Capture USB Traffic To convert it to PCAP Format

NTDEV
1

Hello,

I am working at the moment with Wireshark dissecting sw. And
I want USB Protocol Packets to be decoded by any packet
capturing tool such as Wireshark or TCPDump, which has not
yet been done. (According to my knowledge)

I followed several links, in the forum regarding this, as following

http://www.osronline.com/showThread.cfm?link=95875

But there is this simple question that is still unclear to me.
Where should we place our filter driver is it on top of
usbport.sys (host controller driver) for me to
capture raw usb traffic.

placing it on top of usbhub.sys dont support every URB. as
is said in the forum.
http://www.osronline.com/showThread.cfm?link=95329

I dont worry about High speed traffic for the moment. only full speed
(12Mbps).

I am using windows XP right now, and would be delighted
to find a good starting point for my project. (Possibly
a sample driver in DDk)

Thanks in advance

Varuna

2

Hi
I am also working on some similar stuffs. But I think hooking in usbhub.sys may help you.

Regards,
Barun

3

Varuna De Silva wrote:

I am working at the moment with Wireshark dissecting sw. And
I want USB Protocol Packets to be decoded by any packet
capturing tool such as Wireshark or TCPDump, which has not
yet been done. (According to my knowledge)

I don’t see how that would be useful. Wireshark/Ethereal and TCPDump
both analyze network protocols. USB doesn’t use network protocols.
There are no IP or MAC addresses. There’s no frame of reference for
these packages. You’d have to write an entirely new analyzer module,
and as long as you’re doing that, you might as well use one of the
existing packages.

But there is this simple question that is still unclear to me.
Where should we place our filter driver is it on top of
usbport.sys (host controller driver) for me to
capture raw usb traffic.

You can’t capture raw USB traffic. That is all managed by the host
controller hardware, and is never exposed in software. The best you can
do is capture the URBs as they are transmitted to and from the host
controller. Usually, that’s good enough. If it’s not, then you need a
real hardware bus analyzer.

The HHD USB Monitor, which is a USB sniffer just like you describe,
works by installing a class upper filter to the USB Host Controller
class, in {36FC9E60-C465-11CF-8056-444553540000}.

placing it on top of usbhub.sys dont support every URB. as
is said in the forum.
http://www.osronline.com/showThread.cfm?link=95329

I don’t see how you got that interpretation from what I said.

I am using windows XP right now, and would be delighted
to find a good starting point for my project. (Possibly
a sample driver in DDk)

There is a good generic filter driver in the KMDF samples. You could
start there. However, you need to take a close look at the HHD USB
Monitor and USB Snoopy before you go reinventing the wheel. This
problem has already been solved.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

4

----- Original Message -----
From: “Tim Roberts”
To: “Windows System Software Devs Interest List”
Sent: Friday, October 12, 2007 9:29 AM
Subject: Re: [ntdev] Capture USB Traffic To convert it to PCAP Format

> Varuna De Silva wrote:
>>
>> I am working at the moment with Wireshark dissecting sw. And
>> I want USB Protocol Packets to be decoded by any packet
>> capturing tool such as Wireshark or TCPDump, which has not
>> yet been done. (According to my knowledge)
>
> I don’t see how that would be useful. Wireshark/Ethereal and TCPDump
> both analyze network protocols. USB doesn’t use network protocols.
> There are no IP or MAC addresses. There’s no frame of reference for
> these packages. You’d have to write an entirely new analyzer module,
> and as long as you’re doing that, you might as well use one of the
> existing packages.

Well, over time Wireshark has become a sort of analyzer for whatever
information is transfered into “packets”, including USB as traffic. If the
vast majority of WS dissectors are for network packets, I think there are
also dissectors for packets that I wouldn’t consider network packets.
Someone has actually added support for USB sniffing in libpcap (the capture
library used by Wireshark) under linux. I don’t know what is the status of
the wireshark USB dissectors, though.

Have a nice day
GV

>
>
>> But there is this simple question that is still unclear to me.
>> Where should we place our filter driver is it on top of
>> usbport.sys (host controller driver) for me to
>> capture raw usb traffic.
>
> You can’t capture raw USB traffic. That is all managed by the host
> controller hardware, and is never exposed in software. The best you can
> do is capture the URBs as they are transmitted to and from the host
> controller. Usually, that’s good enough. If it’s not, then you need a
> real hardware bus analyzer.
>
> The HHD USB Monitor, which is a USB sniffer just like you describe,
> works by installing a class upper filter to the USB Host Controller
> class, in {36FC9E60-C465-11CF-8056-444553540000}.
>
>
>> placing it on top of usbhub.sys dont support every URB. as
>> is said in the forum.
>> http://www.osronline.com/showThread.cfm?link=95329
>
> I don’t see how you got that interpretation from what I said.
>
>
>> I am using windows XP right now, and would be delighted
>> to find a good starting point for my project. (Possibly
>> a sample driver in DDk)
>
> There is a good generic filter driver in the KMDF samples. You could
> start there. However, you need to take a close look at the HHD USB
> Monitor and USB Snoopy before you go reinventing the wheel. This
> problem has already been solved.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

5

Thanks Tim/Gianluca/Barun For your Detailed Replies,
We are a team of undergrads doing our final year project, and are
delighted by your expertise.

On 10/12/07, Tim Roberts wrote:
>
> Varuna De Silva wrote:
> >
> > I am working at the moment with Wireshark dissecting sw. And
> > I want USB Protocol Packets to be decoded by any packet
>
I don’t see how that would be useful. Wireshark/Ethereal and TCPDump
> both analyze network protocols.

There is a way to get it done by attaching a Libpcap Header which says
wireshark or any other packet capturing tool so that it can dissect the
packet not as a Network packet but as some thing else such as
SS7 or USB.

You can’t capture raw USB traffic. That is all managed by the host
> controller hardware, and is never exposed in software. The best you can
> do is capture the URBs as they are transmitted to and from the host
> controller.
>
Thats perfect What I want is URB s for now.

> placing it on top of usbhub.sys dont support every URB. as
> > is said in the forum.
> > http://www.osronline.com/showThread.cfm?link=95329
>
> I don’t see how you got that interpretation from what I said.

Sorry for the mistake its not that link but the following, and its not
you who told so :slight_smile:

http://www.osronline.com/showThread.cfm?link=95332

But anyway that doubt is cleared, even Barun says so.

There is a good generic filter driver in the KMDF samples. You could
> start there. However, you need to take a close look at the HHD USB
> Monitor and USB Snoopy before you go reinventing the wheel. This
> problem has already been solved.

I am already going through on USB snoopy For Sure :-).

Thank you all again for the help.

Xavier