This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello,

So Wireshark 2.0.1 was released recently and I was wondering if there are any tutorials on how to use the USBpcap feature on Wireshark. I would highly appreciate it if you guys can provide me with some information.

Thank you and Happy New Year!

asked 01 Jan '16, 17:18

Karanza


First of all, you have to uninstall any previously installed version of USBPcap, and install the USBPcap which comes along with Wireshark while installing Wireshark itself. After installation, you may want to check whether USBPcapCMD.exe exists in the extcap subdirectory of your C:\Program Files\Wireshark (or wherever else you may have installed Wireshark if you haven't used the default directory).

If this is the case, you should find as many USBPcapn items in your list of capture interfaces as your machine offers USB hosts (root hubs) once you run Wireshark. By double-clicking such a line on the main page of Wireshark (shown if no file is currently open or captured), or by pressing Start after selecting the line in the "Capture interfaces" window opened via Capture -> Options, you start capturing at that root hub.

With tshark (but currently not with standalone dumpcap!), these virtual capture interfaces are accessible too, so you can first run tshark.exe -D to get the numbered list of capture interfaces, and in the next tshark run, use the -i N command-line parameter (where N is a number from the list) to choose one of the USBPcapn interfaces to actually capture on.

As for the rest (i.e. for other tasks than starting the capture), follow the recommendations at the home page of the USBPcap project, which tell you

  • how to identify the hub to which your USB device is connected if necessary (provided that you know the USB ID of that device)

  • that it is helpful to start capture first and connect the device while the capture is running, because this way you'll capture the enumeration phase so you'll be able to see some endpoint descriptors in the capture, which carry a lot of interesting information about the device.

It is also highly recommended to read the information about USBPcap limitations at its home page, so that you understand what you actually capture and what is impossible to capture without a specialized device.

answered 02 Jan '16, 13:52

sindy

edited 03 Jan '16, 05:30

Hello Sindy, thank you so much for your help. I really appreciate it. Just a quick question: do I have to save the .pcap file to my computer after capturing the data with USBPcapCMD.exe so that I can open it while running Wireshark?

(02 Jan '16, 14:09) Karanza

Seems I was not clear enough about Desowin's original howto validity for different tasks :-(

You can

  • either run USBPcapCMD.exe from the command line, providing a file name to which the capture should be saved, and then open that file with Wireshark, as described in Desowin's tutorial which is relevant for the pre-1.10 versions,

  • or use the method I've described first - in such case, the capture is running live in Wireshark, as if you would capture from an ordinary network adapter, so it is up to you whether you'll then save the result as a file or not.

I was referring to Desowin's original howto for other tasks than the capturing itself - i.e. the determination of the root hub (capture interface) to use, and the order of starting the capture and connecting the device.

(02 Jan '16, 14:17) sindy

Hi Sindy, can you please explain your first method more clearly? There is no extcap folder for me. USBPcap is installed at "C:\Program Files\USBPcap\USBPcapCMD.exe". This command is not working for me:

"C:\Program Files\USBPcap\USBPcapCMD.exe" -d \.\USBPcap1 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

It gives this output:

Selected capture options result in empty capture

(19 Dec '16, 21:38) vikram92

> There is no extcap folder for me.

Have you installed USBPcap along with Wireshark or separately? Which Wireshark version do you run? It could also be that the gents have temporarily suppressed placement of USBPcapCMD.exe in the extcap folder, as it can cause trouble if your list of USB devices is really huge; there is a bug about it. I'm not a core developer so it is just a guess.

> USBPcap is installed at "C:\Program Files\USBPcap\USBPcapCMD.exe".

That's correct, there is normally only a copy of USBPcapCMD.exe in the extcap folder, but the whole USBPcap consists of several binaries and these are located in this USBPcap's own folder, including the master copy of USBPcapCMD.exe.

> This command is not working for me: "C:\Program Files\USBPcap\USBPcapCMD.exe" -d \.\USBPcap1 -o -

I cannot verify now as I have uninstalled USBPcap temporarily due to some issues I had to get rid of quickly, but "C:\Program Files\USBPcap\USBPcapCMD.exe" -h suggests that you should use \\.USBPcap1 (two backslashes) rather than \.\USBPcap1 (a single backslash) as the value of the -d option. To confirm that it is really USBPcapCMD.exe that complains, not tshark.exe, first debug the parameters of USBPcapCMD.exe by using a real file rather than - as the value of -o.

(19 Dec '16, 22:23) sindy

I have installed USBPcap from within the Wireshark installation. I did not install WinPcap during installation though. So I uninstalled everything and reinstalled everything. This time I have selected WinPcap along with USBPcap and now everything is working as it should and I see the extcap folder now. Thanks.

(19 Dec '16, 22:59) vikram92
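
The steps from the answer above (check for USBPcapCMD.exe in the extcap folder, list interfaces with tshark -D, capture with -i N), combined into one PowerShell script. This is an added example, not part of the original posts; the install path, the output file name, the 30-second limit and the assumed shape of the tshark -D lines are assumptions.

```powershell
# Added example: locate the USBPcap extcap helper, list the USBPcap
# interfaces reported by "tshark -D", then capture from one of them.
# Assumptions: default install path, output file name, capture duration.
param(
    [string]$WiresharkDir = 'C:\Program Files\Wireshark',
    [string]$OutFile      = "$env:TEMP\usb-capture.pcapng",
    [int]$Seconds         = 30
)

$tshark = Join-Path $WiresharkDir 'tshark.exe'
$extcap = Join-Path $WiresharkDir 'extcap\USBPcapCMD.exe'

if (-not (Test-Path $tshark)) { throw "tshark.exe not found in $WiresharkDir" }
if (-not (Test-Path $extcap)) {
    throw 'USBPcapCMD.exe is missing from the extcap folder; reinstall Wireshark with the USBPcap component selected.'
}

# "tshark -D" prints one numbered line per capture interface.
# Assumed line shape: "<N>. <device name> (<description>)".
$usb = & $tshark -D 2>$null | ForEach-Object {
    if ($_ -match '^(\d+)\.\s+(\S*USBPcap\d+)') {
        [pscustomobject]@{ Index = [int]$Matches[1]; Name = $Matches[2] }
    }
}

if (-not $usb) { throw 'No USBPcap interfaces listed by tshark -D.' }
$usb | Format-Table -AutoSize

# There is one interface per root hub; ask which one to capture on.
$choice = Read-Host 'Interface number to capture on'
if ($usb.Index -notcontains [int]$choice) {
    throw "Interface $choice is not a USBPcap interface."
}

# Start the capture before plugging in the device so that the
# enumeration phase (descriptors) ends up in the capture file.
Write-Host "Capturing for $Seconds s; connect the USB device now."
& $tshark -i $choice -a "duration:$Seconds" -w $OutFile
Write-Host "Saved to $OutFile"
```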
question asked: 01 Jan '16, 17:18

question was seen: 26,025 times

last updated: 19 Dec '16, 22:59
