I want to capture only one USB Port but I get the traffic from all other ports in the filter which confuses my project. Any solution for this?
asked 12 Oct '17, 03:14
It depends on what you call "port". The tree topology of USB allows several hubs to be connected in a chain, and there is no static mapping of physical ports of the hubs to USB addresses of connected devices.
The only thing resembling a capture filter available in USBPcap is the choice of root hub on which to capture. When running USBPcapCmd from the command line, it is mandatory to choose a root hub. When running USBPcap from Wireshark or tshark, each root hub is offered as a separate extcap interface. Full stop.
(To make things even more confusing, a USB device connected to the very same physical port is seen as connected to one root hub if it is a USB 1.1/2.0 device but as connected to another root hub if it is a USB 3.0 device).
The mapping between physical USB ports of the computer and/or of external hubs and the USB address (bus.device.endpoint) is dynamically created during the enumeration phase. So if you have two USB keyboards and insert them in different order after restart of the computer, their USB addresses differ between cases.
So your best bet is to run USBPcapCmd.exe before inserting the devices you want to capture, and to analyse the enumeration phase to identify the bus and device IDs you'll use in your display filter expression to show only frames to/from the devices you are interested in. If necessary, you can save only frames matching the display filter into another .pcap file.
If you need your "project" to handle .pcap files fully automatically, without any manual pre-processing, you'll have to include analysis of the enumeration phase or some heuristic into it.
answered 12 Oct '17, 06:28
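The enumeration analysis suggested in the answer above, sketched as an added example (not code from the original answer or from the USBPcap project). It assumes a classic little-endian .pcap with link type 249 (USBPcap) and treats any control-transfer payload that starts like a device descriptor as one; the function names and the VID/PID values in the constructed sample capture are hypothetical.

```python
import struct

DLT_USBPCAP = 249                    # pcap link type used for USBPcap captures
HDR = struct.Struct("<HQIHBHHBBI")   # packed USBPCAP_BUFFER_PACKET_HEADER (27 bytes)
CONTROL = 2                          # transfer type value for control transfers

def packets(pcap):
    """Yield ((bus, device, endpoint, transfer), payload) per pcap record."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != DLT_USBPCAP:
        raise ValueError("not a little-endian USBPcap pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<I", pcap, off + 8)[0]
        rec = pcap[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(rec) < HDR.size:
            continue                 # truncated record, nothing to parse
        hlen, _irp, _st, _fn, _info, bus, dev, ep, xfer, dlen = HDR.unpack_from(rec)
        yield (bus, dev, ep, xfer), rec[hlen:hlen + dlen]

def enumerate_devices(pcap):
    """Map (bus, device) -> (idVendor, idProduct) from device descriptors."""
    found = {}
    for (bus, dev, _ep, xfer), data in packets(pcap):
        # Heuristic: bLength 18, bDescriptorType 1; idVendor/idProduct at offsets 8/10
        if xfer == CONTROL and len(data) >= 18 and data[0] == 18 and data[1] == 1:
            found[(bus, dev)] = struct.unpack_from("<HH", data, 8)
    return found

def display_filter(pcap, vid, pid):
    """Build a Wireshark display filter for the device(s) with this VID/PID."""
    hits = sorted(k for k, v in enumerate_devices(pcap).items() if v == (vid, pid))
    return " || ".join(f"(usb.bus_id == {b} && usb.device_address == {d})" for b, d in hits)

def _record(bus, dev, ep, xfer, data, stage=b""):
    # Constructed sample record; control transfers carry one extra stage byte
    hdr = HDR.pack(HDR.size + len(stage), 0, 0, 0, 1, bus, dev, ep, xfer, len(data))
    pkt = hdr + stage + data
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def sample_capture():
    """Constructed capture: two devices on bus 1 with made-up VID/PID values."""
    desc = lambda v, p: struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x200, 0, 0, 0, 64, v, p, 0x100, 1, 2, 0, 1)
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_USBPCAP)
    return glob + _record(1, 3, 0x80, CONTROL, desc(0x1234, 1), b"\x01") \
                + _record(1, 4, 0x80, CONTROL, desc(0x1234, 2), b"\x01") \
                + _record(1, 4, 0x81, 1, b"\x00" * 8)
```

The string returned by `display_filter` can be pasted into Wireshark, or passed to tshark to write only the matching frames to a new file.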