Skip to content

Instantly share code, notes, and snippets.

Last active December 7, 2020 22:39
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
USB HID Decoding Tips

HID USB Decoding


This is a guide on how you can decode existing USB devices and protocols.

Wireshark with USBPcap

Wireshark makes it possible to trace and capture raw data from USB Devices

Useful filters

Use Filter
Vendor ID usb.idVendor = 0x04d8
Product ID usb.idProduct
Source usb.src == "1.11.1"
Destination usb.dst == "1.11.1"
Data Length usb.data_len > 0
Source or Destiniation usb.addr matches "^1.4


If you find know the Vendor/Product ID you can filter in wiresharp like

usb.idVendor = 0x04d8

After that filter you can look at the source/destination ie. 1.10.0 and set your filter similar to below to see the data being exchanged

usb.addr matches "^1.10" && usb.data_len > 0

this will return all traffic with content while exclusing the HID control events.

Fuzzy matching (regex)

partial match on strings with regular expressions

usb.src matches "^1.11" || usb.dst matches "^1.11"

matching on partial data 00ff000000ffff000000[:3] == 00:ff:00

More examples


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment