
Wireshark and USB

Published: 2018-03-17
Last Updated: 2018-03-17 22:23:44 UTC
by Didier Stevens (Version: 1)
1 comment(s)

Wireshark can capture USB traffic, provided you fulfil the necessary requirements.

When you start capturing USB traffic and then insert a USB stick, you'll see something like this:

First we see a request (and response) for the device descriptor.

The descriptor contains interesting information, like the Vendor ID (VID or idVendor) and Product ID (PID or idProduct). Maybe you've already come across VIDs and PIDs, like in this instance ID: USB\VID_0951&PID_16AE\902B341D991AB031991F4C4D

In this device descriptor, you can also see the indices for the Manufacturer, Product and SerialNumber string descriptors: 1, 2 and 3.

A bit later in the capture, you'll see a request for a string descriptor (type 3) with index 0: that actually means an inquiry for the languages used for the string descriptors.

The language used for the string descriptors of the USB stick I inserted is US English (0x0409):

With this information, Windows will perform a query to obtain the length of string descriptor 3 in US English:

It is 50 bytes long:

And thus Windows can do a query for a 50-byte string descriptor with index 3 in US English:

Which gives us the serial number in response:
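The descriptor exchange described above, replayed as an added example that is not part of the diary: a simulated device answers GET_DESCRIPTOR requests, and the host side parses the device descriptor, reads the LANGID list from string index 0, asks for 2 bytes to learn bLength, then fetches the full serial. All bytes are constructed; only the VID/PID and the serial string are taken from the diary.

```python
import struct

# Constructed sample device descriptor (18 bytes, little-endian; not captured from the diary's stick).
DEVICE_DESCRIPTOR = struct.pack(
    "<BBHBBBBHHHBBBB",
    18, 1,            # bLength, bDescriptorType (1 = DEVICE)
    0x0200,           # bcdUSB
    0, 0, 0,          # bDeviceClass, bDeviceSubClass, bDeviceProtocol
    64,               # bMaxPacketSize0
    0x0951, 0x16AE,   # idVendor, idProduct (the VID/PID from the diary's instance ID)
    0x0100,           # bcdDevice
    1, 2, 3,          # iManufacturer, iProduct, iSerialNumber (string descriptor indices)
    1,                # bNumConfigurations
)

def make_string_descriptor(text):
    """String descriptor: bLength, bDescriptorType=3, then UTF-16LE text (no terminator)."""
    data = text.encode("utf-16-le")
    return struct.pack("<BB", 2 + len(data), 3) + data

# Simulated device string table keyed by (index, LANGID). Index 0 is the LANGID list.
STRINGS = {
    (0, 0x0000): struct.pack("<BBH", 4, 3, 0x0409),                  # US English only
    (3, 0x0409): make_string_descriptor("902B341D991AB031991F4C4D"),  # serial from the diary
}

def device_get_string(index, langid, wlength):
    """Device side of GET_DESCRIPTOR(STRING): never returns more than wLength bytes."""
    return STRINGS[(index, langid)][:wlength]

def parse_device_descriptor(buf):
    f = struct.unpack("<BBHBBBBHHHBBBB", buf[:18])
    return {"idVendor": f[7], "idProduct": f[8], "iManufacturer": f[10], "iProduct": f[11], "iSerialNumber": f[12]}

def parse_langids(buf):
    """Index-0 string descriptor: list of 16-bit LANGIDs after the 2-byte header."""
    return [struct.unpack_from("<H", buf, i)[0] for i in range(2, buf[0], 2)]

def host_read_string(index, langid):
    """Host side as in the diary: ask for 2 bytes to learn bLength, then re-request bLength bytes."""
    blength, dtype = struct.unpack("<BB", device_get_string(index, langid, 2))
    if dtype != 3:
        raise ValueError("not a string descriptor")
    full = device_get_string(index, langid, blength)
    return blength, full[2:].decode("utf-16-le")

def enumerate_serial():
    """Replays the diary's sequence: (idVendor, idProduct, LANGID, serial bLength, serial)."""
    dev = parse_device_descriptor(DEVICE_DESCRIPTOR)
    langid = parse_langids(device_get_string(0, 0, 255))[0]   # 255: assumed "large enough" wLength
    length, serial = host_read_string(dev["iSerialNumber"], langid)
    return dev["idVendor"], dev["idProduct"], langid, length, serial
```

The 50-byte length the diary observes falls out of the encoding: 2 header bytes plus 24 UTF-16LE characters.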

I invite you to test out Wireshark's USB capture with different USB devices, and post a comment with your findings.

Didier Stevens
Microsoft MVP Consumer Security

Keywords: usb wireshark