On Mon, Oct 25, 2021 at 9:08 PM Guy Harris <gharris@xxxxxxxxx> wrote:
> On Oct 25, 2021, at 12:03 PM, Tomasz Moń <desowin@xxxxxxxxx> wrote:
> > The heuristic should not be the main USB traffic detection method
> > IMHO. The main thing is that people don't necessarily understand that
> > capturing full enumeration sequence (aka starting capture before
> > plugging in the device) will give you much better dissection in
> > multiple cases.
>
> The main thing is that there's no guarantee that you get the full enumeration.
Software only USB capture engines provide enough information for
Wireshark dissection if you plug in the device after starting the
capture. That is, it is good enough when the user is not struggling
with board bringup issues while developing USB device firmware. The
requests not captured by software only sniffer are not really big deal
IMHO after the bringup is complete.
> > Recent libpcap versions
> > automatically request device and configuration descriptors on capture
> > start (easier version request only device descriptor).
>
> Is this done on FreeBSD, macOS, and Windows?
>
> Or is this Linux-only?
Linux only. On Windows, USBPcap has the option to inject already
connected devices descriptors on capture start (technically it is
different to what libpcap on Linux does, as it does not actively
request the descriptors from device, but rather uses the cached
values).
I don't know about macOS nor FreeBSD.