desowin / usbpcap

USB packet capture for Windows
http://desowin.org/usbpcap
Can't capture packets from one device #16

Open jonri opened 9 years ago

jonri commented 9 years ago

I've got a USB device that I can't seem to capture any packets from. If I capture from option 1 below, I get a 24-byte .pcap file which Wireshark says is empty. If I capture from option 2, the file fills up as expected. I'm on Windows 7 64-bit, running from an admin cmd prompt. My version is 1.0.0.7; I haven't tried to mess with compiling from Git yet. What can I do to debug this?

C:\Program Files\USBPcap>USBPcapCMD.exe
Following filter control devices are available:
1 \\.\USBPcap1
  \??\USB#ROOT_HUB20#4&35fa9cd2&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] Sigma Designs USB Device
2 \\.\USBPcap2
  \??\USB#ROOT_HUB20#4&12de2100&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] USB Composite Device
        USB 2.0 UVC 0.3M WebCam
Select filter to monitor (q to quit): 1
Output file name (.pcap): usb.pcap

desowin commented 9 years ago

I understand that you cannot capture from Sigma Designs USB Device, right? What does this device do?

Do you have access to Windows 7 32-bit? You could use the IrpTracker [1] to check what the driver sends and how.

[1] http://www.osronline.com/article.cfm?article=199

jonri commented 9 years ago

Yes... It's a video capture device.

I think I've got a Vista 32-bit install DVD lying around somewhere, it's going to be a bit of a pain to get it set up though. Is there anything else I should try from usbpcap in the meantime?

LRFLEW commented 6 years ago

I'm having a similar problem (probably the same issue). I can see my Razer Ripsaw in the device list, but no data gets captured from it.

To try to work around the issue, I tried using the device from inside a VirtualBox virtual machine. When done this way, USBPcap (on the host) can see the data, and appears to record it properly. However, the device doesn't work properly in this setup (possibly due to VirtualBox not supporting some type of USB message), so the data I get from the capture isn't all that useful.

iDawer commented 5 years ago

Same here with USBPcap 1.2.0.4 and a USB ADSL WAN Modem (D-Link DSL-200 Generation III). I tried on Windows 10 x64, Windows 7 x64 and Windows XP x32. I can capture other USB devices except the modem. On Windows XP I was able to capture with usbsnoop 1.8. On Windows 10, logman or Message Analyzer can do this, but the payload for the control out transfer (exactly what I'm looking for) is missing even with the FullDataBusTrace option enabled.

USBPcapCMD windows 10 x64

Following filter control devices are available:
1 \\.\USBPcap1
  \??\USB#ROOT_HUB20#4&3bc5fdf&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] Qualcomm Atheros AR3012 Bluetooth(R) Adapter
      [Port 3] USB Composite Device
        USB2.0 Camera
2 \\.\USBPcap2
  \??\USB#ROOT_HUB30#4&1e8aefda&0&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
3 \\.\USBPcap3
  \??\USB#ROOT_HUB20#4&1501d67&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] D-Link USB ADSL WAN Modem
      [Port 4] HID-compliand device
        HID-compliant mouse
Select filter to monitor (q to quit):

I can capture HID-compliant mouse well but not the modem.

IRPMon

I found IRPMon is similar to IrpTracker and works on x64.

  1. Here usbhub is communicating with pdo8 (modem):

usbhub_pdo8 modem _hooked-irpmon usbhub_pdo8(modem)_hooked-IRPMon.log

  2. Here \Driver\wanusb+\Device\ADSLUSB:

wanusb_adslusb_hooked-irpmon IRPMon shows empty log.

  3. Just to compare I captured \Driver\HidUsb+\Device\63 (mouse):

hidusb_device0x63 mouse _hooked_irpmon hidusb_device0x63(mouse)_hooked_IRPMon.log

  4. Next I followed @LRFLEW's comment and started a Windows XP VirtualBox machine (without the wanusb driver installed). I set up hooks on \Driver\wanusb+\Device\ADSLUSB and clicked to connect the modem to the guest machine. All that was captured was a single message: IRQL = Passive, Type = Unload. I also captured packets with USBPcap through Wireshark: host_capture_forwarded_modem.pcapng.gz. After disabling guest USB forwarding it shows some initialisation hub requests on the host, but then any further messages stop. Meanwhile the modem is starting up and doing DSL line synchronisation, which means the wanusb driver is working now. I also tried to install drivers on the guest and sniff from the host, but the modem cannot work correctly in this setup (cannot get DSL line synchronisation). Now IRPMon shows this: vbox_usb_forwarding

My knowledge on internals is small so if you would suggest me where to dig I can provide more information. Sorry for my crooked English.

desowin commented 5 years ago

USBPcap 1.4.0.0 logs unhandled URB Functions with the type URB_UNKNOWN (0xFF). Could you please check if there are any of such packets logged when using USBPcap 1.4.0.0?
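
The check requested above, together with the 24-byte capture from the first report, as an added example (not part of the thread and not USBPcap project code). It assumes a classic little-endian .pcap as written by USBPcapCMD (not pcapng), link type 249 and USBPcap's packed 27-byte pseudo-header; `summarize` and `_record` are hypothetical names and the sample bytes are constructed. A 24-byte file is exactly the pcap file header with no packet records, which is why it parses to zero packets.

```python
import struct
from collections import Counter

PCAP_GLOBAL = struct.Struct("<IHHiIII")    # classic pcap file header, 24 bytes
PCAP_RECORD = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len
# USBPcap base pseudo-header, packed little-endian, 27 bytes: headerLen, irpId,
# status, function, info, bus, device, endpoint, transfer, dataLength
USBPCAP_HDR = struct.Struct("<HQIHBHHBBI")
DLT_USBPCAP = 249
TRANSFER_UNKNOWN = 0xFF                    # shown by Wireshark as URB_UNKNOWN


def summarize(blob):
    """Count captured packets per (bus, device) and URB_UNKNOWN transfers."""
    if len(blob) < PCAP_GLOBAL.size:
        raise ValueError("truncated pcap file header")
    magic, *_, linktype = PCAP_GLOBAL.unpack_from(blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != DLT_USBPCAP:
        raise ValueError(f"link type {linktype} is not USBPcap")
    per_device, unknown, off = Counter(), 0, PCAP_GLOBAL.size
    while off + PCAP_RECORD.size <= len(blob):
        incl_len = PCAP_RECORD.unpack_from(blob, off)[2]
        frame = blob[off + PCAP_RECORD.size:off + PCAP_RECORD.size + incl_len]
        off += PCAP_RECORD.size + incl_len
        if len(frame) < USBPCAP_HDR.size:
            continue                       # truncated or malformed record
        fields = USBPCAP_HDR.unpack_from(frame, 0)
        bus, device, transfer = fields[5], fields[6], fields[8]
        per_device[(bus, device)] += 1
        if transfer == TRANSFER_UNKNOWN:
            unknown += 1
    return {"packets": sum(per_device.values()),
            "per_device": dict(per_device), "unknown": unknown}


def _record(bus, device, endpoint, transfer, payload=b""):
    """Build one constructed pcap record (test data, not a real capture)."""
    hdr = USBPCAP_HDR.pack(27, 1, 0, 0x0009, 0, bus, device, endpoint,
                           transfer, len(payload))
    return PCAP_RECORD.pack(0, 0, len(hdr + payload), len(hdr + payload)) + hdr + payload


# Constructed samples: a header-only file, and one with two packets.
HEADER_ONLY = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_USBPCAP)
SAMPLE = (HEADER_ONLY + _record(1, 3, 0x81, 1, b"\x00" * 4)
          + _record(1, 2, 0x00, TRANSFER_UNKNOWN))

if __name__ == "__main__":
    print(summarize(HEADER_ONLY), summarize(SAMPLE))
```

To run it on a real capture, pass the file's bytes, for example `summarize(open("usb.pcap", "rb").read())`; a device address missing from `per_device` means no packets from that device were recorded.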

antoniovazquezblanco commented 6 months ago

I believe I am facing this same bug. I am running USBPcap 1.5.4.0 alongside Wireshark and I cannot see traffic of my "Intel(R) Wireless Bluetooth(R)" on the same bus as many other devices which I can clearly monitor.

I have tried to switch my device driver to WinUSB and got the same results.

I've tried IRPMon but was unable to get it working...

How can I help debug the issue?

antoniovazquezblanco commented 6 months ago

I would like to add to my previous statement that Wireshark correctly prepends a device descriptor and configuration in the capture but no further traffic is listed.

Sorry for the double posting.