On Apr 1, 2010, at 1:04 PM, Chris Maynard wrote:

> I was under the impression that libpcap allowed one to capture raw USB traffic
> (See http://wiki.wireshark.org/CaptureSetup/USB).  However, with libpcap 1.1, 
> this doesn't seem to work as I get an error from pcap_compile() with 
> pcap_geterr() returning, "USB link-layer type filtering not implemented".

What string are you passing to pcap_compile()?
> Looking at the libpcap source code in gencode.c:gen_linktype(), it seem would 
> seem to me that this really is the case and that it's not supported.

        XXX link-layer type filtering not implemented


        capturing on XXX not implemented

are different.

You can capture raw USB traffic with libpcap 1.x on Linux.  You just can't do 
any filtering with expressions that test anything other than the raw data.

> Can anyone comment?  Was it supported at one point but support was removed?

No.  It was never supported.

> Or am I just doing something wrong?

If you're passing to pcap_compile() a string that includes any filter 
primitives other than the "{expr} {relop} {expr}" primitives mentioned in the 
pcap-filter man page, or where any of the "special packet data accessors" 
({proto}[{expr}:{size}]) have a {proto} other than "link", yes, you're doing 
something wrong - that's not supported for USB (or IrDA or DOCSIS or LAPD or 
Bluetooth or IEEE 802.15.4 or IEEE 802.16 or AX.25 or CANbus or...).-
