usbpcap
Can't Filter By Device / Port
I only want to trace this particular device (Port 11), but I only get the filter of "1". Is there some way to filter down to only port 11? I tried typing in 11 but I just get invalid input. When I ran the trace it dumped out 32 meg of data.
I went out and bought a USB hub because I thought I'd be able to filter:
But, it doesn't show up:
On top of this, it doesn't look like I can filter the outputted data in Wireshark by port:
I tried running wireshark like this: USBPcapCMD.exe -d \.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
But I just get this (no traffic)
I tried this
USBPcapCMD.exe -d \.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -"TREZOR Interface"
but get this error:
Note: I'm running the command line as administrator.
I tried this
"c:\program files\usbpcap\USBPcapCMD.exe" -d \.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -A
to get all devices but got this error
I figured out how to filter down to the product like this:
However, it's only showing a piece of the transfer. I'm not sure if this is in or out. But, there should be at least one in, and one out. I know because the device worked correctly, and for it to work correctly, there would be several ins and outs.
Ok, it looks as though I was able to finally filter down the data when I found out the address. But, this is really clunky. Isn't there a better way? Have I done the right thing here? I still can't find the data I'm looking for. I think I've filtered out something that I need.
Using USBPcap from the command line captures the traffic from all devices connected to the selected root hub. If you want to capture the traffic for a single device, the recommended way is to use USBPcapCMD.exe as an extcap. When using USBPcap as extcap, you can select the devices to capture on and start/stop the capture from the Wireshark GUI.
When using USBPcap as extcap, you can select the devices to capture on and start/stop the capture from the Wireshark GUI.
This just doesn't work. At least a USB mouse connected to the same hub floods into the capture even if another device is captured.
Are you using Wireshark 3.0.2 and USBPcap 1.4.0.0? What are the commandline arguments Wireshark calls USBPcap with? Did you uncheck the capture from all devices option?
Are you using Wireshark 3.0.2
yes.
USBPcap 1.4.0.0
now 1.5.0.0 with the same effect
What are the commandline arguments Wireshark calls USBPcap with?
USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --capture-from-all-devices --devices 2 --inject-descriptors --capture-from-new-devices
This clearly shows that the "Capture from all devices connected" (tooltip: Capture from all devices connected despite other options) is set. When the option is not set, the "--capture-from-all-devices" is not present on the commandline. Either your system experiences some strange Wireshark bug (there were problems with extcap options, but these should be fixed in 3.0.2) or you have the checkbox ticked.
Thanks. That option really was enabled. Disabled that, worked as intended.
@desowin Could you tell me how to use USBPcapCMD as extcap in more detail?
Copy USBPcapCMD.exe to C:\Program Files\Wireshark\extcap then start Wireshark. USBPcap interfaces should then be visible in the interfaces list. Click on the icon next to the USBPcap interface to set capture options.
@desowin Thanks. I need to capture only a specific USB device like this link. So, I run the following command:
USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --devices 2 --inject-descriptors --capture-from-new-devices
But I got the following error:
Thread started with invalid write handle!
I think that the pipe parameter --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 is wrong.
Please help.
FYI: @KOLANICH, if you help me, I'll be very thankful.
@KOLANICH I need to capture the USB packets from a specific USB device. So, I should use the following command provided by you:
USBPcapCMD.exe --capture --extcap-interface \\.\USBPcap1 --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 --devices 2 --inject-descriptors --capture-from-new-devices
Could you let me know how to create the pipe like --fifo \\.\pipe\wireshark_extcap_\\.\USBPcap1_20190618125930 in Wireshark?
Wireshark creates the pipe using CreateNamedPipe function. Check extcap_create_pipe() in https://gitlab.com/wireshark/wireshark/-/blob/master/extcap.c#L1498
@desowin Thanks for your reply. To create the named pipe in Wireshark, shall I modify the source code? Or which feature shall I use?
Just start Wireshark, it should do everything. I thought you were writing your own application that invoked USBPcapCMD.
@desowin Thanks.
When running USBPcapCMD.exe in the command prompt, I see several devices in \\.\USBPcap1.
I need to capture a specific USB device with USBPcap.
@KOLANICH described the method in this link. But I got the following error:
Thread started with invalid write handle!
@desowin So, I hope you let me know how to capture a specific device with USBPcap.
@myjimmy @MelbourneDeveloper
Maybe it's easier to use filters in Wireshark, like: usb.src == "1.2.1" or usb.dst == "1.2.1" <- insert your USB device address
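
The address-based filtering discussed in this thread can also be applied offline to a saved capture. The sketch below is an added example, not code from USBPcap, Wireshark or any poster here: it parses a classic little-endian pcap with link type 249 (USBPcap), keeps only packets for one bus/device pair, and reports IN/OUT per packet from the endpoint's direction bit. The function names and the sample capture bytes are constructed for illustration.

```python
import struct

LINKTYPE_USBPCAP = 249
USBPCAP_HDR = struct.Struct("<HQIHBHHBBI")  # packed USBPcap packet header, 27 bytes
TRANSFER = {0: "isochronous", 1: "interrupt", 2: "control", 3: "bulk"}

def read_usbpcap(blob):
    """Yield one dict per packet from a classic little-endian USBPcap pcap."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_USBPCAP:
        raise ValueError("not a little-endian USBPcap pcap file")
    off = 24
    while off + 16 <= len(blob):
        _sec, _usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        rec = blob[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(rec) < USBPCAP_HDR.size:
            continue  # truncated record, skip it
        hlen, _irp, _status, _func, info, bus, dev, ep, xfer, dlen = USBPCAP_HDR.unpack_from(rec)
        yield {"bus": bus, "device": dev, "endpoint": ep & 0x7F,
               "direction": "IN" if ep & 0x80 else "OUT",   # bit 7 of endpoint address
               "completion": bool(info & 1),                # IRP travelling back up (PDO -> FDO)
               "transfer": TRANSFER.get(xfer, "unknown"),
               # headerLen skips the extra fields control/isochronous headers carry
               "payload": rec[hlen:hlen + dlen]}

def for_device(blob, bus, device):
    """Keep only packets for one device address, whatever else shares the root hub."""
    return [p for p in read_usbpcap(blob) if (p["bus"], p["device"]) == (bus, device)]

def _pkt(bus, dev, ep, xfer, info, data):
    # Helper that builds one constructed pcap record (not real captured traffic).
    hdr = USBPCAP_HDR.pack(USBPCAP_HDR.size, 1, 0, 9, info, bus, dev, ep, xfer, len(data))
    size = len(hdr) + len(data)
    return struct.pack("<IIII", 0, 0, size, size) + hdr + data

# Constructed sample: device 2 exchanges data while a mouse (device 3) shares the hub.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USBPCAP)
          + _pkt(1, 2, 0x01, 1, 0, b"\x3f\x23\x23")        # host -> device 2 (OUT)
          + _pkt(1, 3, 0x81, 1, 1, b"\x00\x01\x00\x00")    # mouse report (IN)
          + _pkt(1, 2, 0x81, 1, 1, b"\x3f\x23\x23\x00"))   # device 2 -> host (IN)

if __name__ == "__main__":
    for p in for_device(SAMPLE, 1, 2):
        print(p["direction"], p["transfer"], "ep", p["endpoint"], p["payload"].hex())
```
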