
275 Third, it extracts up to nfetch offsets into the mmap buffer, and stores
276 them into the offvec. The actual number of event offsets is stored into
279 MON_IOCH_MFLUSH, defined as _IO(MON_IOC_MAGIC, 8)
281 This call removes a number of events from the kernel buffer. Its argument
282 is the number of events to remove. If the buffer contains fewer events
283 than requested, all events present are removed, and no error is reported.
284 This works when no events are available too.
288 The ioctl FIONBIO may be implemented in the future, if there's a need.
290 In addition to ioctl(2) and read(2), the special file of binary API can
291 be polled with select(2) and poll(2). But lseek(2) does not work.
293 * Memory-mapped access of the kernel buffer for the binary API
295 The basic idea is simple:
297 To prepare, map the buffer by getting the current size, then using mmap(2).
298 Then, execute a loop similar to the one written in pseudo-code below:
300 struct mon_mfetch_arg fetch;
301 struct usbmon_packet *hdr;
304 fetch.offvec = vec; // Has N 32-bit words
305 fetch.nfetch = N; // Or less than N
306 fetch.nflush = nflush;
307 ioctl(fd, MON_IOCX_MFETCH, &fetch); // Process errors, too
308 nflush = fetch.nfetch; // This many packets to flush when done
309 for (i = 0; i < nflush; i++) {
310 hdr = (struct ubsmon_packet *) &mmap_area[vec[i]];
311 if (hdr->type == '@') // Filler packet
313 caddr_t data = &mmap_area[vec[i]] + 64;
314 process_packet(hdr, data);
318 Thus, the main idea is to execute only one ioctl per N events.
320 Although the buffer is circular, the returned headers and data do not cross
321 the end of the buffer, so the above pseudo-code does not need any gathering.