It looks like tshark is the command in charge of capturing from the command line.
First, we need to identify the device we want to capture on. Use tshark -D to list the available capture interfaces:
$ tshark -D
1. enp1s0
2. lo (Loopback)
3. any
4. bluetooth-monitor
5. nflog
6. nfqueue
7. bluetooth0
8. usbmon0
9. bluetooth1
10. usbmon1
11. usbmon2
12. ciscodump (Cisco remote capture)
13. dpauxmon (DisplayPort AUX channel monitor capture)
14. randpkt (Random packet generator)
15. sdjournal (systemd Journal Export)
16. sshdump (SSH remote capture)
17. udpdump (UDP Listener remote capture)
By trial and error, we find that it's device #10 we are interested in capturing, so we run:
$ tshark -i 10
Capturing on 'usbmon1'
1 0.000000 host → 1.2.0 USB 64 GET DESCRIPTOR Request DEVICE
2 0.000160 1.2.0 → host USB 82 GET DESCRIPTOR Response DEVICE
NOTE: tshark -i usbmon1 also works.
Use -c [number] to limit the number of packets captured, and -w [out file name].pcap to save the capture in pcap format, which can be imported into the Wireshark GUI.
$ tshark -c 100 -i 10 -w usbmon1-dump.pcap
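The interface above was found by trial and error; because usbmonN carries the traffic of USB bus N, the bus number that lsusb reports for a device selects the interface directly. The script below is an added example, not part of the original page: it assumes lsusb is available, and the 1234:abcd ID, the sample lsusb lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Resolve a USB vendor:product ID to its usbmon capture interface.
# usbmonN carries the traffic of USB bus N (usbmon0 carries all buses).

# Constructed `lsusb` output for the demo; 1234:abcd is a placeholder ID.
SAMPLE_LSUSB='Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 1234:abcd Example Vendor Example Device
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub'

# usb_lookup ID MODE: read lsusb-format lines on stdin.
#   MODE=iface  -> "usbmonN" for the bus the device sits on
#   MODE=filter -> Wireshark display filter matching only that device
# Exit status: 0 found, 1 ID not present, 2 malformed ID.
usb_lookup() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$id" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f]:[0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) return 2 ;;
    esac
    awk -v want="$id" -v mode="$2" '
        $1 == "Bus" && $5 == "ID" && tolower($6) == want {
            bus = $2 + 0                      # "001" -> 1
            dev = $4; sub(/:$/, "", dev)      # "002:" -> "002"
            if (mode == "filter")
                printf "usb.bus_id == %d && usb.device_address == %d\n", bus, dev
            else
                printf "usbmon%d\n", bus
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

usbmon_for_id() { usb_lookup "$1" iface; }
filter_for_id() { usb_lookup "$1" filter; }

# Demo on the constructed sample. On a real host, pipe `lsusb` in instead:
#   tshark -i "$(lsusb | usbmon_for_id 1234:abcd)" -c 100 -w usbmon-dump.pcap
printf '%s\n' "$SAMPLE_LSUSB" | usbmon_for_id 1234:abcd
printf '%s\n' "$SAMPLE_LSUSB" | filter_for_id 1234:abcd
```

The filter form is useful because a usbmon interface records every device on that bus; the 1.2.0 address in the capture output above reads as bus 1, device 2, endpoint 0.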