How do I capture device specific USB packets with tshark?
I know the Device ID (0x0009) and Vendor ID (0x08f7); how can I specify the exact device I want to capture via tshark?
You may want to take a look at the tshark(1) - Linux man page and the tshark - Wireshark man page, and at the -f and -i switch options.
Also take a look at the Wireshark Capture Filters and the Wireshark USB display filter reference, which may be useful for building the right commands to filter for your needs.
You can use a capture filter expression such as usb.device_address == # or usb.addr == # with the -f option, so that the sniffer only captures packets from a specific USB device.
tshark - Wireshark man page
A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).
-f <capture filter>
Set the capture filter expression.
This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.
Source: tshark(1) - Linux man page
-i <capture interface>|-
Set the name of the network interface or pipe to use for live packet capture.
Network interface names should match one of the names listed in "tshark -D" (described above); a number, as reported by "tshark -D", can also be used. If you're using UNIX, "netstat -i" or "ifconfig -a" might also work to list interface names, although not all versions of UNIX support the -a option to ifconfig.
If no interface is specified, TShark searches the list of interfaces, choosing the first non-loopback interface if there are any non-loopback interfaces, and choosing the first loopback interface if there are no non-loopback interfaces. If there are no interfaces at all, TShark reports an error and doesn't start the capture.
Pipe names should be either the name of a FIFO (named pipe) or ''-'' to read data from the standard input. Data read from pipes must be in standard libpcap format.
Note: the Win32 version of TShark doesn't support capturing from pipes!
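An added worked example (not from the answer above or from the Wireshark project) that turns the two-step approach into a script: it picks the usbmon interface for a bus from `tshark -D` output, builds a command that reveals the usb.device_address of the device matching the question's VID/PID via the device descriptor, and then builds the per-address capture command. It assumes the question's "Device ID" is the USB idProduct, and it uses tshark's -Y display-filter option because the usb.* field names are display-filter fields rather than libpcap -f syntax; the `tshark -D` output is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original answer. Two-step approach:
#  1. pick the usbmon interface for the bus the device sits on (from `tshark -D`);
#  2. print a command that reveals the device address for the VID/PID from the
#     question, then a command that keeps only frames for that address.
# Assumption: "Device ID 0x0009" in the question is the USB product id (idProduct).

# Constructed sample of `tshark -D` output so this runs offline; on a real host
# replace it with: TSHARK_D=$(tshark -D)
TSHARK_D='1. eth0
2. usbmon1 (Raw USB traffic, bus number 1)
3. usbmon2 (Raw USB traffic, bus number 2)
4. lo (Loopback)'

# usbmon_iface BUS -> prints the usbmon interface name for that bus; exit 1 if none
usbmon_iface() {
    printf '%s\n' "$TSHARK_D" | awk -v bus="$1" '
        $2 ~ /^usbmon[0-9]+$/ && $0 ~ ("bus number " bus "\\)") { print $2; found = 1; exit }
        END { exit !found }'
}

# find_addr_cmd BUS VID PID -> command printing usb.device_address of frames whose
# device descriptor matches VID/PID (plug the device in after starting the capture:
# descriptors are only exchanged during enumeration)
find_addr_cmd() {
    iface=$(usbmon_iface "$1") || return 1
    printf 'tshark -i %s -Y "usb.idVendor == %s && usb.idProduct == %s" -T fields -e usb.device_address\n' \
        "$iface" "$2" "$3"
}

# capture_cmd BUS ADDR -> command keeping only frames to/from device address ADDR
capture_cmd() {
    iface=$(usbmon_iface "$1") || return 1
    printf 'tshark -i %s -Y "usb.device_address == %s"\n' "$iface" "$2"
}

# Stand-alone run: show both commands for bus 1, VID 0x08f7, PID 0x0009, address 9
find_addr_cmd 1 0x08f7 0x0009
capture_cmd 1 9
```

Run the first printed command, note the address it reports, then run the second with that address in place of 9.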