desowin / usbpcap

USB packet capture for Windows
http://desowin.org/usbpcap

Can't Filter By Device / Port #64

Open MelbourneDeveloper opened 5 years ago

MelbourneDeveloper commented 5 years ago

I only want to trace this particular device (Port 11), but I only get the filter of "1". Is there some way to filter down to only port 11? I tried typing in 11 but I just get invalid input. When I ran the trace it dumped out 32 meg of data.


MelbourneDeveloper commented 5 years ago

I went out and bought a USB hub because I thought I'd be able to filter:


But, it doesn't show up:


MelbourneDeveloper commented 5 years ago

On top of this, it doesn't look like I can filter the outputted data in Wireshark by port:


MelbourneDeveloper commented 5 years ago

I tried running wireshark like this: USBPcapCMD.exe -d \.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

But I just get this (no traffic).

MelbourneDeveloper commented 5 years ago

I tried this

USBPcapCMD.exe -d \.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -"TREZOR Interface"

but get this error:


Note: I'm running the command line as administrator.

MelbourneDeveloper commented 5 years ago

I tried this

"c:\program files\usbpcap\USBPcapCMD.exe" -d \.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -A

to get all devices but this error


MelbourneDeveloper commented 5 years ago

I figured out how to filter down to the product like this:


However, it's only showing a piece of a transfer. I'm not sure if this is in or out. But, there should be at least one in, and one out. I know because the device worked correctly, and for it to work correctly, there would be several ins and outs.

MelbourneDeveloper commented 5 years ago

Ok, it looks as though I was able to finally filter down the data when I found out the address. But, this is really clunky. Isn't there a better way? Have I done the right thing here? I still can't find the data I'm looking for. I think I've filtered out something that I need.


desowin commented 5 years ago

Using the USBPcap from the command line captures the traffic from all devices connected to the selected root hub. If you want to capture the traffic for a single device, the recommended way is to use the USBPcapCMD.exe as an extcap. When using USBPcap as extcap, you can select the devices to capture on and start/stop the capture from the Wireshark GUI.

KOLANICH commented 5 years ago

> When using USBPcap as extcap, you can select the devices to capture on and start/stop the capture from the Wireshark GUI.

This just doesn't work. At least a USB mouse connected to the same hub floods into the capture even if another device is captured.

desowin commented 5 years ago

> When using USBPcap as extcap, you can select the devices to capture on and start/stop the capture from the Wireshark GUI.
>
> This just doesn't work. At least a USB mouse connected to the same hub floods into the capture even if another device is captured.

Are you using Wireshark 3.0.2 and USBPcap 1.4.0.0? What are the command-line arguments Wireshark calls USBPcap with? Did you uncheck the capture from all devices option?

KOLANICH commented 5 years ago

> Are you using Wireshark 3.0.2

yes.

> USBPcap 1.4.0.0

now 1.5.0.0 with the same effect

> What are the command-line arguments Wireshark calls USBPcap with?

USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --capture-from-all-devices --devices 2 --inject-descriptors --capture-from-new-devices

desowin commented 5 years ago

> USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --capture-from-all-devices --devices 2 --inject-descriptors --capture-from-new-devices

This clearly shows that the "Capture from all devices connected" (tooltip: Capture from all devices connected despite other options) is set. When the option is not set, the "--capture-from-all-devices" is not present on the command line. Either your system experiences some strange Wireshark bug (there were problems with extcap options, but these should be fixed in 3.0.2) or you have the checkbox ticked.

KOLANICH commented 5 years ago

Thanks. That option really was enabled. Disabled that, worked as intended.

myjimmy commented 3 years ago

@desowin Could you tell me how to use USBPcapCMD as extcap in more detail?

desowin commented 3 years ago

> @desowin Could you tell me how to use USBPcapCMD as extcap in more detail?

Copy USBPcapCMD.exe to C:\Program Files\Wireshark\extcap then start Wireshark. USBPcap interfaces should then be visible in the interfaces list. Click on the icon next to the USBPcap interface to set capture options.

myjimmy commented 3 years ago

@desowin Thanks. I need to capture only a specific USB device like this link. So, I run the following command:

USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --devices 2 --inject-descriptors --capture-from-new-devices

But I got the following error:

Thread started with invalid write handle!


I think that the pipe parameter --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 is wrong. Please help.

FYI: @KOLANICH, if you help me, I'll be very thankful.

myjimmy commented 3 years ago

> Thanks. That option really was enabled. Disabled that, worked as intended.

@KOLANICH I need to capture the USB packets from a specific USB device. So, I should use the following command provided by you:

USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --devices 2 --inject-descriptors --capture-from-new-devices

Could you let me know how to create the pipe like --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 in Wireshark?

desowin commented 3 years ago

Wireshark creates the pipe using CreateNamedPipe function. Check extcap_create_pipe() in https://gitlab.com/wireshark/wireshark/-/blob/master/extcap.c#L1498

myjimmy commented 3 years ago

@desowin Thanks for your reply. To create the named pipe in Wireshark, shall I modify the source code? Or which feature shall I use?

desowin commented 3 years ago

> @desowin Thanks for your reply. To create the named pipe in Wireshark, shall I modify the source code? Or which feature shall I use?

Just start Wireshark, it should do everything. I thought you were writing your own application that invoked USBPcapCMD.

myjimmy commented 3 years ago

@desowin Thanks. When running USBPcapCMD.exe in the command prompt, I see several devices in \\.\USBPcap1.

I need to capture a specific USB device with USBPcap.

@KOLANICH described the method in this link. But I got the following error:

Thread started with invalid write handle!


@desowin So, I hope you let me know how to capture a specific device with USBPcap.

pixeldoc2000 commented 2 years ago

@myjimmy @MelbourneDeveloper
Maybe it's easier to use filters in Wireshark like: usb.src == "1.2.1" or usb.dst == "1.2.1" <- insert your USB device address
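As an added example (not code from the USBPcap project or anyone in this thread), here is the filter pixeldoc2000 suggests and the "every device on the root hub ends up in the capture" behaviour desowin describes, done offline on a saved file: a small parser for the USBPcap pcap link type (249) that keeps only the records of one bus.device address, building the same usb.src/usb.dst strings Wireshark displays. It assumes the packed 27-byte USBPCAP_BUFFER_PACKET_HEADER layout (headerLen, irpId, status, function, info, bus, device, endpoint, transfer, dataLength; info bit 0 set = from device to host) and a constructed three-record capture standing in for a real trace.

```python
import struct

LINKTYPE_USBPCAP = 249
# USBPCAP_BUFFER_PACKET_HEADER, packed (27 bytes): headerLen, irpId, status,
# function, info, bus, device, endpoint, transfer, dataLength (assumed layout)
_USBPCAP_HDR = struct.Struct("<HQIHBHHBBI")

def iter_usbpcap(pcap: bytes):
    """Yield (fields, payload) for every record of a little-endian USBPcap pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_USBPCAP:
        raise ValueError("not a little-endian USBPcap capture")
    off = 24
    while off < len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        rec = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        hlen, _irp, _status, _func, info, bus, dev, ep, xfer, dlen = _USBPCAP_HDR.unpack_from(rec)
        fields = {"bus": bus, "device": dev, "endpoint": ep & 0x7F,   # bit 7 of ep is direction
                  "from_device": bool(info & 1), "transfer": xfer}
        yield fields, rec[hlen:hlen + dlen]

def wireshark_addrs(fields):
    """(usb.src, usb.dst) the way Wireshark shows them: 'bus.device.endpoint' or 'host'."""
    addr = "{bus}.{device}.{endpoint}".format(**fields)
    return (addr, "host") if fields["from_device"] else ("host", addr)

def filter_device(pcap: bytes, bus: int, device: int):
    """Equivalent of 'usb.src == A or usb.dst == A' for every endpoint of bus.device."""
    kept = []
    for fields, data in iter_usbpcap(pcap):
        if fields["bus"] == bus and fields["device"] == device:
            src, dst = wireshark_addrs(fields)
            kept.append((src, dst, data))
    return kept

# Constructed sample capture: two bulk transfers of device 2 and one interrupt
# report from a mouse (device 5) sharing the same root hub, as in the thread.
def _record(bus, dev, ep, from_device, xfer, data):
    hdr = _USBPCAP_HDR.pack(27, 0x1234, 0, 0x0009, int(from_device), bus, dev, ep, xfer, len(data))
    return struct.pack("<IIII", 0, 0, 27 + len(data), 27 + len(data)) + hdr + data

SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USBPCAP)
               + _record(1, 2, 0x01, False, 3, b"\x01\x02")          # host -> 1.2.1 (OUT)
               + _record(1, 2, 0x81, True, 3, b"\xaa\xbb\xcc")       # 1.2.1 -> host (IN)
               + _record(1, 5, 0x81, True, 1, b"\x00\x00\x00\x00"))  # mouse 1.5.1 -> host
```

filter_device(SAMPLE_PCAP, 1, 2) returns only the two device-2 records; the mouse traffic that flooded KOLANICH's capture is dropped the same way the Wireshark display filter drops it.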