"SniffUsb 2.0" USB Sniffer for Windows

Overview

SniffUSB 2.0 is a minor update to the predecessor SniffUSB 1.8 by Benoit Papillault.

The purpose of this release is actually to update Benoit's prior work to allow it to be built under newer development tools. In particular:

bulletThe SniffUSB application is built under Microsoft Visual Studio 2005.
bulletThe UsbSnoop driver is built under the Windows Vista Driver Kit (WDK 6000)

Benoit deserves quite a bit of credit because his V1.8 application and driver ported to these newer tools with very little effort.

Thanks, Benoit!

This release does not fix any bugs from Benoit's V1.8 release and does not offer any new functionality.

After making the initial port of the UsbSnoop driver to WDK 6000 (which went smoothly...) I did make additional modifications to the driver code. Most of these were to make the code more readable - at least to me.

The V2.0 UsbSnoop driver changes included:

bulletFixed a small number of PreFast warnings.
bulletReplaced deprecated functions with newer preferred functions.
bulletNow use lookaside lists for repetitive fixed-size allocations.
bulletRemoved dead code.
bulletSimplified some code paths.
bulletReorganized code and renamed variables and functions to suit my tastes.
bulletReplaced driver core dispatch template with that of the WDK 6000 filter.cpp sample driver.

In addition I removed some functionality:

bulletSniffUSB 2.0 does NOT support Windows 98/ME
bulletSniffUSB 2.0 does NOT support Windows 2000

I did very little work on the SniffUSB MFC application. Changes that I did make include:

bulletReplaced some deprecated functions with newer preferred functions.
bulletFixed some complier warnings.
bulletRevised the folder organization for compiler and linker output.
bulletAdded x64 configurations.
bulletFixed "Present" indication. (V2.0.0004)
bulletImproved display refresh control. (V2.0.0004)
bulletControl whether devices that are not present are listed. (V2.0.0004)
bulletAdded "Uninstall All" button.  (V2.0.0005)
bulletAdded mechanism to pause/resume logging. (V2.0.0006)
bulletAdded mechanism to allow the log file to be closed and deleted reliably. (V2.0.0006)

SniffUSB 2.0 now supports only Windows XP and higher.

Benoit's original SniffUSB V1.8 source and executables can be found at the URL:

    http://benoit.papillault.free.fr/usbsnoop/

 

Application Overview

The SniffUSB main dialog is illustrated below:

 

Device List

The top of the display lists USB devices that are present on the host system.

Log File Controls

These controls are provided:

bullet

Resume Log - Start or resume logging.

bullet

Pause Log - Pause logging.

bullet

Close Log - Command the driver to close the log file. Available only if logging is paused.

bullet

Delete Log - Delete the log file. Available only if driver has closed the log file.

Display Refresh Controls

These are used to specify when the Device List should be refreshed. Pressing the Refresh button will refresh the display at any time. You can have the display automatically refresh by checking the Auto-Refresh Enable checkbox and then specifying the refresh interval in the companion drop list.

Device List Controls

By default the Device List shows only USB devices that are present on the system. You can also view devices that are not currently present by checking the List Devices Not Present checkbox.

Filter Controls

In order to log USB operations you must install the UsbSnoop filter below the devices that you wish to monitor.

Installing a UsbSnoop Filter

To install the UsbSnoop filter follow these steps:

  1. Select the USB device of interest in the Device List.

  2. Press the Install button in the Filter Control group. This calls SetupDi functions that are needed to install the UsbSnoop filter below the selected device. "Installed" should then appear in the "Filter Installed?" column of the Device List.

Here the term "installed" may be a little misleading. At this point the system has been configured so that the next time the selected device is started the UsbSnoop filter will be installed - but the filter isn't actually started.

The filter will actually be started the next time the selected device is started. If you restart your system, then the filter will be started when the system restarts. If the device is removable, then if you remove and re-plug the device the filter will be started as part of the re-plug process.

Alternatively you can press the Replug button in the Filter Control group. This restarts the selected device programmatically and as the selected device is restarted the UsbSnoop filter will actually be loaded below the selected device.

Uninstalling a UsbSnoop Filter

To uninstall a UsbSnoop filter follow these steps:

  1. Select the USB device of interest in the Device List.

  2. Press the Uninstall button in the Filter Control group. This calls SetupDi functions that are needed to uninstall the UsbSnoop filter from below the selected device. "Installed" should then disappear in the "Filter Installed?" column of the Device List.

