From time to time, I need to dump USB traffic under Windows, mostly to support hardware under Linux, so my primary goal is to produce dump files for protocol analysis.
For USB traffic, it seems that SniffUsb is the clear winner... It works under Windows XP (but not later) and has a much nicer GUI than earlier versions. It produces huge dump files, but everything is there.
However, my device is in fact a USB serial device, so I turned to Portmon which can sniff serial port traffic without the USB overhead.
6 Answers
Personally, I'd use QEMU or KVM and instrument their USB passthrough code, and then use libusb to prototype the replacement driver in user space (this latter bit I've done before; writing USB device drivers in Python is fun!).
Charles Duffy

Since people don't seem to realize it, Wireshark does monitor USB traffic and has a parser for it; but the catch is that it only works under Linux. Wireshark on Windows will not do this.
It may be possible to plug the USB device you want to monitor, along with a Linux machine (with Wireshark running) and your Windows machine and just use the USB device under Windows.
Problem with the above? I don't know how the Linux machine or the Windows machine will detect each other.
After five years of waiting, it's now possible to sniff USB packets on Windows.
See http://desowin.org/usbpcap/tour.html for a quick tour. It works pretty well.
albfan

USBSnoop works too - and is free.
Or, you could buy a USB to Ethernet converter and use whatever network sniffer you prefer to see the data.
Maxime

Busdog, an open-source project hosted on GitHub, has worked well for me. It has a driver it installs to allow it to monitor USB communications. The config window allows you to reinstall or remove the device at any time.
You can select the USB device you want from an enumerated list. A nice feature is to have it automatically trace a new device that is plugged in:
Data communications to and from an SWR analyzer I was reverse engineering were captured flawlessly:
Microsoft Message Analyzer can capture USB traffic as well, if you download the Device and Log File parser from MS: link
At the moment I am using usbmon to sniff USB. For better understandability I want to use Wireshark. I've used Wireshark before for sniffing Ethernet packets, but what do I capture to sniff USB packets? I mean, I need to start by selecting which interface to capture in Wireshark, but what would I select there for USB?
Neel Basu

4 Answers
Grab the newest Wireshark. Use lsusb before and after plugging in the device so you know which USB bus it's plugged into.
Type in a terminal:
(First, load the kernel module that allows USB sniffing, as root; second, start Wireshark as root.)
Then select usbmonX, where X stands for the USB bus number (lsusb shows those numbers).
After that you still need to filter packets for device/vendor ID, or something else device-specific, as Wireshark will show all packets from all devices plugged into that bus. (Again, lsusb before/after plugging in your device will help.)
Have you taken a look at the documentation for that on the Wireshark website?
In libpcap 1.0.x, the devices for capturing on USB have the name usbN, where N is the number of the bus. In libpcap 1.1.0 and later, they have the name usbmonN.
A quick notice, since I just started using Wireshark to sniff USB packets on Linux. As I understand it, you need the usbmon module loaded (which, if you are using it, should be). Additionally, I seem to recall that while Wireshark can be set up to let non-root users sniff Ethernet packets, some limitation required root access for USB packets (at least at the time of writing).
Similar to what others have said, on my system, Ubuntu 12.10, the USB interfaces have names like 'usbmon1 USB bus number 1' and so forth. (You might look at http://biot.com/blog/usb-sniffing-on-linux.) The link listed has an image showing a filter which can be used to select only traffic to/from a device number (from lsusb).
I hope that's helpful.
@przemo_li You want to filter by device address to see the communication from both the host and the device. The filter for that is usb.device_address.
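The answer above (grab Wireshark, compare lsusb before and after plugging the device in, pick usbmonX, then filter) and the usb.device_address comment both describe the same bookkeeping, so here is one added example that does it in code. It is not from the original thread or from the Wireshark project: it diffs two lsusb listings (constructed sample output below), maps the new device's bus number to the usbmon interface name (or the older usbN name from libpcap 1.0.x), and builds the Wireshark display filter on usb.bus_id and usb.device_address. The lsusb device number is the same address usbmon reports in each URB, so this filter catches both directions, whereas filtering on idVendor/idProduct only matches the descriptor packets that carry those fields. The function names and the sample output are this example's own.

```python
"""Added example: choose the usbmon interface and a Wireshark display
filter for a freshly plugged-in USB device from two lsusb listings.
Not code from the original thread; sample lsusb output is constructed."""
import re
from typing import List, NamedTuple

# Matches a standard lsusb summary line, e.g.
# "Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, Ltd FT232 ..."
LSUSB_LINE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)


class UsbDevice(NamedTuple):
    bus: int        # usbmon bus number (usbmonN / usb.bus_id)
    address: int    # device address on that bus (usb.device_address)
    vid: int        # idVendor
    pid: int        # idProduct
    description: str


def parse_lsusb(text: str) -> List[UsbDevice]:
    """Parse lsusb output; lines that do not match the summary format are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            devices.append(UsbDevice(
                bus=int(m.group(1)),
                address=int(m.group(2)),
                vid=int(m.group(3), 16),
                pid=int(m.group(4), 16),
                description=m.group(5).strip(),
            ))
    return devices


def new_devices(before: str, after: str) -> List[UsbDevice]:
    """Devices present in the 'after' listing but not in 'before' (the lsusb before/after trick)."""
    seen = {(d.bus, d.address, d.vid, d.pid) for d in parse_lsusb(before)}
    return [d for d in parse_lsusb(after) if (d.bus, d.address, d.vid, d.pid) not in seen]


def usbmon_interface(dev: UsbDevice, libpcap_pre_1_1: bool = False) -> str:
    """libpcap 1.0.x called the interface usbN; 1.1.0 and later call it usbmonN.
    (usbmon0 would see every bus at once, but the per-bus interface is quieter.)"""
    prefix = "usb" if libpcap_pre_1_1 else "usbmon"
    return f"{prefix}{dev.bus}"


def display_filter(dev: UsbDevice) -> str:
    """Display filter that keeps host->device and device->host URBs for this one device."""
    return f"usb.bus_id == {dev.bus} && usb.device_address == {dev.address}"


def capture_commands(dev: UsbDevice, outfile: str = "dump.pcapng") -> List[str]:
    """Commands a practitioner would run: capture the whole bus to a file first, then
    filter offline. tshark refuses a display filter (-Y) while writing a live capture (-w)."""
    return [
        "sudo modprobe usbmon",
        f"sudo tshark -i {usbmon_interface(dev)} -w {outfile}",
        f"tshark -r {outfile} -Y '{display_filter(dev)}'",
    ]


# Constructed sample output: a machine with two root hubs and an internal hub,
# then the same machine after an FTDI USB-serial adapter (0403:6001) is plugged in.
BEFORE = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
AFTER = BEFORE + (
    "Bus 001 Device 004: ID 0403:6001 Future Technology Devices International, "
    "Ltd FT232 Serial (UART) IC\n"
)


if __name__ == "__main__":
    for dev in new_devices(BEFORE, AFTER):
        print(f"new device: {dev.description} (VID {dev.vid:04x}, PID {dev.pid:04x})")
        print(f"  capture interface: {usbmon_interface(dev)}")
        print(f"  display filter:    {display_filter(dev)}")
        for cmd in capture_commands(dev):
            print(f"  $ {cmd}")
```

Re-running lsusb reassigns the device address on every re-plug, so regenerate the filter (or re-diff) after reconnecting the device rather than reusing an old one.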