
Help capturing USB packets in Windows

asked 2021-02-18 13:38:42 +0000

Bryan Hunt


We need to confirm the connection and transfer of data from a USB-connected device to a Windows-based application.

First we need to see the device and data flow from the local PC. Then we need to see the device in an RDP session to a host server where the application lives.

We are running USBPcap and Wireshark 3.4.3.

My initial testing here is not with the true target device, just a USB Ethernet adapter for now.

My first step in testing was to attach the USB device to the local PC and then run USBPcapCMD. I could see the device here: \??\USB#ROOT_HUB30# [Port 17] ASIX AX88179 USB 3.0 to Gigabit Ethernet Adapter

So the device is seen.

Next I disconnected the device and ran Wireshark. I then plugged the device back in and found it with the address 1.11.x.

Question #1, is there any correlation between the 1.11.x address and the port-17 device seen in USBPcap? Can I filter in some way via the port-17 location?

Question #2, if I unplug and then replug the device, it appears that the device address bumps up by one. Right now the USB adapter is 1.14.x. Does this mean that I have to refind the device in WS any time that I unplug/replug?

Question #3, if all looks good on the local USB connection, can I assume that I can run USBPcap and WS on the RDP session and see the passed-thru device there in the same manner?

Thanks for any and all help. These are preliminary questions, I'm sure more to come.


Bryan Hunt


1 Answer


answered 2021-04-04 18:27:44 +0000

desowin

Answer #1: The correlation between port number and device address is negligible for practical purposes, IMHO. That is, the host software stack usually enumerates the devices in the order determined by port number; this pretty much only means that when you keep rebooting the computer with exactly the same devices connected, it is likely (but not 100% sure) that the devices will get the same addresses.

Answer #2: Pretty much yes. To make it easier you can copy USBPcapCMD.exe to the Wireshark/extcap directory and filter the devices to capture from using the GUI (click the icon next to USBPcapX in the Wireshark interfaces list on the main screen).

Answer #3: RDP shouldn't have any influence on the capture process. As I understand it, the USBPcapCMD will be running on the host server.

Filtering by port sounds like a plausible enhancement request to me. But if, who and when implements that is something I don't know.

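Added example, not part of the original answer and not USBPcap or Wireshark code: because the address changes on every replug, one way to re-find a device is to look it up by the vendor and product ID in its device descriptor. The sketch below parses a classic pcap file with the USBPcap link type and maps each bus.device address to its VID:PID. It assumes the capture was running when the device was plugged in (as in the question), so that a device descriptor response is present; the helper names and the 0x1234:0x5678 sample device are constructed for illustration.

```python
import struct

LINKTYPE_USBPCAP = 249  # pcap link-layer type used for USBPcap captures
# USBPCAP_BUFFER_PACKET_HEADER (packed, little-endian): headerLen, irpId, status,
# function, info, bus, device, endpoint, transfer, dataLength
HDR = struct.Struct("<HQIHBHHBBI")
TRANSFER_CONTROL = 2

def device_ids(pcap_bytes):
    """Map (bus, device address) -> (idVendor, idProduct) from device descriptors."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", pcap_bytes, 0)
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_USBPCAP:
        raise ValueError("not a little-endian USBPcap capture in pcap format")
    found, off = {}, 24
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        pkt = pcap_bytes[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < HDR.size:
            continue  # truncated record, skip it
        hlen, _, _, _, _, bus, dev, ep, xfer, _ = HDR.unpack_from(pkt)
        data = pkt[hlen:]  # headerLen also covers the control-stage byte
        # A device descriptor is 18 bytes: bLength=18, bDescriptorType=1,
        # idVendor at offset 8, idProduct at offset 10.
        if (xfer == TRANSFER_CONTROL and ep & 0x7F == 0
                and len(data) >= 18 and data[0] == 18 and data[1] == 1):
            found[(bus, dev)] = struct.unpack_from("<HH", data, 8)
    return found

def find_address(pcap_bytes, vid, pid):
    """Return every 'bus.device' address that reported the given VID:PID."""
    ids = device_ids(pcap_bytes)
    return [f"{b}.{d}" for (b, d), found in ids.items() if found == (vid, pid)]

def make_record(bus, dev, stage, payload):
    """Build one constructed pcap record holding a control transfer on endpoint 0."""
    hdr = HDR.pack(HDR.size + 1, 1, 0, 0x000B, 1, bus, dev, 0x80, 2, len(payload))
    pkt = hdr + bytes([stage]) + payload
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

# Constructed sample: a made-up device 0x1234:0x5678 seen at address 11 and,
# after a replug, at address 14.
DESC = (bytes([18, 1, 0x00, 0x03, 0xFF, 0xFF, 0, 9])
        + struct.pack("<HH", 0x1234, 0x5678) + bytes(6))
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_USBPCAP)
          + make_record(1, 11, 1, DESC) + make_record(1, 14, 1, DESC))
```

A capture saved from Wireshark in its default pcapng format has to be saved as pcap first; the resulting address can then be used in a display filter such as `usb.device_address == 14`.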
