Sniffing USB traffic with VMware

Wed 06 April 2011 by jj

VMware can dump all USB traffic at the lowest level to a dump file. We describe here how to activate this feature, and also publish a script that converts the dump file to the PCAP format, suitable for use with Wireshark.

Enable USB logging

VMware can be configured to dump all the low-level USB traffic going to a given virtual machine to a file on the host.

This functionality is activated by adding a few lines to the .vmx virtual machine control file:

monitor = "debug"
usb.analyzer.enable = TRUE
usb.analyzer.maxLine = 8192
mouse.vusb.enable = FALSE

This enables logging of the raw USB traffic to the vmware.log file, with the USBIO prefix. The maxLine setting enables logging of the full USB packet payload.

Once you start the virtual machine with these settings, beware that the log file may grow very large very quickly!
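
The following Python code is an added example, not part of the original post or of VMware's tooling: it applies the four settings above to the text of a .vmx file so that each key ends up present exactly once, replacing a conflicting value instead of appending a second copy. The function names, the case-insensitive key matching and the sample .vmx content are assumptions made for illustration.

```python
import re

# The four settings from this page, written as the page gives them.
USB_LOGGING = {
    "monitor": '"debug"',
    "usb.analyzer.enable": "TRUE",
    "usb.analyzer.maxLine": "8192",
    "mouse.vusb.enable": "FALSE",
}
LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*(.*?)\s*$')


def _norm(value):
    """Compare values ignoring surrounding quotes and case."""
    return value.strip().strip('"').lower()


def apply_usb_logging(vmx_text):
    """Return (new_text, changes) with each logging key set exactly once."""
    # Assumption: keys are matched case-insensitively.
    wanted = {k.lower(): (k, v) for k, v in USB_LOGGING.items()}
    seen, out, changes = set(), [], []
    for line in vmx_text.splitlines():
        m = LINE_RE.match(line)
        key = m.group(1).lower() if m else None
        if key not in wanted:
            out.append(line)  # unrelated setting, comment or blank line
            continue
        name, value = wanted[key]
        if key in seen:
            changes.append(f"dropped duplicate {name}")
            continue
        seen.add(key)
        if _norm(m.group(2)) == _norm(value):
            out.append(line)  # already set as required
        else:
            out.append(f"{name} = {value}")
            changes.append(f"changed {name}: {m.group(2)} -> {value}")
    for key, (name, value) in wanted.items():
        if key not in seen:
            out.append(f"{name} = {value}")
            changes.append(f"added {name}")
    return "\n".join(out) + "\n", changes


# Constructed sample .vmx content, not taken from a real VM.
SAMPLE_VMX = '''displayName = "usb-lab"
usb.analyzer.enable = "FALSE"
monitor = "debug"
'''
```

The returned list of changes makes it easy to review what will be written before replacing the real .vmx file.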

Analysing data

To make sense of the data gathered this way, a very good piece of software is available: vusb-analyzer.

You can also refer to the project page for more information on the effects of the VMware configuration elements.

As we were toying with the software, it appeared that the VMware log format is not very compact or interoperable, so we worked around this limitation by writing a script that converts the USB information back into PCAP format. This way, we can view the flow in Wireshark or many other tools.

It works pretty well for the data we tested it with; however, please note that the PCAP format for USB is not very well documented, so YMMV.