
SANS ISC: Wireshark and USB - SANS Internet Storm Center


Wireshark and USB

Wireshark can capture USB traffic, provided the capture back end for your platform is in place: on Windows that is the USBPcap driver (offered as an optional component by the Wireshark installer), on Linux the usbmon kernel module (modprobe usbmon, and your user needs read access to /dev/usbmon*).

When you start capturing USB traffic and then insert a USB stick, you'll see something like this:

First we see a GET_DESCRIPTOR request (and its response) for the device descriptor.

The descriptor contains interesting information, like the Vendor ID (VID or idVendor) and Product ID (PID or idProduct). Maybe you've already come across VIDs and PIDs, for example in a Windows device instance ID like this one: USB\VID_0951&PID_16AE\902B341D991AB031991F4C4D (the last component is the device's serial number).

In this device descriptor, you can also see the indices of the Manufacturer, Product and SerialNumber string descriptors (the iManufacturer, iProduct and iSerialNumber fields): 1, 2 and 3.

A bit later in the capture, you'll see a request for a string descriptor (descriptor type 3) with index 0. Index 0 is special: it holds no text, but the list of language IDs (LANGIDs) the device supports for its string descriptors.

The language used for the string descriptors of the USB stick I inserted is US English (0x0409):

With this information, Windows first queries the length of string descriptor 3 in US English (the bLength field, the first byte of the descriptor):

It is 50 bytes long: 2 header bytes (bLength and bDescriptorType) plus 24 characters encoded as UTF-16LE, 2 bytes each.

Windows can then request the full 50-byte string descriptor with index 3 in US English:

Which gives us the serial number in response: the same value that appears as the last component of the instance ID above.
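The enumeration sequence above, as an added example that is not part of the diary: it builds the SETUP packets a host sends for GET_DESCRIPTOR, parses the 18-byte device descriptor and the string descriptors a toy device answers with, and replays the order the diary describes (device descriptor, LANGID list, length probe, full string read). All descriptor bytes are constructed here from the values the diary quotes (VID 0x0951, PID 0x16AE, indices 1/2/3, LANGID 0x0409, the 24-character serial); the manufacturer and product strings, and the 2-byte length probe, are this example's assumptions, not something the diary states.

```python
import struct

# Constructed sample data for this example (not the diary's capture): the VID,
# PID, string indices, LANGID and serial are the values the diary quotes.
SERIAL = "902B341D991AB031991F4C4D"

DEV_FMT = "<BBHBBBBHHHBBBB"  # 18-byte device descriptor, all fields little-endian
DEV_FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
              "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0",
              "idVendor", "idProduct", "bcdDevice", "iManufacturer",
              "iProduct", "iSerialNumber", "bNumConfigurations")


def build_device_descriptor(vid, pid, i_mfr=1, i_prod=2, i_serial=3):
    return struct.pack(DEV_FMT, 18, 1, 0x0200, 0, 0, 0, 64,
                       vid, pid, 0x0100, i_mfr, i_prod, i_serial, 1)


def build_string_descriptor(text=None, langids=None):
    # Index 0 carries 16-bit LANGIDs; every other index carries UTF-16LE text.
    body = (b"".join(struct.pack("<H", l) for l in langids) if langids is not None
            else text.encode("utf-16-le"))
    return struct.pack("<BB", 2 + len(body), 3) + body


def parse_device_descriptor(data):
    d = dict(zip(DEV_FIELDS, struct.unpack(DEV_FMT, data[:18])))
    if d["bLength"] != 18 or d["bDescriptorType"] != 1:
        raise ValueError("not a device descriptor")
    return d


def parse_string_descriptor(data, index):
    blength, btype = data[0], data[1]
    if btype != 3 or blength > len(data):
        raise ValueError("not a complete string descriptor")
    body = data[2:blength]
    if index == 0:
        return [struct.unpack_from("<H", body, i)[0] for i in range(0, len(body), 2)]
    return body.decode("utf-16-le")


def get_descriptor_setup(desc_type, index, langid=0, wlength=255):
    # 8-byte SETUP packet: bmRequestType 0x80 (IN, standard, device recipient),
    # bRequest 6 (GET_DESCRIPTOR), wValue = type << 8 | index, wIndex = LANGID.
    return struct.pack("<BBHHH", 0x80, 0x06, (desc_type << 8) | index, langid, wlength)


def device_respond(setup, descriptors):
    # Toy device side: answer with at most wLength bytes of the requested descriptor.
    _, breq, wvalue, _windex, wlength = struct.unpack("<BBHHH", setup)
    if breq != 0x06:
        raise ValueError("only GET_DESCRIPTOR is modelled")
    return descriptors[(wvalue >> 8, wvalue & 0xFF)][:wlength]


def windows_instance_id(dev, serial):
    return "USB\\VID_%04X&PID_%04X\\%s" % (dev["idVendor"], dev["idProduct"], serial)


def enumerate_strings(descriptors):
    """Replay the diary's order; return (device, LANGID, strings, (index, bLength) log)."""
    dev = parse_device_descriptor(
        device_respond(get_descriptor_setup(1, 0, wlength=18), descriptors))
    langid = parse_string_descriptor(
        device_respond(get_descriptor_setup(3, 0), descriptors), 0)[0]
    strings, log = {}, []
    for name in ("iManufacturer", "iProduct", "iSerialNumber"):
        idx = dev[name]
        # Length probe (wLength=2, the header, is this example's assumption; the diary
        # only says Windows asks for the length first), then the full read.
        head = device_respond(get_descriptor_setup(3, idx, langid, wlength=2), descriptors)
        full = device_respond(get_descriptor_setup(3, idx, langid, wlength=head[0]), descriptors)
        strings[name] = parse_string_descriptor(full, idx)
        log.append((idx, head[0]))
    return dev, langid, strings, log


# Constructed device: (bDescriptorType, index) -> descriptor bytes.
DESCRIPTORS = {
    (1, 0): build_device_descriptor(0x0951, 0x16AE),
    (3, 0): build_string_descriptor(langids=[0x0409]),
    (3, 1): build_string_descriptor("Example Vendor"),  # assumed manufacturer string
    (3, 2): build_string_descriptor("Example Stick"),   # assumed product string
    (3, 3): build_string_descriptor(SERIAL),
}

if __name__ == "__main__":
    dev, langid, strings, log = enumerate_strings(DESCRIPTORS)
    print("LANGID 0x%04X" % langid, strings, log)
    print(windows_instance_id(dev, strings["iSerialNumber"]))
```

Running it prints the three strings, the (index, bLength) pairs of each probe (the serial's descriptor comes back as 50 bytes, as in the diary) and the instance ID rebuilt from idVendor, idProduct and the decoded serial.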

I invite you to test out Wireshark's USB capture with different USB devices, and post a comment with your findings.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

281 Posts
ISC Handler
Really nice, thanks!
berlin102491

6 Posts
Debian Jessie Wireshark version (1.12.1+g01b65bf-4+deb8u13) is too old to capture USB traffic...
L4rs

12 Posts
Sounds interesting. Many years ago, I repurposed a USB-connected remote control by sniffing the USB traffic (using sniffing software other than Wireshark).
Vincent T

15 Posts
