Hello folks,
I am pleased to announce the USBPcap [1]. The project is not end-user
ready, but I think it's right time to ask you for comments.
USBPcap consists of two parts:
* filter driver (USBPcap.sys)
* user-mode application (USBPcapCMD.exe)
Filter driver attaches to every root hub in system and creates
\Device\USBPcapX control device object. Capture data is internally
stored in pcap format and can be retrieved using USBPcapCMD.exe.
The pcap format for USBPcap is not yet registered. Please provide
feedback before I will request the DLT from tcpdump. To get the idea
of the format, take a look inside USBPcapDriver/USBPcapBuffer.h file.
I have submitted proof-of-concept patch alongside with a sample
capture file to the bugzilla [2]. This patch hijacks the
WTAP_ENCAP_USER0 from the packet-user_encap.c.
Source code is available at github [3]. Pull requests are welcome. :-)
Regards,
Tomasz
[1] http://desowin.org/usbpcap
[2] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8503
[3] http://github.com/desowin/usbpcap