Drivers Usbcap

/ Comments off



This page is about capturing raw USB traffic, e.g. the packets a USB mouse will generate on the Universal Serial Bus.

USB attached network interfaces. A special case are network interfaces connected to a host computer through an USB cable. The operating system 'converts' the raw USB packets into the network traffic (e.g. Ethernet packets) and provides a network interface that looks like an ordinary network interface. USBPcap open source USB sniffer for Windows. USB Packet capture for Windows Tour. This short tour assumes you have installed the latest version of USBPcap and Wireshark 1.10.0rc1 (or newer) and rebooted your system. This package contains the files needed for installing the EasyCap 4CH USB Video Capture Dongle Driver. If it has been installed, updating (overwrite-installing) may fix problems, add new functions. GloryTimes Alexandre Kadjaiev Compro Technolygy USBCap MorningSound Soft John Shield/O Deus Audio sylc SKY-DMB MiniStickX Device 10Moons SAA7134 Video WDM driver Share us Update PC Drivers Automatically Identify & Fix Unknown Devices Designed for Windows 8, 7, Vista, XP. Video capture device usually use drivers and software to record audio and video. Both the drivers and the software can be found on the product page under the Support tab. Different software will have different features so it’s a good idea to review the software to make sure it is a good fit for your intended usage.

Table of contents

Contents

  1. USB capture setup

USB attached network interfaces

A special case are network interfaces connected to a host computer through an USB cable. The operating system 'converts' the raw USB packets into the network traffic (e.g. Ethernet packets) and provides a network interface that looks like an ordinary network interface. So you can capture from:

  • the USB device for raw USB traffic (if supported)
  • the network device for 'normal' network packets

The USB bus will add additional overhead, so the raw USB traffic will have higher volume than the network traffic, even if the only active USB devices on the system are network adapters. (If there are other active USB devices, the raw USB traffic will include traffic to and from those devices, so it will obviously have higher volume than Ethernet traffic.)

Linux

Capturing USB traffic on Linux is possible since Wireshark 1.2.0, libpcap 1.0.0, and Linux 2.6.11, using the Linux usbmon interface.

First, check if you belong to the wireshark group with:

  • groups $USER

To add yourself to the wireshark group, run the below command, then logout and login.

  • sudo adduser $USER wireshark

Then ensure that non-superusers are allowed to capture packets in wireshark. Select <Yes> in the below prompt:

  • sudo dpkg-reconfigure wireshark-common

The next two commands may need to be re-run after every reboot:

To dump USB traffic on Linux, you need the usbmon kernel module. If it is not loaded yet, run this command as root:

  • modprobe usbmon

To give regular users privileges, make the usbmonX device(s) readable:

  • sudo setfacl -m u:$USER:r /dev/usbmon*

On some Linux distributions (Arch Linux, Debian, Ubuntu, possibly others), the above command may not be necessary if you already belong to the wireshark group. See CaptureSetup/CapturePrivileges#Most_UNIXes.

With Linux kernels prior to 2.6.23, you will also need to run this command as root:

  • mount -t debugfs none /sys/kernel/debug

and, with those kernels, the usbmon mechanism's protocol limits the total amount of data captured for each raw USB block to about 30 bytes. With a 2.6.23 or later kernel, and libpcap 1.1.0 and later, that size limitation is removed. Use uname -r to check your kernel version.

In libpcap 1.1.0 and later, the devices on which you can capture are named usbmonX, where X is the USB bus number. On Linux 2.6.22 and later, the special 'usbmon0' interface receives a combined stream of events from all USB buses. In libpcap 1.0.x, the devices were named usbX.

Simple MITM hardware with Linux

Drivers Usb Para Windows 10

If the USB host is a black-box device such as a game console and you cannot capture USB traffic on the host's operating system, here are two DIY-projects that help you build a simple MITM device to intercept and relay USB messages on the USB cable.

