
From time to time, I need to dump USB traffic under Windows, mostly to support hardware under Linux, so my primary goal is to produce dump files for protocol analysis.

For USB traffic, it seems that SniffUsb is the clear winner... It works under Windows XP (but not later) and has a much nicer GUI than earlier versions. It produces huge dump files, but everything is there.

However, my device is in fact a USB serial device, so I turned to Portmon which can sniff serial port traffic without the USB overhead.

Samuel Liew
dpavlin

6 Answers


After five years of waiting, it is now possible to sniff USB packets on Windows.

See http://desowin.org/usbpcap/tour.html for a quick tour. It works pretty well.

albfan
  1. Since people don't seem to realize it, Wireshark does monitor USB traffic and has a parser for it; but the catch is it only works under Linux. Wireshark on Windows will not do this.

  2. It may be possible to plug the USB device you want to monitor, along with a Linux machine (with Wireshark running) and your Windows machine and just use the USB device under Windows.

  3. Problem with the above? I don't know how the Linux machine or the Windows machine will detect each other.

Chiramisu
jamkomo
  • USB uses a star topology with a single host per bus, I don't know how you expect to connect a Linux box to a bus hosted by Windows, and even if you did, it wouldn't see traffic going to other devices (unless the Linux box was a hub). – Ben Voigt Feb 20 '11 at 00:10
  • Wireshark can now sniff USB data on Windows machines too. – TafT Oct 20 '16 at 11:27

Busdog, an open source project hosted on github, has worked well for me. It has a driver it installs to allow it to monitor USB communications. The config window allows you to reinstall or remove the device at any time.

You can select the USB device you want from an enumerated list. A nice feature is to have it automatically trace a new device that is plugged in:

[screenshot: Enumerated USB devices]

Data communications to and from an SWR analyzer I was reverse engineering were captured flawlessly:

[screenshot: USB-to-serial port communications captured]

Kurt Fitzner
  • In a quick test, BusDog unfortunately prevented an application from accessing the USB device, so there was no traffic for BusDog to sniff. – pmdj Sep 05 '21 at 12:52

USBSnoop works too - and is free.

Or, you could buy a USB to Ethernet converter and use whatever network sniffer you prefer to see the data.

Maxime
gbjbaanb
  • If you look at the URL of SniffUsb, it includes USBSnoop because it's based on it :-) – dpavlin Sep 23 '08 at 19:49
  • A network sniffer and a USB-Ethernet converter is only going to sniff Ethernet. Because it's not converting the raw USB, it won't let you see the individual USB packets, which is what a tool like usbsnoop will provide. – Andrew Edgecombe Sep 26 '08 at 10:54

Personally, I'd use QEMU or KVM and instrument their USB passthrough code, and then use libusb to prototype the replacement driver in user space (this latter bit I've done before; writing USB device drivers in Python is fun!).

Peter Mortensen
Charles Duffy
  • Under Linux you'd use Wireshark, no need to profile code or anything so complicated. However, read to the end of the question. – gbjbaanb Sep 22 '08 at 21:49
  • When did Wireshark sniff USB? We're not talking about Ethernet here. I know the questioner is asking about USB serial, but since the topic asks about USB sniffing in general, folks who find this question will expect an answer suitable to the overall topic. – Charles Duffy Sep 22 '08 at 23:35
  • Thanks, as a next step I will probably try to run it under qemu or kvm. – dpavlin Sep 23 '08 at 19:59
  • Wireshark 1.10.0rc1 and above support USBPcap (detects existing install, or allows installing it). See high rated non-accepted answer by jamkomo, and followup comment stating that Wireshark can now do that on Windows. You may have to uninstall existing version--see https://osqa-ask.wireshark.org/questions/48789/usbpcap-tutorial – Poikilos Aug 29 '18 at 20:02
  • Many years later, I am interested how to use `QEMU` or `Docker` maybe for this, could you give me any place to start? – Mohammed Noureldin Jul 22 '19 at 18:49
  • @MohammedNoureldin, you can't use Docker for this -- it has to be qemu. Docker isn't virtualization or emulation, just a bunch of namespaces; it doesn't give you any hooks to sniff hardware's behavior you wouldn't have just running the software directly on the host. – Charles Duffy Jul 22 '19 at 19:27

Microsoft Message Analyzer was able to capture USB traffic, with Device and Log File parser from MS: link

Update: as mentioned by @facetus, MS Message Analyzer has been retired on November 25 2019.

Renat
  • It's been retired on November 25 2019, no replacement is available from Microsoft. Microsoft has removed all download links. An error message appears if you start already installed MMA after November 25 2019. – facetus Apr 14 '20 at 04:06