Sniffing USB traffic with VMWare
Wed 06 April 2011 by jj
VMWare can dump all USB traffic at the lowest level to a file. We describe here how to activate this feature, and also publish a script that converts the dump file to the PCAP format, suitable for use with Wireshark.
Enable USB logging
VMWare can be configured to dump all the low-level USB traffic going to a given virtual machine to a file on the host.
This functionality is activated by adding a few lines to the .vmx virtual machine control file:
    monitor = "debug"
    usb.analyzer.enable = TRUE
    usb.analyzer.maxLine = 8192
    mouse.vusb.enable = FALSE
This enables logging of the raw USB traffic to the vmware.log file, with the USBIO prefix. The maxLine setting enables logging of the full USB packet payload.
Once you start the virtual machine with these settings, beware that the log file may become very big quickly!
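A helper for toggling these settings, as an added example that is not part of the original post: it puts the four lines above into a .vmx file's text exactly once, removes them again when the capture is finished, and reports whether a given .vmx has the USB analyzer switched on. The function names, the sample .vmx content and the case-insensitive key matching are assumptions.

```python
import re

# The four settings exactly as listed in the post.
USB_LOG_SETTINGS = {
    "monitor": '"debug"',
    "usb.analyzer.enable": "TRUE",
    "usb.analyzer.maxLine": "8192",
    "mouse.vusb.enable": "FALSE",
}
# Assumption: keys are compared case-insensitively.
_WANTED = {k.lower() for k in USB_LOG_SETTINGS}
# key = value, ignoring surrounding whitespace; comment lines do not match.
_LINE = re.compile(r'^\s*([^#=\s]+)\s*=\s*(.*?)\s*$')

# Constructed sample .vmx content (not taken from a real VM).
SAMPLE_VMX = 'displayName = "usb-lab"\nusb.present = "TRUE"\nusb.analyzer.enable = "FALSE"\n'

def _parse(line):
    """Return (lowercased key, unquoted value), or (None, None) for other lines."""
    m = _LINE.match(line)
    return (m.group(1).lower(), m.group(2).strip('"')) if m else (None, None)

def disable_usb_logging(vmx_text):
    """Drop all four settings; any earlier value of a key is not restored."""
    kept = [l for l in vmx_text.splitlines() if _parse(l)[0] not in _WANTED]
    return "\n".join(kept) + "\n"

def enable_usb_logging(vmx_text):
    """Return the text with each of the four settings present exactly once."""
    added = [f"{k} = {v}" for k, v in USB_LOG_SETTINGS.items()]
    return disable_usb_logging(vmx_text) + "\n".join(added) + "\n"

def usb_logging_enabled(vmx_text):
    """True if the last usb.analyzer.enable entry is TRUE (quoted or not)."""
    state = False
    for line in vmx_text.splitlines():
        key, value = _parse(line)
        if key == "usb.analyzer.enable":
            state = value.upper() == "TRUE"
    return state

if __name__ == "__main__":
    print(enable_usb_logging(SAMPLE_VMX), end="")
```

Running disable_usb_logging on the .vmx after a capture session stops vmware.log from growing further, and usb_logging_enabled can be run over a directory of .vmx files to find machines where USB traffic is still being recorded.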
To make sense of the data gathered this way, a very good piece of software is available: vusb-analyzer.
You can also refer to the project page for more information on the effects of the VMWare configuration elements.
As we were toying with the software, it appeared that the VMWare log format is not very compact or interoperable, so we worked around this limitation by writing a script that converts the USB information back into the PCAP format. This way, we can watch the flow in Wireshark or in many other tools.
It works pretty well for the data we tested it with; however, please note that the PCAP format for USB is not very well documented, so YMMV.