TechNinjutsu‎ > ‎

Introduction to Usb sniffers and Serial Analysis

posted Dec 9, 2010, 7:08 PM by d graham   [ updated Dec 10, 2010, 1:29 AM ]

As discussed earlier, much of modern computing(if not all) is abstraction. At the core of computing science, we abstract away the 1's and 0's. Sometimes those 1's and 0's are really helpful however. Lets say you have a USB device which operates under Windows, but which you would like to run under Linux.

A big, well funded, common USB device manufacturer may have Linux drivers available. Many USB based devices which have a larger community surrounding them may already have drivers too. When you really need something to work though, and neither of these resources exist, you may be left with the difficult but rewarding decision to create your own interface or drivers. There are many good resources on the internet for creating custom drivers, and that is a bit above the level of this tutorial, for anyone interested I recommend checking at, msdn, or just searching the net based on your programming language of choice.

In order to log the transactions going across the USB wire we will need to install what is known as a USB Sniffer, or USB protocol analyzer. The USB sniffer will need to be installed on a system which is currently able to connect to the device in question. Higher end USB protocol analyzers will actually be a hardware break out device all on their own, which is running a software stack capable of silently logging and forwarding packets to the computer in question. We will focus on the software protocol analyzers, as the hardware type are typically cost prohibitive(and if you can afford one you should know how to use it already).

There any many software usb protocol analyzers but there are two I recommend: USBlyzer and Snoopy Pro

USBlyzer has a 30 day trial which is available at:

Snoopy Pro is free software and can be downloaded at:

Once you have the USB analyzer software installed the process is pretty straight forward: after all its 1's and 0's, right?

Select your usb device in the analyzer software of your choice. You may have to select a sub-device if your USB device shows up as multiple connections, based on the drivers which support multiple modes of communication: for example, many cellphones show up with a Modem device, and a Qualcomm Diagnostic device

Once you have selected the device you will need to begin the packet capture, and then, in a deliberate manner, begin controlling the device with the software you wish to emulate later on.

You will notice lots of activity across the wire once you end the capture, and often many of these messages are insignificant for what you would like to do. For a USB-serial device, try to look for “Bulk Transfer” operations, which are mostly just a series of simply encoded bytes. Be sure you understand which commands are being send out to the USB devices and which commands are being received as a response, as the logging software will capture both. Now that you have the bytes which make up a command, try to open hyper-terminal and see if you are able to send them in the same manner as the original control system: if your commands are received successfully you are halfway to creating your own command and control software!