Here the term "uninstalled" may be a little misleading. At this point the system has been configured so that the next time the selected device is started the UsbSnoop filter will be not be installed - but the UsbSnoop filter is actually still running and logging data.

You can press the Replug button in the Filter Control group. This restarts the selected device programmatically and as the selected device is restarted the UsbSnoop filter will not be loaded below the selected device.

Uninstalling All Filters

Press the Uninstall All button in the Filter Control group. This does the "uninstall" and the "re-plug" operations needed to remove all UsbSnoop filter instances.

 

Viewing the Log File

The default viewer simply opens the log file using Notepad. For more readable results, open the log file using WordPad.

Use WordPad to view the Log file.

 

License and Warranty

This program is provided as a service to the Windows system software development community via Printing Communications Assoc., Inc. (PCAUSA) and Benoit Papillault.

The right to use this code in your own derivative works is granted so long as your own derivative works include significant modifications of your own. This product includes software developed by PCAUSA and Benoit Papillault. The names of PCAUSA and Benoit Papillault may not be used to endorse or promote products derived from this software without specific prior written permission.

Printing Communications Assoc., Inc. (PCAUSA) and Benoit Papillault expressly disclaim any warranty.

THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MECHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK ARISING FROM THE USE OF THIS SOFTWARE REMAINS WITH YOU.

PCAUSA's entire liability and your exclusive remedy shall not exceed the price paid for this material. In no event shall PCAUSA or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profit, business interruption, loss of business information, or any other pecuniary loss) arising out of the use or inability to use this software, even if PCAUSA has been advised of the possibility of such damages. Because some states/jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
 

Feedback

This is brand-new code that I have not been able to test thoroughly. So, I welcome your feedback in the following areas:

bulletCrashes - I will look at them when I have spare time.
bulletMissing functionality - If there is anything that I have left out from Benoit's original work, let me know.
bulletNew Functionality - Let me know. Perhaps I will have some time.

My email address is at the bottom of this page.

 

Download SniffUSB 2.0 Executables

Please understand that SniffUSB is an experimental tool. Although not known to have flaws, it is not as heavily tested as other PCAUSA products.

You will need to install the .NET 2.0 framework to provide the necessary MFC and CRT support for SniffUSB. If there is sufficient interest I will make a MSI installer that installs the support for you.

SniffUSB 2.0.0006 x86 Edition
138.81KB (142141 bytes)

SniffUSB 2.0.0006 x64 Edition
179.92KB (184236 bytes)

 

Download SniffUSB 2.0 Source Code

You can download the SniffUSB source code from the following link:

SniffUSB 2.0.0006 Source Code
194.75KB (199425 bytes)

 

SniffUSB 2.0 Release Notes

You can view the SniffUSB 2.0 Release Notes from the following link:

SniffUSB 2.0Release Notes
 

 

Please let me know your experiences with this experimental software. Your feedback is needed if improvements are to be made to this tool.

Thomas F. Divine

tdivine@NOpcausaSPAM.com
(Remove "NO" and "SPAM" to get usable email address...)

 

Topic Status
February 23, 2007 Improvements to logging control and log file deletion.

See the Release Notes.
January 14, 2007 Improvements to MFC application.
 
bulletFixed bug in "Present" indication.
bulletImproved display refresh mechanism. Is not more usable.
bulletCan now control whether devices that are not present are listed.
January 1, 2007 Minor update V2.0.0002. See the SniffUSB 2.0.
December 27, 2006 Initial release. SniffUSB V2.0.0001.

 

 

Hit Counter
1/1/07 

 

PCAUSA Home · Privacy Statement · Products · Ordering · Support · Utilities · Resources
Mailing Lists  · PCAUSA Newsletter · PCAUSA Discussion List
 
Rawether for Windows and WinDis 32 are trademarks of Printing Communications Assoc., Inc. (PCAUSA)
Microsoft, MS, Windows, Windows 95, Windows 98, Windows Millennium, Windows 2000, and Win32 are registered trademarks and Visual C++ and Windows NT are trademarks of the Microsoft Corporation.
Send mail to webmaster@pcausa.com with questions or comments about this web site.
Copyright © 1996-2008 Printing Communications Assoc., Inc. (PCAUSA)
Last modified: December 31, 2007