This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tracking only one USB Port in Filter using USBPcap


I want to capture only one USB Port but I get the traffic from all other ports in the filter which confuses my project. Any solution for this?

asked 12 Oct '17, 03:14


saisudheer8


One Answer:


It depends on what you call "port". The tree topology of USB allows several hubs to be connected in a chain, and there is no static mapping of the physical ports of the hubs to the USB addresses of the connected devices.

The only thing resembling a capture filter available in USBPcap is the choice of the root hub on which to capture. When running USBPcapCmd from the command line, it is mandatory to choose a root hub. When running USBPcap from Wireshark or tshark, each root hub is offered as a separate extcap interface. Full stop.

(To make things even more confusing, a USB device connected to the very same physical port is seen as connected to one root hub if it is a USB 1.1/2.0 device but as connected to another root hub if it is a USB 3.0 device).

The mapping between the physical USB ports of the computer and/or of external hubs and the USB address (bus.device.endpoint) is created dynamically during the enumeration phase. So if you have two USB keyboards and insert them in a different order after a restart of the computer, their USB addresses will differ between the two cases.

So your best bet is to run USBPcapCmd.exe before inserting the devices you want to capture, and to analyse the enumeration phase to identify the bus and device IDs you'll use in your display filter expression to show only frames to/from the devices you are interested in. If necessary, you can save only the frames matching the display filter into another .pcap file.

If you need your "project" to handle .pcap files fully automatically, without any manual pre-processing, you'll have to include analysis of the enumeration phase or some heuristic into it.

answered 12 Oct '17, 06:28


sindy
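The approach the answer describes (capture everything on the chosen root hub, then use the enumeration phase to learn which bus.device address belongs to the device you care about, then keep only that device's frames) can be automated. The following Python script is an added example, not code from the original thread or from the USBPcap project. It parses the fixed part of the USBPcap per-packet header (link type 249: headerLen, irpId, status, function, info, bus, device, endpoint, transfer, dataLength), recognises the 18-byte device-descriptor reply the host reads over control endpoint 0 during enumeration to build a bus.device to idVendor:idProduct map, and writes a pcap containing only one device's frames. The capture it works on is constructed in memory; the vendor/product IDs and the 8-byte reports in it are made up for the example.

```python
import struct
from collections import namedtuple
from typing import Dict, Iterator, List, Optional, Tuple

# Added example: parse USBPcap link-layer headers, learn bus.device -> VID:PID from
# enumeration, and filter a capture down to one device. Not USBPcap/Wireshark code.

LINKTYPE_USBPCAP = 249
PCAP_MAGIC = 0xA1B2C3D4

# Fixed part of USBPCAP_BUFFER_PACKET_HEADER, packed little-endian (27 bytes):
# headerLen(u16) irpId(u64) status(u32) function(u16) info(u8)
# bus(u16) device(u16) endpoint(u8) transfer(u8) dataLength(u32)
USBPCAP_HDR = struct.Struct("<HQIHBHHBBI")

TRANSFER_CONTROL = 2
TRANSFER_INTERRUPT = 3
CONTROL_STAGE_DATA = 1       # control transfers carry one extra stage byte after the header
INFO_DEVICE_TO_HOST = 0x01   # info bit 0: packet travelled from device (PDO) to host (FDO)

Record = namedtuple("Record", "bus device endpoint transfer payload raw")


def usbpcap_frame(bus: int, device: int, endpoint: int, payload: bytes, transfer: int) -> bytes:
    """Build one USBPcap record body (constructed data for this example)."""
    extra = bytes([CONTROL_STAGE_DATA]) if transfer == TRANSFER_CONTROL else b""
    info = INFO_DEVICE_TO_HOST if endpoint & 0x80 else 0
    hdr = USBPCAP_HDR.pack(USBPCAP_HDR.size + len(extra), 1, 0, 0, info,
                           bus, device, endpoint, transfer, len(payload))
    return hdr + extra + payload


def pcap_file(records: List[bytes]) -> bytes:
    """Wrap record bodies in a classic little-endian pcap file with the USBPcap link type."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USBPCAP))
    for n, body in enumerate(records):
        out += struct.pack("<IIII", n, 0, len(body), len(body)) + body   # ts_sec, ts_usec, incl, orig
    return bytes(out)


def iter_usbpcap(pcap: bytes) -> Iterator[Record]:
    """Yield one Record per frame; raw keeps the pcap record header + body for re-writing."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_USBPCAP:
        raise ValueError("not a little-endian pcap with the USBPcap link type")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        raw = pcap[off:off + 16 + incl_len]
        off += 16 + incl_len
        body = raw[16:]
        hdr_len, _, _, _, _, bus, device, endpoint, transfer, data_len = USBPCAP_HDR.unpack_from(body, 0)
        yield Record(bus, device, endpoint, transfer, body[hdr_len:hdr_len + data_len], raw)


def learn_devices(pcap: bytes) -> Dict[Tuple[int, int], Tuple[int, int]]:
    """Map (bus, device) -> (idVendor, idProduct) from device-descriptor replies.

    During enumeration the host reads the device descriptor over control endpoint 0 (IN).
    The reply starts with bLength = 0x12 and bDescriptorType = 1 (DEVICE); idVendor and
    idProduct are the little-endian 16-bit values at byte offsets 8 and 10.
    """
    found = {}
    for rec in iter_usbpcap(pcap):
        p = rec.payload
        if (rec.transfer == TRANSFER_CONTROL and rec.endpoint == 0x80
                and len(p) >= 18 and p[0] == 0x12 and p[1] == 0x01):
            found[(rec.bus, rec.device)] = struct.unpack_from("<HH", p, 8)
    return found


def find_device(pcap: bytes, vid: int, pid: int) -> Optional[Tuple[int, int]]:
    """Return the (bus, device) address a given VID:PID got in this capture, if it enumerated."""
    for addr, ids in learn_devices(pcap).items():
        if ids == (vid, pid):
            return addr
    return None


def filter_to_device(pcap: bytes, bus: int, device: int) -> bytes:
    """File-level equivalent of the display filter usb.bus_id == bus && usb.device_address == device."""
    out = bytearray(pcap[:24])
    for rec in iter_usbpcap(pcap):
        if (rec.bus, rec.device) == (bus, device):
            out += rec.raw
    return bytes(out)


def build_sample_capture() -> bytes:
    """Constructed capture on root hub 3: two devices enumerate, then send interrupt reports."""
    recs = []
    for dev, (vid, pid) in ((4, (0x1234, 0x0001)), (5, (0xABCD, 0x0002))):   # made-up IDs
        descriptor = struct.pack("<BBHBBBBHHHBBBB", 0x12, 0x01, 0x0200, 0, 0, 0, 64,
                                 vid, pid, 0x0100, 1, 2, 3, 1)
        recs.append(usbpcap_frame(3, dev, 0x80, descriptor, TRANSFER_CONTROL))
        for i in range(3):
            report = bytes([0, 0, 0x04 + i, 0, 0, 0, 0, 0])   # keyboard-style 8-byte report
            recs.append(usbpcap_frame(3, dev, 0x81, report, TRANSFER_INTERRUPT))
    return pcap_file(recs)


if __name__ == "__main__":
    cap = build_sample_capture()
    for (bus, dev), (vid, pid) in sorted(learn_devices(cap).items()):
        print("bus %d device %d -> %04x:%04x" % (bus, dev, vid, pid))
    addr = find_device(cap, 0x1234, 0x0001)
    only = filter_to_device(cap, *addr)
    print("kept %d of %d frames" % (len(list(iter_usbpcap(only))), len(list(iter_usbpcap(cap)))))
```

Pointing the script at a real USBPcapCmd.exe output instead of the constructed capture only requires reading the file into `pcap`; because addresses are assigned at enumeration, run the lookup by VID:PID on every new capture rather than hard-coding a device number. Interactively, the same selection is the display filter `usb.bus_id == 3 && usb.device_address == 4` in Wireshark, and `tshark -r capture.pcap -Y "usb.bus_id == 3 && usb.device_address == 4" -w device4.pcap` writes the matching frames to a new file.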

To elaborate more on what I meant by "port", I have 3 root hubs and under my root hub 3, there are 6 ports which are specified in USBPcapCmd.exe as [Port 1], [Port 2], ... [Port 6]. I am interested only in [Port 4].

I can filter out the captured packets in Wireshark. However, I have limited knowledge of how to apply a display filter expression in USBPcapCmd.exe. It would be very helpful if you could share a manual or an example.

(12 Oct '17, 06:52) saisudheer8

It seems I wasn't clear enough to ground your optimism. There seems to be no (0) way to apply a display filter directly in USBPcapCmd.exe. You have to capture everything that runs through the chosen root hub into a .pcap file, and apply the display filter in Wireshark/tshark when processing that .pcap file further.

Maybe Desowin has implemented some finer capture filter but he hasn't documented it. I was unable to find anything at all in his code when dealing with another issue, you may be more successful here.

Also, you cannot display-filter down to the physical port number, because USBPcap does not store the information about the physical port(s) of the hub(s) as metadata in the .pcap file, as there is no space reserved for that purpose. This would theoretically be possible if USBPcap used the .pcapng format and translated such data into a text string such as "USB physical address 1.2.1.3.4" stored as the interface name, but it currently doesn't.

(12 Oct '17, 07:35) sindy

Got you! Thanks for the detailed explanation @sindy. I will filter out the necessary info in Wireshark. You guys are the best!

(12 Oct '17, 07:56) saisudheer8

@saisudheer8

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(12 Oct '17, 09:12) grahamb ♦