How to sniff a USB port under Windows?

6

54

From time to time, I need to dump USB traffic under Windows, mostly to support hardware under Linux, so my primary goal is to produce dump files for protocol analysis.

For USB traffic, it seems that SniffUsb is the clear winner... It works under Windows XP (but not later) and has a much nicer GUI than earlier versions. It produces huge dump files, but everything is there.

However, my device is in fact a USB serial device, so I turned to Portmon which can sniff serial port traffic without the USB overhead.

Drowse answered 22/9, 2008 at 20:39 Comment(8)
Was this a question then? - Kathlenekathlin
I imagine it was once a question, but that the user answered it himself, and edited that answer into the question instead of filing it as an answer. (Boo!) - Fanaticize
Portmon is Windows 3.2 or so, and doesn't support 64-bit. SniffUSB is not supported on Windows Vista or 7. - Losing
@Mike: Perhaps Procmon would be of use in such cases? - Edin
I wound up using VMWare's USB logger and Virtual USB Analyzer since I had Windows in a virtual machine already. - Losing
You can use USBPcap and Wireshark. - Planimeter
hackernoon.com/… - Gliwice
@Kathlenekathlin My Q was: How do I sniff USB serial on Windows? But you are right. Origin was an answer. - Norm
3

Personally, I'd use QEMU or KVM and instrument their USB passthrough code, and then use libusb to prototype the replacement driver in user space (this latter bit I've done before; writing USB device drivers in Python is fun!).

Fanaticize answered 22/9, 2008 at 21:46 Comment(6)
Under Linux you'd use Wireshark, no need to profile code or anything so complicated. However, read to the end of the question. - Antilogarithm
When did Wireshark sniff USB? We're not talking about Ethernet here. I know the questioner is asking about USB serial, but since the topic asks about USB sniffing in general, folks who find this question will expect an answer suitable to the overall topic. - Fanaticize
Thanks, as a next step I will probably try to run it under qemu or kvm. - Drowse
Wireshark 1.10.0rc1 and above support USBPcap (detects an existing install, or allows installing it). See the highly rated non-accepted answer by jamkomo, and the follow-up comment stating that Wireshark can now do that on Windows. You may have to uninstall the existing version; see osqa-ask.wireshark.org/questions/48789/usbpcap-tutorial - Finer
Many years later, I am interested in how to use QEMU or maybe Docker for this; could you give me any place to start? - Yasukoyataghan
@MohammedNoureldin, you can't use Docker for this; it has to be qemu. Docker isn't virtualization or emulation, just a bunch of namespaces; it doesn't give you any hooks to sniff hardware's behavior that you wouldn't have just running the software directly on the host. - Fanaticize
20

After five years of waiting, it's now possible to sniff USB packets on Windows.

See http://desowin.org/usbpcap/tour.html for a quick tour. It works pretty well.

Feculent answered 12/9, 2014 at 5:2 Comment(0)
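Since the goal stated in the question is protocol analysis of the dump files, here is an added example (not code from any answer on this page or from the USBPcap project) that parses USBPcap's 27-byte per-packet header out of a pcap file with link type 249, the format Wireshark reads from these captures, and pulls the bulk payloads of a USB-serial exchange out of it by direction. The capture, IRP ids, bus/device numbers and the "AT"/"OK" exchange are all constructed inline so the script runs offline.

```python
import struct

LINKTYPE_USBPCAP = 249                     # pcap link type of USBPcap dumps
USB_HDR = struct.Struct("<HQIHBHHBBI")     # 27-byte little-endian USBPCAP_BUFFER_PACKET_HEADER
XFER_CONTROL, XFER_BULK = 2, 3             # USBPcap transfer-type codes
INFO_PDO_TO_FDO = 0x01                     # info bit set on completions (device -> host)

def build_record(irp, info, endpoint, transfer, payload, stage=None, bus=1, dev=3):
    # Constructed record: header, optional control-stage byte, then the data.
    extra = b"" if stage is None else bytes([stage])
    func = 0x0008 if transfer == XFER_CONTROL else 0x0009  # URB_FUNCTION_* code
    hdr = USB_HDR.pack(USB_HDR.size + len(extra), irp, 0, func, info,
                       bus, dev, endpoint, transfer, len(payload))
    return hdr + extra + payload

def build_pcap(records):
    # Constructed little-endian pcap: 24-byte global header, 16-byte record headers.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USBPCAP)
    for i, body in enumerate(records):
        out += struct.pack("<IIII", 1600000000, i, len(body), len(body)) + body
    return out

def iter_usbpcap(pcap_bytes):
    # Yield (endpoint, transfer, info, data) for every record in a USBPcap capture.
    magic, *_, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_USBPCAP:
        raise ValueError("not a little-endian pcap with the USBPcap link type")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack_from("<IIII", pcap_bytes, off)[2]
        rec = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(rec) < USB_HDR.size: continue   # truncated record: skip, don't crash
        # fields: headerLen, irpId, status, function, info, bus, device, endpoint, transfer, dataLength
        hlen, _irp, _st, _fn, info, _bus, _dev, ep, xfer, dlen = USB_HDR.unpack_from(rec)
        yield ep, xfer, info, rec[hlen:hlen + dlen]  # hlen also skips the control stage byte

def extract_serial_payloads(pcap_bytes):
    # Bulk payloads tagged by direction; endpoint bit 7 (0x80) marks an IN endpoint.
    return [("device->host" if ep & 0x80 else "host->device", data)
            for ep, xfer, _info, data in iter_usbpcap(pcap_bytes)
            if xfer == XFER_BULK and data]

# Constructed USB-serial exchange: OUT data rides on the submit, IN data on the completion,
# plus one control SETUP record whose header is 28 bytes because the stage byte is present.
SAMPLE = build_pcap([
    build_record(1, 0, 0x02, XFER_BULK, b"AT\r\n"),
    build_record(1, INFO_PDO_TO_FDO, 0x02, XFER_BULK, b""),
    build_record(2, 0, 0x81, XFER_BULK, b""),
    build_record(2, INFO_PDO_TO_FDO, 0x81, XFER_BULK, b"OK\r\n"),
    build_record(3, 0, 0x00, XFER_CONTROL, bytes(8), stage=0),
])
```

Feeding a real USBPcap file's bytes to `extract_serial_payloads` gives the same direction-tagged byte stream, which is usually enough to start reconstructing a serial protocol.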
15
  1. Since people don't seem to realize it, Wireshark does monitor USB traffic and has a parser for it; but the catch is it only works under Linux. Wireshark on Windows will not do this.

  2. It may be possible to plug the USB device you want to monitor, along with a Linux machine (with Wireshark running) and your Windows machine and just use the USB device under Windows.

  3. Problem with the above? I don't know how the Linux machine or the Windows machine will detect each other.

Pandurate answered 19/2, 2011 at 23:31 Comment(2)
USB uses a star topology with a single host per bus, I don't know how you expect to connect a linux box to a bus hosted by Windows, and even if you did, it wouldn't see traffic going to other devices (unless the linux box was a hub). - Preciado
Wireshark can now sniff USB data on Windows machines too. - Erickaericksen
7

Busdog, an open source project hosted on github, has worked well for me. It has a driver it installs to allow it to monitor USB communications. The config window allows you to reinstall or remove the device at any time.

You can select the USB device you want from an enumerated list. A nice feature is to have it automatically trace a new device that is plugged in:

Enumerated USB devices

Data communications to and from an SWR analyzer I was reverse engineering were captured flawlessly:

USB-to-serial port communications captured

Ancelin answered 31/8, 2017 at 21:59 Comment(1)
In a quick test, BusDog unfortunately prevented an application from accessing the USB device, so there was no traffic for BusDog to sniff. - Tours
6

USBSnoop works too - and is free.

Or, you could buy a USB to Ethernet converter and use whatever network sniffer you prefer to see the data.

Antilogarithm answered 22/9, 2008 at 21:48 Comment(2)
If you look at the URL of SniffUsb, it includes USBSnoop because it's based on it :-) - Drowse
A network sniffer and a usb-ethernet converter is only going to sniff ethernet. Because it's not converting the raw usb, it won't let you see the individual usb packets which is what a tool like usbsnoop will provide. - Phinney
2

Microsoft Message Analyzer was able to capture USB traffic, with Device and Log File parser from MS: link

Update: as mentioned by @facetus, MS Message Analyzer has been retired on November 25 2019.

Independence answered 19/7, 2019 at 9:30 Comment(1)
It's been retired on November 25 2019, no replacement is available from Microsoft. Microsoft has removed all download links. An error message appears if you start already installed MMA after November 25 2019. - Montagnard