
How to read USB captures

asked 2020-09-09 05:05:13 +0000

valinwolf

I'm sure there is a tutorial or something out there to teach me, but for the life of me - I cannot find anything that I can understand. I'm trying to figure out how to read, interpret, and replicate communication with a "USB HID" device. For reference purposes, y'all are welcome to view my capture file, but I'm not asking for a gimme - I want to learn how to understand and interpret this on my own. Keep the lingo fairly simple please, however, because I have 0 experience in packets - network or USB. I'm really good with technology, but this is just escaping me.

Just for a reference on my skill level: I run Arch Linux on my laptop, I know several languages including C#, Python, and the standard web trio (the PHP one). I have 3 RPis, each one in a different project - soldered in. However, C++, Pascal, and ASM are mystery alien languages and if you ask me why the PNP/NPN transistor does what it does in the circuit I couldn't even begin to answer you - only that without it the circuit wouldn't work. I can tell you what to use UDP for vs TCP, but don't ask me why or how they work. I'll let y'all figure out where that puts me in this context.


1 Answer


answered 2021-04-04 18:49:58 +0000

desowin

The USB HID dissector was improved during Google Summer of Code 2020, so recent Wireshark versions give better results than older ones. However, after opening the capture in Wireshark 3.4.4, the dissection in "GET DESCRIPTOR Response HID Report" is as follows:

HID Report
    Usage Page (Vendor)
        Header
            .... ..10 = bSize: 2 bytes (2)
            .... 01.. = bType: Global (1)
            0000 .... = bTag: Usage Page (0x0)
        Usage Page: Vendor (0xff00)
    Usage (Vendor)
        Header
            .... ..01 = bSize: 1 byte (1)
            .... 10.. = bType: Local (2)
            0000 .... = bTag: Usage (0x0)
        Usage: Vendor (0x01)
    Collection (Application)
        Header
            .... ..01 = bSize: 1 byte (1)
            .... 00.. = bType: Main (0)
            1010 .... = bTag: Collection (0xa)
        Collection type: Application (0x01)
        Logical Minimum (0)
            Header
                .... ..01 = bSize: 1 byte (1)
                .... 01.. = bType: Global (1)
                0001 .... = bTag: Logical Minimum (0x1)
            Logical minimum: 0
        Logical Maximum (255)
            Header
                .... ..10 = bSize: 2 bytes (2)
                .... 01.. = bType: Global (1)
                0010 .... = bTag: Logical Maximum (0x2)
            Logical maximum: 255
        Report Size (8)
            Header
                .... ..01 = bSize: 1 byte (1)
                .... 01.. = bType: Global (1)
                0111 .... = bTag: Report Size (0x7)
            Report size: 8
        Report Count (8)
            Header
                .... ..01 = bSize: 1 byte (1)
                .... 01.. = bType: Global (1)
                1001 .... = bTag: Report Count (0x9)
            Report count: 8
        Usage (Vendor)
            Header
                .... ..01 = bSize: 1 byte (1)
                .... 10.. = bType: Local (2)
                0000 .... = bTag: Usage (0x0)
            Usage: Vendor (0x00)
        Feature (Data,Var,Abs)
            Header
                .... ..10 = bSize: 2 bytes (2)
                .... 00.. = bType: Main (0)
                1011 .... = bTag: Feature (0xb)
            .... .... 0 = Data/constant: Data
            .... ...1 . = Data type: Variable
            .... ..0. . = Coordinates: Absolute
            .... .0.. . = Min/max wraparound: No Wrap
            .... 0... . = Physical relationship to data: Linear
            ...0 .... . = Preferred state: Preferred State
            ..0. .... . = Has null position: No Null position
            .0.. .... . = (Non)-volatile: Non Volatile
            1... .... . = Bits or bytes: Buffered Bytes
        End Collection
            Header
                .... ..00 = bSize: 0 bytes (0)
                .... 00.. = bType: Main (0)
                1100 .... = bTag: End Collection (0xc)

From this you can basically tell that your device just uses HID to transfer vendor data. This is the old method to get a "USB device working without drivers". Unfortunately, there is not much more that can be determined from the packets without reverse engineering the vendor protocol.

You might want to check out USB Analysis 101 to get a basic idea of how USB works and how it differs from networking.
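As an added example (not part of desowin's answer or of Wireshark), here is a small Python decoder for the short-item header layout shown in the dissection above: one prefix byte carrying bSize, bType and bTag, followed by the data bytes. The descriptor bytes fed to it are reconstructed from that dissection, not taken from the asker's capture file.

```python
# Added example: decode HID report-descriptor short items. Each item begins
# with a prefix byte: bits 1..0 = bSize, bits 3..2 = bType, bits 7..4 = bTag,
# then bSize data bytes (a bSize field of 3 means 4 data bytes).
TYPE_NAMES = {0: "Main", 1: "Global", 2: "Local"}
TAG_NAMES = {
    (0, 0x8): "Input", (0, 0x9): "Output", (0, 0xB): "Feature",
    (0, 0xA): "Collection", (0, 0xC): "End Collection",
    (1, 0x0): "Usage Page", (1, 0x1): "Logical Minimum",
    (1, 0x2): "Logical Maximum", (1, 0x7): "Report Size",
    (1, 0x9): "Report Count", (2, 0x0): "Usage",
}
SIZE_MAP = {0: 0, 1: 1, 2: 2, 3: 4}

def parse_items(desc: bytes):
    """Return a list of (name, type, tag, value); raise on malformed input."""
    items, i = [], 0
    while i < len(desc):
        prefix = desc[i]
        size = SIZE_MAP[prefix & 0x03]
        btype = (prefix >> 2) & 0x03
        btag = prefix >> 4
        if btype == 3:  # long-item form (0xFE prefix); refuse rather than misparse
            raise ValueError(f"long item at offset {i} not supported")
        data = desc[i + 1:i + 1 + size]
        if len(data) != size:  # a broken or hostile device can truncate an item
            raise ValueError(f"item at offset {i} needs {size} bytes, got {len(data)}")
        value = int.from_bytes(data, "little")
        name = TAG_NAMES.get((btype, btag), f"Reserved tag 0x{btag:x}")
        items.append((name, TYPE_NAMES[btype], btag, value))
        i += 1 + size
    return items

# Constructed bytes matching the dissection above (vendor usage page 0xFF00,
# one application collection, one 8 x 8-bit Feature report).
VENDOR_DESC = bytes.fromhex("0600ff0901a101150026ff00750895080900b20201c0")

def feature_report_bytes(desc: bytes) -> int:
    """Payload length of the Feature item: Report Size * Report Count / 8."""
    size = count = 0
    for name, _, _, value in parse_items(desc):
        if name == "Report Size":
            size = value
        elif name == "Report Count":
            count = value
        elif name == "Feature":
            return size * count // 8
    return 0

if __name__ == "__main__":
    for name, btype, tag, value in parse_items(VENDOR_DESC):
        print(f"{name:16s} {btype:6s} tag=0x{tag:x} value=0x{value:x}")
```

Running it prints one line per item; comparing those against the Wireshark tree is a quick way to check the decoder and to see why an 8-byte vendor feature report is all the descriptor tells you.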


Stats

Asked: 2020-09-09 05:05:13 +0000

Seen: 5,430 times

Last updated: Apr 04 '21