Wireshark-dev: Re: [Wireshark-dev] possibility of USB capture on windows
From: Guy Harris <[email protected]>
Date: Wed, 27 Feb 2008 19:33:27 -0800
On Feb 27, 2008, at 6:43 PM, DePriest, Jason R. wrote:

> Yes, Wireshark can probably capture it:
> http://www.wireshark.org/docs/dfref/u/usb.html and

"There exist display filter elements for protocol XXX" does not imply
that Wireshark has any ability to capture protocol XXX on any  
particular platform.  It might be able to read capture files from some  
*other* source containing the protocol in question, or it might be  
able to capture it, but not on *your* platform...
...and, in fact, that page specifically says "at least for the linux  
platform", and doesn't mention Windows, which is the platform about  
which the person who sent the original message asked.

> USB can have poor timestamps:

That page says

	USB connected network adapters often provide a very bad time stamp accuracy. The incoming packets have to take "a long and winding road" to travel through the USB cable until they actually reach the kernel. As the incoming packets are time stamped when they are processed by the kernel, this time stamping mechanism becomes very inaccurate.

It's not referring there to capturing raw USB messages; instead, it's
referring to capturing network traffic on USB network adapters, as  
opposed to capturing on network adapters connected to the main  
peripheral bus (e.g., PCI) or to a bus more directly attached to that  
bus (e.g., PC Card or CardBus).  That's the "just ethernet over usb"  
in "Capturing all usb needs to be stressed, not just ethernet over usb."

> Not so good for Windows, better for Linux:

...where "not so good" translates as "not at all", when using Wireshark:

	You cannot capture raw USB traffic on Windows with Wireshark/WinPcap.

It then refers you to the Tools page, but that only refers you to some separate tools that can be used to capture USB traffic. Those might work better than SniffUSB - or might not.