  • SerialUSB

    • is designed to intercept USB HID traffic. Originally made for the GIMX project (which lets you connect PC game controllers to the PS4 by converting the HID protocol messages). You will need a Linux computer to capture the HID messages and an Arduino-based USB dongle. Parts are cheap. If you don't like soldering, you can buy ready-made 'GIMX USB adapters' from the developer and from enthusiasts on eBay and elsewhere.

  • USBProxy

    • intercepts USB traffic with a standalone Beaglebone Black, which is reconfigured to act as a USB gadget emulating the device connected to the 2nd USB port. Unlike SerialUSB, this solution works with higher-speed non-HID USB traffic as well (within the hardware limitations of the Beaglebone device).

macOS

Capturing USB traffic on macOS is possible since Wireshark 2.4.0, libpcap 1.9.0, and macOS High Sierra, using the XHC20 interface.

In order to capture on that interface, you will first have to run the command

  • ifconfig XHC20 up

as root, for example by running

  • sudo ifconfig XHC20 up

In macOS Catalina, you apparently have to disable System Integrity Protection to capture USB traffic.

Windows

You can capture raw USB traffic on Windows with USBPcap. The Tools page lists some other options for Windows USB capture.

A word of warning about USBPcap

There have been problems with using USBPcap in the past, and while these problems should be resolved now, you may wish to familiarize yourself with these earlier problems, in the event you are still affected by it.

  • Wireshark Bug 11766 - USBPcap prevents mouse and keyboard from working

  • USBPcap Issue #3 - Windows 7 - USB bus not recognized after restart after USBPcap installation

  • Microsoft Security Advisory 3033929 - Availability of SHA-2 Code Signing Support for Windows 7 and Windows Server 2008 R2

You can also capture and debug USB traffic on a virtual Windows machine under VirtualBox. In some ways this is more convenient than working with a separate Windows box.

In this example, an embedded Linux device running g_ether (RNDIS ethernet gadget) connects to Windows. e.g. an NSLU2 with a USB slave modification http://www.nslu2-linux.org/wiki/HowTo/AddDeviceSideUSBPort but it should work for almost any USB device.

With this method, Linux recognises the USB device (i.e. >lsusb will still show them), but VirtualBox hooks it into Windows but Wireshark on linux still gets to snoop on all the packets.

Steps:

1. Install a VirtualBox Windows guest on your Linux host. Start up the virtual Windows session.

2. Plug-in the embedded slave device via a USB cable, which itself should be either a device Windows already knows about (or in this case it was running a valid g_ether gadget stack and needed a .inf file)

3. Run >lsusb and take a note of which bus the device connects.

  • e.g
  • 'Bus 003 Device 003: ID 0525:a4a2 Netchip Technology, Inc. Linux-USB Ethernet/RNDIS Gadget'

4. On linux side,run >ifconfig usb0 down - this prevents both the linux system and the windows system from fighting over the device

5. On the Windows virtual machine, on VirtualBox menus click the checkbox

  • [Devices]->Usb devices>[x]Your device

  • to let windows see the USB device.

6. Now Windows should recognise the device and proceed with the 'plug-and-pray' session for driver initialisation.

  • I worked from the instructions on http://docwiki.gumstix.org/index.php/Windows_XP_usbnet to install the driver.

7. In this example, I had to set up the networking options for IP address, Gateway etc on Windows to match the IP network on the gadget but for other USB device types there will be no extra setup. In any case this is just normal Windows behavior.

Usb

8. On Linux, startup Wireshark and using the Bus number given earlier from >lsusb command to sniff for packets.

Hints for developing something like a Windows native 'USBPcap': a kernel mode filter device driver has to be written. An older Driver Development Kit (DDK) is available which at least can compile kernel mode binaries. The most important functions to install the filter driver are CreateService() and SetupDiSetDeviceRegistryProperty() function with SPDRP_LOWERFILTERS parameter.

