
Can't capture packets from one device

Open jonri opened this issue 10 years ago • 7 comments

I've got a USB device that I can't seem to capture any packets from. If I capture from option 1 below, I get a 24-byte .pcap file which Wireshark says is empty. If I capture from option 2, the file fills up as expected. I'm on Windows 7 64-bit, running from an admin cmd prompt. My version is 1.0.0.7; I haven't tried to mess with compiling from Git yet. What can I do to debug this?

C:\Program Files\USBPcap>USBPcapCMD.exe
Following filter control devices are available:
1 \\.\USBPcap1
  \??\USB#ROOT_HUB20#4&35fa9cd2&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] Sigma Designs USB Device
2 \\.\USBPcap2
  \??\USB#ROOT_HUB20#4&12de2100&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] USB Composite Device
        USB 2.0 UVC 0.3M WebCam
Select filter to monitor (q to quit): 1
Output file name (.pcap): usb.pcap

jonri avatar Nov 21 '14 04:11 jonri

I understand that you cannot capture from Sigma Designs USB Device, right? What does this device do?

Do you have access to Windows 7 32-bit? You could use the IrpTracker [1] to check what the driver sends and how.

[1] http://www.osronline.com/article.cfm?article=199

desowin avatar Nov 21 '14 12:11 desowin

Yes... It's a video capture device.

I think I've got a Vista 32-bit install DVD lying around somewhere, it's going to be a bit of a pain to get it set up though. Is there anything else I should try from usbpcap in the meantime?

jonri avatar Nov 21 '14 19:11 jonri

I'm having a similar problem (probably the same issue). I can see my Razer Ripsaw in the device list, but no data gets captured from it.

To try to work around the issue, I tried using the device from inside a VirtualBox virtual machine. When done this way, USBPcap (on the host) can see the data, and appears to record it properly. However, the device doesn't work properly in this setup (possibly due to VirtualBox not supporting some type of USB message), so the data I get from the capture isn't all that useful.

LRFLEW avatar Feb 25 '18 01:02 LRFLEW

Same here with USBPcap 1.2.0.4 and USB ADSL WAN Modem (D-Link DSL-200 Generation III). I tried on Windows 10 x64, Windows 7 x64 and Windows XP x32. I can capture other USB devices except the modem. On Windows XP I was able to capture with usbsnoop 1.8. On Windows 10, logman or Message Analyzer can do this, but they lack the payload for control out transfers (exactly what I'm looking for), even with the FullDataBusTrace option enabled.

USBPcapCMD windows 10 x64

Following filter control devices are available:
1 \\.\USBPcap1
  \??\USB#ROOT_HUB20#4&3bc5fdf&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] Qualcomm Atheros AR3012 Bluetooth(R) Adapter
      [Port 3] USB Composite Device
        USB2.0 Camera
2 \\.\USBPcap2
  \??\USB#ROOT_HUB30#4&1e8aefda&0&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
3 \\.\USBPcap3
  \??\USB#ROOT_HUB20#4&1501d67&0#{f18a0e88-c30c-11d0-8815-00a0c906bed8}
    [Port 1] Generic USB Hub
      [Port 2] D-Link USB ADSL WAN Modem
      [Port 4] HID-compliand device
        HID-compliant mouse
Select filter to monitor (q to quit):

I can capture HID-compliant mouse well but not the modem.

IRPMon

I found IRPMon is similar to IrpTracker and works on x64.

  1. Here usbhub communicating with pdo8 (modem):

usbhub_pdo8 modem _hooked-irpmon usbhub_pdo8(modem)_hooked-IRPMon.log

  2. Here \Driver\wanusb+\Device\ADSLUSB:

wanusb_adslusb_hooked-irpmon IRPMon shows empty log.

  3. Just to compare I captured \Driver\HidUsb+\Device\63 (mouse):

hidusb_device0x63 mouse _hooked_irpmon hidusb_device0x63(mouse)_hooked_IRPMon.log

  4. Next I followed @LRFLEW's comment and started a Windows XP VirtualBox machine (without the wanusb driver installed). I set up hooks on \Driver\wanusb+\Device\ADSLUSB and clicked to connect the modem to the guest machine. All that was captured was a single IRQL = Passive, Type = Unload. I also captured packets with USBPcap through Wireshark: host_capture_forwarded_modem.pcapng.gz. After disabling guest USB forwarding, it shows some initialisation hub requests on the host, but then any further messages stop. Meanwhile the modem is starting up and doing DSL line synchronisation, which means the wanusb driver is working now. I had also tried to install drivers on the guest and sniff from the host, but the modem cannot work correctly in this setup (cannot get DSL line synchronisation). Now IRPMon shows this: vbox_usb_forwarding

My knowledge of the internals is small, so if you could suggest where to dig I can provide more information. Sorry for my crooked English.

iDawer avatar Dec 05 '18 14:12 iDawer

USBPcap 1.4.0.0 logs unhandled URB Functions with the type URB_UNKNOWN (0xFF). Could you please check if there are any of such packets logged when using USBPcap 1.4.0.0?

desowin avatar May 29 '19 05:05 desowin
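
An added example (not part of the thread and not USBPcap project code): one way to run the check requested above over a saved capture offline, counting packets per device and transfer type so 0xFF entries and header-only files (the 24-byte case from the first post) stand out. It assumes a classic little-endian pcap file with link type 249 and the 27-byte packed USBPcap packet header; the function names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

PCAP_GLOBAL_HDR = 24          # size of the classic pcap file header
LINKTYPE_USBPCAP = 249        # assumed link type for USBPcap captures
TRANSFER_NAMES = {0: "ISOCHRONOUS", 1: "INTERRUPT", 2: "CONTROL", 3: "BULK",
                  0xFE: "IRP_INFO", 0xFF: "UNKNOWN"}
# USBPcap pseudo-header, packed little-endian: headerLen, irpId, status,
# function, info, bus, device, endpoint, transfer, dataLength (27 bytes).
USBPCAP_HDR = struct.Struct("<HQIHBHHBBI")

def summarize(blob):
    """Return (packet_count, Counter keyed by (device, transfer name))."""
    if len(blob) < PCAP_GLOBAL_HDR:
        raise ValueError("truncated pcap header")
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap file")
    if linktype != LINKTYPE_USBPCAP:
        raise ValueError(f"unexpected link type {linktype}")
    counts, offset, packets = Counter(), PCAP_GLOBAL_HDR, 0
    while offset + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack_from("<IIII", blob, offset)
        record = blob[offset + 16: offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(record) < USBPCAP_HDR.size:
            break                      # truncated record, stop parsing
        fields = USBPCAP_HDR.unpack_from(record)
        device, transfer = fields[6], fields[8]
        counts[(device, TRANSFER_NAMES.get(transfer, hex(transfer)))] += 1
        packets += 1
    return packets, counts

def _record(device, transfer, payload=b""):
    """Build one constructed pcap record carrying a USBPcap header."""
    hdr = USBPCAP_HDR.pack(USBPCAP_HDR.size, 1, 0, 0x0009, 0, 1, device,
                           0x81, transfer, len(payload)) + payload
    return struct.pack("<IIII", 0, 0, len(hdr), len(hdr)) + hdr

# Constructed sample input, not data from the issue.
GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USBPCAP)
EMPTY_CAPTURE = GLOBAL                                  # the 24-byte case
SAMPLE = GLOBAL + _record(2, 3, b"\x00" * 8) + _record(4, 0xFF) + _record(4, 0xFF)

if __name__ == "__main__":
    print(summarize(EMPTY_CAPTURE))
    print(summarize(SAMPLE))
```

A result of zero packets means the file holds only the pcap header, while entries named UNKNOWN show that requests from that device address were seen but not decoded.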

I believe I am facing this same bug. I am running USBPcap 1.5.4.0 alongside Wireshark and I cannot see traffic from my "Intel(R) Wireless Bluetooth(R)", which is on the same bus as many other devices that I can clearly monitor.

I have tried to switch my device driver to WinUSB and got the same results.

I've tried IRPMon but was unable to get it working...

How can I help debug the issue?

antoniovazquezblanco avatar Jan 16 '24 15:01 antoniovazquezblanco

I would like to add to my previous statement that Wireshark correctly prepends a device descriptor and configuration in the capture but no further traffic is listed.

Sorry for the double posting.

antoniovazquezblanco avatar Jan 16 '24 15:01 antoniovazquezblanco