Monitoring USB Traffic and Analyzing USB Devices Activity
Part 1 - Explore USB Device Tree, view USB Device Properties
Capturing Hot-Plugged Devices
USBlyzer is a full-featured USB traffic monitoring tool that lets you monitor not only the activity of devices that are already present, but also the activity of devices from the moment they are connected. If you do not know in advance which USB device's activity you want to monitor and analyze, you will probably want to enable automatic capturing for hot-plugged devices. To do this, select the Capture->Capture Hot-plugged menu item. When this option is on, capture is enabled automatically for any USB device that you plug into the computer while USBlyzer is in capture mode.
Once you have chosen which USB device traffic you wish to monitor, or enabled capturing of hot-plugged devices, you are almost ready to monitor USB traffic. Before you start, a couple of words about some global settings that you might want to customize.
Before you start the capture, you can customize the global Capture Settings. To do this, select the Capture->Capture Settings... menu item. The following window will appear:
The tree view lists all URBs, IRPs, and user-mode and kernel-mode I/O control requests that USBlyzer is able to capture. You can capture everything and then filter the request types you want to see, or you can select only the particular request types you want to capture and thus limit the size of the captured data.
You can alter any option of the capture settings at any time, even while the capture is active. You can also save the current configuration of the capture settings for later use by clicking the Save As... button.
Just leave everything as is and close the dialog.
Capture File Size
Now select Options->Preferences menu item. This will bring up a dialog where you can set USBlyzer preferences. Select the Capture tab on the left. The following window will appear:
Here you can set the size of the temporary capture file that USBlyzer uses to save the captured data. This setting controls the maximum size to which the capture file can grow; the actual size depends on the amount of data captured. Leave everything as is and close the dialog.
OK. Now the only thing remaining is to start the data capture.
Once you have selected which USB device or devices to monitor and configured the capture settings, just click the Start Capture button on the toolbar, and USBlyzer starts monitoring the USB traffic passing through the selected devices.
Now perform some activity with the USB device you are monitoring. If you chose to monitor hot-plugged devices, plug any USB device into the computer now. You will see the Capture List fill with the captured data.
Capturing continues until the capture buffer is full or the Stop Capture button is pressed. The progress indicator on the status bar shows how much of your capture file is filled with captured data.
Analyzing USB Device Activity
Now it's time to analyze the USB device activity. Clicking on an item in the Capture List will display a complete analysis of the request in the analysis panels.
The Request Summary panel displays brief information about the captured request, including the descriptive name of the IRP or URB, the target device object, the status of the operation for completed requests, and some other request-specific information.
USBlyzer is able to capture the IRP, IO_STACK_LOCATION and URB data structures associated with each request as it goes down and back up the driver stack. You can see the details in the IRP Details and URB Details panels.
The IRP Details panel shows the captured IRP data structure in detail. You can see the entire contents of the static part of the IRP along with the current I/O stack location, if any.
The URB Details panel shows the captured URB data structure in detail. You can see the entire contents of the URB.
USBlyzer also captures the data buffer, if any, associated with the request whenever it is transferred to or from a device. The transfer buffer is captured for control, bulk, interrupt and isochronous transfers and for some user-mode and kernel-mode I/O control requests.
The Raw Data panel shows the raw hex data of the transfer buffer content.
The Data Analysis panel shows the complete and detailed analysis for many request types.
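As an added example (not code from the USBlyzer page or product), here is the kind of decoding the Data Analysis panel performs on the Raw Data of a captured control transfer: the reply buffers of GET_DESCRIPTOR(DEVICE) and GET_DESCRIPTOR(CONFIGURATION) are parsed into the device identity and the interface class codes that decide which Windows driver binds to the device. The two buffers are constructed sample data with made-up vendor and product IDs, not a real capture.

```python
import struct

# Constructed sample buffers (made up for this example, not captured from a real device).
# DEVICE_DESC is the 18-byte reply to GET_DESCRIPTOR(DEVICE): vendor 0x1234, product 0x5678.
DEVICE_DESC = bytes.fromhex("12 01 00 02 00 00 00 08 34 12 78 56 00 01 01 02 00 01")
# CONFIG_DESC is the reply to GET_DESCRIPTOR(CONFIGURATION): configuration, interface,
# HID and endpoint descriptors back to back, as they arrive in one transfer buffer.
CONFIG_DESC = bytes.fromhex(
    "09 02 22 00 01 01 00 a0 32"   # bLength 9, type 2, wTotalLength 34, 1 interface
    "09 04 00 00 01 03 01 01 00"   # interface 0: class 3 (HID), boot subclass, keyboard
    "09 21 11 01 00 01 22 3f 00"   # class-specific HID descriptor
    "07 05 81 03 08 00 0a"         # endpoint 0x81 IN, interrupt, 8 bytes, 10 ms
)

DESC_DEVICE, DESC_CONFIGURATION, DESC_INTERFACE = 0x01, 0x02, 0x04


def parse_device_descriptor(buf: bytes) -> dict:
    """Decode the standard device descriptor; raise ValueError on a malformed buffer."""
    if len(buf) < 18:
        raise ValueError(f"device descriptor needs 18 bytes, got {len(buf)}")
    f = struct.unpack_from("<BBHBBBBHHHBBBB", buf)
    if f[0] != 18 or f[1] != DESC_DEVICE:
        raise ValueError("buffer is not a device descriptor")
    return {"bcdUSB": f[2], "bDeviceClass": f[3], "bMaxPacketSize0": f[6],
            "idVendor": f[7], "idProduct": f[8], "bcdDevice": f[9],
            "bNumConfigurations": f[13]}


def walk_descriptors(buf: bytes):
    """Yield (bDescriptorType, raw descriptor) for each descriptor in a buffer,
    refusing lengths that would run past the end (a truncated or corrupt capture)."""
    off = 0
    while off + 2 <= len(buf):
        length, dtype = buf[off], buf[off + 1]
        if length < 2 or off + length > len(buf):
            raise ValueError(f"bad descriptor length {length} at offset {off}")
        yield dtype, buf[off:off + length]
        off += length


def interface_classes(buf: bytes) -> list:
    """List (bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
    for every interface in a configuration descriptor set. The class triple is what
    tells you which driver Windows will load for the device (HID keyboard, storage...)."""
    if len(buf) < 9 or buf[:2] != bytes([9, DESC_CONFIGURATION]):
        raise ValueError("buffer does not start with a configuration descriptor")
    total = struct.unpack_from("<H", buf, 2)[0]
    if total > len(buf):  # host often requests only the first 9 bytes: not a full set
        raise ValueError(f"truncated configuration set: {len(buf)} of {total} bytes")
    return [(d[2], d[5], d[6], d[7]) for t, d in walk_descriptors(buf[:total])
            if t == DESC_INTERFACE and len(d) >= 9]
```

Comparing the interface classes a device reports against what the device is supposed to be (for example a storage stick that also exposes an interrupt HID interface) is a quick sanity check when reviewing a capture.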
The filter capability lets you control what is displayed after the data has been captured. The Filter dialog, available from the Edit->Filter Settings... menu, lets you specify the filter criteria.
Once you have specified the filter criteria, use the Edit->Apply Filter menu item or the corresponding toolbar button to apply the filter. The capture buffer is not altered and all captured data remain in memory; filtering just hides unwanted information from the analyzer view.
The search capability lets you search through thousands of captured requests to find the particular one that matches the search criteria. The Find dialog is available from the Navigate->Find... menu.
Once you have specified the search criteria, use the Prev and Next buttons to search back and forth. After you close the Find dialog, you can press F3 to search forward or Ctrl+F3 to search backward from the current location in the Capture List.
Now you can save the captured USB traffic data to a capture file for later analysis.