Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] possibility of USB capture on windows

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 27 Feb 2008 19:33:27 -0800

On Feb 27, 2008, at 6:43 PM, DePriest, Jason R. wrote:

Yes, Wireshark can probably capture it:
http://www.wireshark.org/docs/dfref/u/usb.html and

"There exist display filter elements for protocol XXX" does not imply that Wireshark has any ability to capture protocol XXX on any particular platform. It might be able to read capture files from some *other* source containing the protocol in question, or it might be able to capture it, but not on *your* platform...

http://wiki.wireshark.org/USB

...and, in fact, that page specifically says "at least for the linux platform", and doesn't mention Windows, which is the platform about which the person who sent the original message asked.

USB can have poor timestamps:
http://www.wireshark.org/docs/wsug_html_chunked/ChAdvTimestamps.html

That page says

USB connected network adapters often provide a very bad time stamp accuracy. The incoming packets have to take "a long and winding road" to travel through the USB cable until they actually reach the kernel. As the incoming packets are time stamped when they are processed by the kernel, this time stamping mechanism becomes very inaccurate.

It's not referring there to capturing raw USB messages; instead, it's referring to capturing network traffic on USB network adapters, as opposed to capturing on network adapters connected to the main peripheral bus (e.g., PCI) or to a bus more directly attached to that bus (e.g., PC Card or CardBus). That's the "just ethernet over usb" in "Capturing all usb needs to be stressed, not just ethernet over usb."

Not so good for Windows, better for Linux:
http://wiki.wireshark.org/CaptureSetup/USB

...where "not so good" translates as "not at all", when using Wireshark:

	You cannot capture raw USB traffic on Windows with Wireshark/WinPcap.

It then refers you to the Tools page, but that only refers you to some separate tools that can be used to capture USB traffic. Those might work better than SniffUSB - or might not.