Wireshark-dev: Re: [Wireshark-dev] USB Attached SCSI dissector

From: Tomasz Moń <desowin@xxxxxxxxx>
Date: Mon, 25 Oct 2021 21:03:37 +0200
On Mon, Oct 25, 2021 at 4:57 PM Kennedy, Smith (Wireless & IPP
Standards) via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:
> The "Universal Serial Bus Common Class Specification" (https://usb.org/sites/default/files/usbccs10.pdf) discusses matching "drivers" to devices based on the device's or interface's class, subclass and protocol. I would suggest that, for USB, dissector matching for USB could adopt elements of this methodology to make it easier or more clear how to add support for new subclasses or protocols under a particular class.

Wireshark USB dissector already does that. The major issue with
current Wireshark implementation is that it really works with only one
configuration. Hopefully, very few devices use multiple
configurations.

> I don't know if that maps to needing a "heuristic" dissector. I just wanted to point out that the USB interface descriptor provides values for class / subclass / protocol, so "protocol" in this context doesn't have to mean "look at the traffic and guess what protocol it is" - it can be identified in a more deterministic way than that. But I understand that, since Wireshark is monitoring traffic, not acting as the USB Host, its matching will be "passive" and only apply to dissector selection.

The heuristic should not be the main USB traffic detection method
IMHO. The main thing is that people don't necessarily understand that
capturing full enumeration sequence (aka starting capture before
plugging in the device) will give you much better dissection in
multiple cases. Wireshark currently supports only few USB protocols
now, so this is not common knowledge yet. Recent libpcap versions
automatically request device and configuration descriptors on capture
start (easier version request only device descriptor).