Friday, April 8, 2011

Sniffing USB traffic with VMware

VMware offers the possibility to dump all USB traffic, at the lowest level, to a log file. We describe here how to activate this feature, and additionally publish a script that converts the dump into the PCAP format, suitable for use with Wireshark.

Enable USB logging

VMware can be configured to dump all the low-level USB traffic going to a given virtual machine into a file on the host. This functionality is activated by adding a few lines to the .vmx virtual machine configuration file:

monitor = "debug"
usb.analyzer.enable = TRUE
usb.analyzer.maxLine = 8192
mouse.vusb.enable = FALSE

This enables logging of the raw USB traffic to the vmware.log file, with the USBIO prefix. The maxLine setting enables logging of the full USB packet payload. Once you start the virtual machine with these settings, beware that the log file may grow very large very quickly!

To make sense of the data gathered this way, a very good tool is available: vusb-analyzer. You can also refer to the project page for more information on the effects of the VMware configuration elements. The VMware log format is neither compact nor interoperable, so Sogeti ESEC Lab wrote a script that converts the USB information into the PCAP format. This way, you can examine the flow in Wireshark or many other tools. Please note that the PCAP format for USB is not very well documented, so your mileage may vary.
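As an added illustration of the conversion step (this is not the Sogeti ESEC Lab script, and the USBIO line layout it parses is a simplified assumption that you will need to adapt to the exact lines in your vmware.log), here is a minimal converter that wraps each logged transfer in a Linux usbmon header and writes a PCAP file with link type 189 (USB_LINUX), which Wireshark's USB dissector understands:

```python
import re
import struct

# Assumed, simplified USBIO line shapes (adjust the regexes to your vmware.log):
#   USBIO: Down dev=2 endpt=0 datalen=8
#   USBIO:  000: 80 06 00 01 00 00 12 00
HEADER_RE = re.compile(r"USBIO: (?P<dir>Up|Down) dev=(?P<dev>\d+) "
                       r"endpt=(?P<ep>[0-9a-fA-F]+) datalen=(?P<len>\d+)")
DATA_RE = re.compile(r"USBIO:\s+[0-9a-fA-F]+: ((?:[0-9a-fA-F]{2}\s?)+)$")
LINKTYPE_USB_LINUX = 189   # each packet = 48-byte usbmon header + payload

def parse_usbio(lines):
    """Group each USBIO header line with the hex dump lines that follow it."""
    transfers, cur = [], None
    for line in lines:
        m = HEADER_RE.search(line)
        if m:
            cur = {"dir": m["dir"], "dev": int(m["dev"]),
                   "ep": int(m["ep"], 16), "data": bytearray()}
            transfers.append(cur)
            continue
        m = DATA_RE.search(line)
        if m and cur is not None:
            cur["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return transfers

def usbmon_packet(t, ts_sec=0, ts_usec=0):
    """Build a Linux usbmon record; 'Up' is assumed to mean device-to-host (IN)."""
    data = bytes(t["data"])
    epnum = t["ep"] | (0x80 if t["dir"] == "Up" else 0)   # bit 7 = IN direction
    xfer = 2 if t["ep"] == 0 else 3                        # 2 = control, 3 = bulk
    hdr = struct.pack("<QBBBBHccqiiII8s",
                      0, ord("S"), xfer, epnum, t["dev"], 1,   # id, type, xfer, ep, dev, bus
                      b"-", b"\0" if data else b">",           # setup not decoded; data present?
                      ts_sec, ts_usec, 0, len(data), len(data), b"\0" * 8)
    return hdr + data

def build_pcap(transfers):
    """Serialize the transfers into a PCAP byte string loadable by Wireshark."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USB_LINUX)
    for i, t in enumerate(transfers):
        pkt = usbmon_packet(t, ts_sec=i)
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

# Constructed sample: a GET_DESCRIPTOR request going down, 18-byte descriptor coming up
SAMPLE_LOG = """USBIO: Down dev=2 endpt=0 datalen=8
USBIO:  000: 80 06 00 01 00 00 12 00
USBIO: Up dev=2 endpt=0 datalen=18
USBIO:  000: 12 01 00 02 00 00 00 40 6b 1d 04 01 00 01 01 02
USBIO:  010: 03 01""".splitlines()

if __name__ == "__main__":
    with open("usb.pcap", "wb") as f:
        f.write(build_pcap(parse_usbio(SAMPLE_LOG)))
```

Replace SAMPLE_LOG with the lines of a real vmware.log once the regexes match its USBIO format.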