Driver Usbpcap

Discussion

Why was the note about inaccurate time stamps removed?!? - UlfLamping

The timestamps should be ok now since libpcap works around the issue by explicitly calling gettimeofday()- ronnie

Well, the inaccuracies I had in mind was about the 'delta' involved between the data is received from the USB device and actually timestamped from the kernel. This delta will be substantially lower for e.g. PCI based nic's than for USB ones - and should be mentioned. Or am I just wrong on this topic and this can be ignored - which should be mentioned then too? - UlfLamping

There's 'capturing on USB-attached networking interfaces' and there's 'capturing USB traffic'; this page is for the latter, but it sounds as if the time stamp delta is an issue for the former. - Guy Harris

See Also

  • Capturing on Ethernet Networks

  • Capturing on 802.11 Wireless Networks

  • Capturing on Token Ring Networks

  • Capturing on VLAN Protected Networks

  • Capturing on PPP Networks

  • Capturing on the Loopback Device

  • Capturing on Frame Relay Networks

  • Capturing DOCSIS Traffic

  • Capturing Bluetooth Traffic

  • Capturing on ATM Networks

  • Capturing IrDA Traffic

  • Capturing on Cisco HDLC Networks

  • Capturing SS7 Traffic

  • CategoryHowTo

-->

The USBSAMP sample demonstrates how to perform full speed, high speed, and SuperSpeed transfers to and from bulk and isochronous endpoints of a generic USB device. USBSAMP is based on the Kernel Mode Driver Framework (KMDF). Superspeed bulk and isochronous transfers only work when the Microsoft USB 3.0 stack is loaded.

The sample also contains a console test application that initiates bulk (including stream) and isochronous transfers and obtains data from the device's I/O endpoints. The application also demonstrates how to use GUID-based device names and pipe names generated by the operating system using the SetupDiXXX user-mode APIs.

For information about USB, see Universal Serial Bus (USB) Drivers.

Universal Windows Driver Compliant

This sample builds a Universal Windows Driver. It uses only APIs and DDIs that are included in OneCoreUAP.

Hardware requirements

The sample driver can be loaded as the function driver for any of these devices:

  • OSR FX2 learning kit. You can get the kit from OSR Online. For more information, see the specification for the OSR USB FX-2 Learning Kit
  • MUTT devices. To order those devices, see How to get MUTT devices.
  • Intel 82930 USB test board.

If you have a different USB device, you can still use the driver by adding the device's hardware ID to the INX file. Note that the data transfer scenarios will work only with the endpoints supported by the device.

Set the configuration and platform in Visual Studio

In Visual Studio, in Solution Explorer, right click Solution 'usbsamp' (3 projects), and choose Configuration Manager. Set the configuration and the platform. Make sure that the configuration and platform are the same for both the driver project and the package project. Do not check the Deploy boxes.

Build the sample using Visual Studio

Driver Usb Camera Windows 10

In Visual Studio, on the Build menu, choose Build Solution.

For more information about using Visual Studio to build a driver package, see Building a Driver with Visual Studio and the WDK.

Locate the built driver

In File Explorer, navigate to the folder that contains your built driver package. The location of this folder varies depending on what you set for configuration and platform. For example, if your settings are Debug and x64, the driver is in your solution folder under sysdriverDebugusbsamp.

The driver folder contains these files:

FileDescription
usbsamp.sysThe driver file
usbsamp.infAn information (INF) file that contains information needed to install the driver.
kmdfsamples.catA signed catalog file, which serves as the signature for the entire package.

Run the sample

The computer where you install the driver is called the target computer or the test computer. Typically this is a separate computer from where you develop and build the driver package. The computer where you develop and build the driver is called the host computer.

The process of moving the driver package to the target computer and installing the driver is called deploying the driver. You can deploy the USBSAMP sample automatically or manually.

Automatic deployment

Before you automatically deploy a driver, you must provision the target computer. For instructions, see Provision a computer for driver deployment and testing (WDK 10).

  1. On the host computer, in Visual Studio, in Solution Explorer, right click package (lower case), and choose Properties. Navigate to Configuration Properties > Driver Install > Deployment.

