  • USBPcap Capture Format Description

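    USBPcap is an open-source USB packet capture tool. This article describes the data format of the USB packets that USBPcap captures.

    Basic data types

    USBPcap uses the following basic data types: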

    UCHAR   - 8 bit unsigned value
    USHORT  - 16 bit unsigned value
    UINT32  - 32 bit unsigned value
    UINT64  - 64 bit unsigned value
    ULONG   - 64 bit unsigned value
    USBD_STATUS - 32 bit unsigned value

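    Note that all data transferred over USB is little-endian; multi-byte values must be read from right to left.

    Base packet header

    USB packets use one of the following transfer types: control, interrupt, isochronous, and bulk.

    USBPcap has a different packet header for each transfer type, but all of these headers contain a common base packet header. The base packet header is defined as follows: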

    #pragma pack(1)
    typedef struct
    {
        USHORT       headerLen; /* This header length */
        UINT64       irpId;     /* I/O Request packet ID */
        USBD_STATUS  status;    /* USB status code (on return from host controller) */
        USHORT       function;  /* URB Function */
        UCHAR        info;      /* I/O Request info */
    
        USHORT       bus;       /* bus (RootHub) number */
        USHORT       device;    /* device address */
        UCHAR        endpoint;  /* endpoint number and transfer direction */
        UCHAR        transfer;  /* transfer type */
    
        UINT32       dataLength;/* Data length */
    } USBPCAP_BUFFER_PACKET_HEADER, *PUSBPCAP_BUFFER_PACKET_HEADER;

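    Transfer-specific headers

    Every transfer-specific header inherits the base packet header, which sits at the start of the transfer-specific header; next come any transfer-specific fields stored in the header (if there are any); last comes the transferred data.

    The transfer types are defined as follows:

    #define USBPCAP_TRANSFER_ISOCHRONOUS    0    /* isochronous transfer */
    #define USBPCAP_TRANSFER_INTERRUPT      1    /* interrupt transfer */
    #define USBPCAP_TRANSFER_CONTROL        2    /* control transfer */
    #define USBPCAP_TRANSFER_BULK           3    /* bulk transfer */

    The USBPcap packet header definitions for the individual transfer types follow.

    Isochronous transfer header (USBPCAP_TRANSFER_ISOCHRONOUS)

    The packet header for isochronous transfers has the type USBPCAP_BUFFER_ISOCH_HEADER, defined as follows: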

    /* Note about isochronous packets:
     *   packet[x].length, packet[x].status and errorCount are only relevant
     *   when USBPCAP_INFO_PDO_TO_FDO is set
     *
     *   packet[x].length is not used for isochronous OUT transfers.
     *
     * Buffer data is attached to:
     *   * for isochronous OUT transactions (write to device)
     *       Requests (USBPCAP_INFO_PDO_TO_FDO is not set)
     *   * for isochronous IN transactions (read from device)
     *       Responses (USBPCAP_INFO_PDO_TO_FDO is set)
     */
    #pragma pack(1)
    typedef struct
    {
        ULONG        offset;
        ULONG        length;
        USBD_STATUS  status;
    } USBPCAP_BUFFER_ISO_PACKET, *PUSBPCAP_BUFFER_ISO_PACKET;
    
    #pragma pack(1)
    typedef struct
    {
        USBPCAP_BUFFER_PACKET_HEADER  header;
        ULONG                         startFrame;
        ULONG                         numberOfPackets;
        ULONG                         errorCount;
        USBPCAP_BUFFER_ISO_PACKET     packet[1];
    } USBPCAP_BUFFER_ISOCH_HEADER, *PUSBPCAP_BUFFER_ISOCH_HEADER;

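    Interrupt transfer header (USBPCAP_TRANSFER_INTERRUPT)

    The packet header for interrupt transfers is exactly USBPCAP_BUFFER_PACKET_HEADER, with no additional fields.

    Control transfer header (USBPCAP_TRANSFER_CONTROL)

    The packet header for control transfers has the type USBPCAP_BUFFER_CONTROL_HEADER, defined as follows: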

    /* USBPcap versions before 1.5.0.0 recorded control transactions as two
     * or three pcap packets:
     *   * USBPCAP_CONTROL_STAGE_SETUP with 8 bytes USB SETUP data
     *   * Optional USBPCAP_CONTROL_STAGE_DATA with either DATA OUT or IN
     *   * USBPCAP_CONTROL_STAGE_STATUS without data on IRP completion
     *
     * Such capture was considered unnecessary complex. Due to that, since
     * USBPcap 1.5.0.0, the control transactions are recorded as two packets:
     *   * USBPCAP_CONTROL_STAGE_SETUP with 8 bytes USB SETUP data and
     *     optional DATA OUT
     *   * USBPCAP_CONTROL_STAGE_COMPLETE without payload or with the DATA IN
     *
     * The merit behind this change was that Wireshark dissector, since the
     * very first time when Wireshark understood USBPcap format, was really
     * expecting the USBPCAP_CONTROL_STAGE_SETUP to contain SETUP + DATA OUT.
     * Even if Wireshark version doesn't recognize USBPCAP_CONTROL_STAGE_COMPLETE
     * it will still process the payload correctly.
     */
    #define USBPCAP_CONTROL_STAGE_SETUP    0
    #define USBPCAP_CONTROL_STAGE_DATA     1
    #define USBPCAP_CONTROL_STAGE_STATUS   2
    #define USBPCAP_CONTROL_STAGE_COMPLETE 3
    
    #pragma pack(1)
    typedef struct
    {
        USBPCAP_BUFFER_PACKET_HEADER  header;
        UCHAR                         stage;  /* Determines the control transfer stage */
    } USBPCAP_BUFFER_CONTROL_HEADER, *PUSBPCAP_BUFFER_CONTROL_HEADER;

    Bulk transfer header (USBPCAP_TRANSFER_BULK)

    The packet header for bulk transfers is exactly USBPCAP_BUFFER_PACKET_HEADER, with no additional fields.
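
    The following parser is an added example, not code from USBPcap or from the original article: it decodes the packed base header and the control `stage` byte from an untrusted capture record byte by byte, and rejects records whose `headerLen` or `dataLength` do not fit the bytes actually present. The names `usbpcap_rec`, `usbpcap_parse`, `le` and `SAMPLE` are introduced here, and the sample record is constructed. It assumes `headerLen` covers the base header plus any transfer-specific fields; isochronous-specific fields are skipped, not decoded.

```c
#include <stddef.h>
#include <stdint.h>
#define BASE_HDR_LEN 27u             /* packed size of USBPCAP_BUFFER_PACKET_HEADER */
#define USBPCAP_TRANSFER_CONTROL 2

typedef struct {                     /* decoded record; a type introduced for this example */
    uint16_t headerLen, function, bus, device;
    uint64_t irpId;
    uint32_t status, dataLength;
    uint8_t  info, endpoint, transfer;
    int      stage;                  /* control stage, -1 for other transfer types */
    const uint8_t *payload;          /* points into the caller's buffer */
} usbpcap_rec;

/* Constructed sample: control SETUP record, 28-byte header + 8 bytes of SETUP data. */
const uint8_t SAMPLE[36] = {
    0x1c,0x00, 1,2,3,4,5,6,7,8, 0,0,0,0, 0x08,0x00, 0x00,
    0x01,0x00, 0x02,0x00, 0x80, 0x02, 0x08,0,0,0, 0x00,
    0x80,0x06,0x00,0x01,0x00,0x00,0x12,0x00 };

static uint64_t le(const uint8_t *p, size_t n) {   /* little-endian read, n <= 8 */
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Returns 0 on success, <0 when the record is truncated or inconsistent. */
int usbpcap_parse(const uint8_t *buf, size_t len, usbpcap_rec *r) {
    if (len < BASE_HDR_LEN) return -1;             /* base header truncated */
    r->headerLen  = (uint16_t)le(buf, 2);
    r->irpId      = le(buf + 2, 8);
    r->status     = (uint32_t)le(buf + 10, 4);
    r->function   = (uint16_t)le(buf + 14, 2);
    r->info       = buf[16];
    r->bus        = (uint16_t)le(buf + 17, 2);
    r->device     = (uint16_t)le(buf + 19, 2);
    r->endpoint   = buf[21];
    r->transfer   = buf[22];
    r->dataLength = (uint32_t)le(buf + 23, 4);
    size_t need = BASE_HDR_LEN + (r->transfer == USBPCAP_TRANSFER_CONTROL ? 1u : 0u);
    if (r->headerLen < need || r->headerLen > len) return -2;  /* header does not fit */
    if (r->dataLength > len - r->headerLen) return -3;         /* payload overruns record */
    r->stage   = (r->transfer == USBPCAP_TRANSFER_CONTROL) ? buf[27] : -1;
    r->payload = buf + r->headerLen;
    return 0;
}

int main(void) { usbpcap_rec r; return usbpcap_parse(SAMPLE, sizeof SAMPLE, &r); }
```

    Reading each field at its packed offset avoids casting the buffer to a struct, so the result does not depend on compiler padding or host byte order.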

    Original source: https://desowin.org/usbpcap/captureformat.html

  • Original post: https://www.cnblogs.com/pyhou/p/13260745.html