Last Updated: 2018-03-17 22:23:44 UTC
by Didier Stevens (Version: 1)
Wireshark can capture USB traffic, provided you fulfil the necessary requirements.
When you start capturing USB traffic and then insert a USB stick, you'll see something like this:
First we see a request (and response) for the device descriptor.
The descriptor contains interesting information, like the Vendor ID (VID or idVendor) and Product ID (PID or idProduct). Maybe you've already come across VIDs and PIDs, like in this instance ID: USB\VID_0951&PID_16AE\902B341D991AB031991F4C4D
In this device descriptor, you can also see the indices for the Manufacturer, Product and SerialNumber string descriptors: 1, 2 and 3.
A bit later in the capture, you'll see a request for a string descriptor (type 3) with index 0: that actually means an inquiry for the languages used for the string descriptors.
The language used for the string descriptors of the USB stick I inserted is US English (0x0409):
With this information, Windows will perform a query to obtain the length of string descriptor 3 in US English:
It is 50 bytes long:
And thus Windows can do a query for a 50 bytes long string descriptor with index 3 in US English:
Which gives us the serial number in response:
I invite you to test out Wireshark's USB capture with different USB devices, and post a comment with your findings.
If you have more information or corrections regarding our diary, please share.