  2. Check Enable deployment, and check Remove previous driver versions before deployment. For Target Computer Name, select the name of a target computer that you provisioned previously. Select Install and Verify. Click OK.

  3. On the Build menu, choose Deploy Package or Build Solution.

Drivers Usb Cable

Manual deployment

Before you manually deploy a driver, you must turn on test signing and install a certificate on the target computer. You also need to copy the DevCon tool to the target computer. For instructions, see Preparing a Computer for Manual Driver Deployment.

  1. Copy all of the files in your driver package to a folder on the target computer (for example, c:Usbsamp).

  2. On the target computer, open a Command Prompt window as Administrator. Navigate to your driver package folder, and enter the following command:

    devcon install usbsamp.inf USBVID_045E&PID_078F

View the device in Device Manager

On the target computer, in a Command Prompt window, enter devmgmt to open Device Manager. In Device Manager, on the View menu, choose Devices by type. In the device tree, locate the device. For example the device name might be WDF Sample for FX2 MUTT device under theSample Device node.

Build the sample using MSBuild

Drivers Usb Pour Dell

Drivers usb para windows 10Driver

As an alternative to building the USBSAMP sample in Visual Studio, you can build it in a Visual Studio Command Prompt window. In Visual Studio, on the Tools menu, choose Visual Studio Command Prompt. In the Visual Studio Command Prompt window, navigate to the folder that has the solution file, Usbsamp.sln. Use the MSBuild command to build the solution. Here are some examples:

For more information about using MSBuild to build a driver package, see Building a Driver with Visual Studio and the WDK.

Testing the sample

The sample includes a test application, usbsamp.exe. This console application enumerates the interface registered by the driver and opens the device to send Read, Write, or DeviceIoControl requests based on the command line options. To test the sample,

Driver Usbpcap

  1. In Visual Studio, choose Solution Explorer from the View menu. Locate the application project named usbsamp, under the Exe folder.

  2. Right-click and choose Build. For example, if your settings are Debug and x64, the application executable is in your solution folder under the exeDebugusbsamp.exe.

  3. Run the executable on the target machine.

  • To view all descriptors and endpoint information, use the following command.

    usbsamp.exe -u

    You can use the preceding command to view pipe numbers for read and write requests.

  • To send a Read-Write request, use the following command.

    usbsamp.exe -r 1024 -w 1024 -c 100 -v

    The preceding command first writes 1024 bytes of data to bulk out endpoint (pipe 1), then reads 1024 bytes from bulk in endpoint (pipe 0), and compares the read buffer with write buffer to see if they match. If the buffer contents match, it performs this operation 100 times.

  • To send Read-Write requests to bulk endpoints, use any of the following commands, simultaneously. If Read-Write requests are sent to a SuperSpeed bulk endpoint with streams, the sample driver always uses the first underlying stream associated with that endpoint. The driver is multi-thread safe so it can handle multiple requests at a time.

    usbsamp.exe -r 65536

    The preceding command reads 65536 bytes from pipe 0.

    usbsamp.exe -w 65536

    The preceding command writes 65536 bytes to pipe 1.

    usbsamp.exe -r 65536 -i pipe02

    The preceding command reads 65536 bytes from pipe 2.

    usbsamp.exe -w 65536 -o pipe03

    The preceding command writes 65536 bytes to pipe 3.

  • To send Read and Write requests to isochronous endpoints you can use one or more of these commands simultaneously.

    usbsamp.exe -r 512 -i pipe04

    The preceding command reads 512 bytes from pipe 4.

    usbsamp.exe -w 512 -o pipe05

    The preceding command writes 512 bytes to pipe 5.

    usbsamp.exe -w 1024 -o pipe05 -r 1024 -i pipe04 -c 100 -v

    The preceding command writes 1024 bytes to pipe 5, then reads 1024 bytes from pipe 4, and compares the buffers to see if they match. If the buffer contents match, it performs this operation 100 times.

  • To skip validation of the data to be read or written in a particular request, use the command with -x option as follows:

    usbsamp.exe -r 1024 -w 1024 -c 100 -x