USB sniffer for Windows 98, 98SE, 2000 and Windows XP

Programs Speedtouch Project Snoopy Project eciadsl Project The bread recipe Source Mage BeOS My resume My blog Notes Donation
Speedtouch Project
Snoopy Project
eciadsl Project
The bread recipe
Source Mage
My resume
My blog
en fr

Use of the USB sniffer

Benoît Papillault, 2003-05-21


This documentation is about the 1.8 version of the USB sniffer. This software is put under the GPL license and downloadable on this web site. This version is working with Windows 98, Windows 98 SE, Windows 2000 and Windows XP. This version may work with other versions of Windows, but has not been tested. This version no longer use the tool dbgview.exe, which was used in earlier versions.

By reading this document, you should be able to record USB exchanges between a USB device and your Windows system (more exactly, with the driver of your USB device). You can find a detailed description of the USB protol of the web site:


The USB sniffer is released under either source code form or precompiled binary form. In the case you are using the source code, once compiled, you will get the binary executable whose name is SniffUSB.exe. In the case of a precompiled binary, you need to download a .zip file which will contains this very same binary.

There is no specific install procedure. You just need to copy the file SniffUSB.exe in a directory of your choice.

First use

The file SniffUSB.exe contains driver which will be installed according to your system when you run SniffUSB.exe for the first time.

First of all, the USB sniffeur will display a message with the detected system. In fact, a different driver is used for Windows 2000/XP on one side and for Windows 98 on the other side.

System detection

A dialog box will ask you for confirmation before copying the file usbsnoop.sys into your system directory (more exactly, this directory is c:\windows\system32\drivers). Once the file has been copied, a dialog box will inform you that the copy has been successfull.

Confirmation dialog

Copy successfull

Selection of the USB device

The USB sniffer application is dialog based. In the center, a list of USB device known to Windows is displayed (not all those USB device may be present). In order to accomodate for a variable number of USB device present in your system, the dialog box can be resized at will. As USB devices are designed to be plugged in and plugged out at any moment, the dialog box content is updated once a second.

Main dialog

To select the USB device you want to sniff, you have to select the coresponding line and press the Install button. From now on, the recording of USB exchanges between this USB device and the system will be activated as soon as the device is plugged in.

Starting the recording

In practice, you can start recording in either two ways:
  • software way

    This is an experimental method, but if it's working, its advantage is to avoid to move to get the selected USB cable and plugged it out and in again. To use this method, you need to press the Replug button (maybe you need to press it twice).

  • hardware way

    This method is the only reliable method. To use this method, you need to unplug and replug the selected USB device.

When the recording starts, the field Log size should increment. A -1 value means that the log file is absent.

Stopping the recording

To stop recording, you need to:
  • Select the USB device
  • Press the Uninstall button
  • Unplug the USB device or press the Replug button. This later point is not reliable as said in the previous paragraph.
The size of the log file should stop incrementing.

Reading the log file

To read the log file, press the View button. This will automatically launch the program associated with the .log extension. The author's advice is to associate this extension to GNU Emacs editor.

Deleting the log file

The log file take a huge amount of disk space and, moreover, this file is created inside the windows directory (the exact file name appears in the field Log filename). To delete it, just press the Delete button.
Valid XHTML 1.0! CSS Valide !
Benoît Papillault