A question to maybe some who have worked extensively with WinUSB APIs or user mode USB drivers - Does anyone know if the WinUSB API or a user mode driver can be used as a passive observer of USB connections, capturing notification of interrupts, control requests, data transfers, etc. without interfering with other applications (such as iTunes) which would obviously require concurrent access to the device at the same time my application is monitoring the connection and displaying data on it?

Or do you pretty much have to write a kernel-mode filter driver and inject yourself in the USB stack in order to make that happen?

In the past, there have been a few credible options (libusb-win32 and usbsnoop to be specific) though both are built around the old DDK, not the Windows Driver Foundation, and are not really supported on a regular basis any more. I'm hesitant to build something significant around them, as a result.

+3  A: 

You must write a filter driver. There is no other way to intercept traffic generated by other devices. And you can use newer versions of the DDK, i.e. KMDF, for this task; it will make your life easier. But I think it will be cheaper and more effective just to get a hardware bus analyzer. There is a good overview by OSR here; you must be signed in to read this, but I strongly advise signing in anyway if you are going to do any kernel-mode development.

Ilya
A: 

The core usb drivers in win7 have ETW trace points so you can sniff traffic that way ( http://blogs.msdn.com/b/usbcoreblog/archive/2009/12/04/etw-in-the-windows-7-usb-core-stack.aspx ) but it is a bit kludgy and has some limitations like only tracing the first 32 bytes of each packet.

I have made a USB filter driver (KMDF) that is pretty easy to use (IMHO): http://code.google.com/p/busdog/

djp