Wireshark-dev: [Wireshark-dev] Filtering USB HID fields

From: Tomasz Moń <desowin@xxxxxxxxx>
Date: Wed, 29 Sep 2021 08:22:59 +0200
Hello,

USB HID Usage Tables 1.22 specifies plenty of usages. Usages include
for example, keyboard keys, LEDs, buttons, VR controls, etc. Usages
are grouped into pages. There are plenty of usages, e.g. button page
alone is 65536 items (0x0000 means no button pressed, 0x0001 means
button 1, ..., 0xFFFF means button 65535). Each usage is uniquely
identified by 32-bit value that consists of 16-bit page and 16-bit id.

Some usages don't have numeric value associated with it, but are
selectors. Example selector is keyboard keys, where the report data
specifies indexes from an array that determines what keys are being
pressed. For example keyboard that supports up to 6 simultaneous key
presses, reports 6 indexes (index 0 usually means no key pressed and
other indexes determine pressed key).

Every USB HID device provides descriptior that determines what the
report data bytes means. Current Wireshark development version
annotates all usages from USB HID Usage Tables 1.22 but the usages are
not really filterable.

Possible solution is to register hf for each usage. This can be
achieved by either dynamically allocate required hfs after dissecting
report descriptor or preallocating all hfs (either dynamically at
runtime, or automatically generate the code). The hf name can be
consutructed algorithmically based on the usage page and name.

As the number of usages is quite high, I am concerned if getting one
hf field for each is the way to go. A completely different approach
would be to have generic hf and make the filter value somehow encode
usage page, id and value (if any).

I am not sure which of the above proposed options is worth pursuing.

Best regards,
Tomasz Moń