2026-06-02

Wireshark USB Filters: Finding the Right Device with USBPcap, usbmon, and BusScope

How to filter USB captures by device, endpoint, transfer type, setup packet, interface, and timing when USBPcap or usbmon captures too much traffic.

wireshark usb filter, usbpcap, usbmon, usb capture, usb diagnostics

USB captures can become overwhelming fast. A machine may have a keyboard, mouse, webcam, Bluetooth adapter, storage device, serial adapter, security key, and internal hub active at the same time. When users search for "Wireshark USB filter", "USBPcap filter device", "usbmon filter endpoint", or "how to find my USB device in capture", they usually have the same problem: the capture contains too much traffic and not enough structure.

BusScope is built to make USB inspection more direct, but understanding the filtering problem is still useful. Whether the capture comes from USBPcap on Windows, usbmon on Linux, or another USB capture source, the key is to identify the device and then narrow the trace by address, endpoint, transfer type, and control request.

Start with enumeration

The easiest way to identify a USB device is to capture from plug-in. Enumeration contains descriptors that name the device, vendor ID, product ID, configurations, interfaces, endpoints, and class-specific details.

Look for:

  • Vendor ID
  • Product ID
  • Device descriptor
  • Configuration descriptor
  • Interface descriptors
  • Endpoint descriptors
  • String descriptors
  • SET_ADDRESS
  • SET_CONFIGURATION

If you start capture after the device is already running, you may only see endpoint traffic without the descriptor context. That makes filtering harder because endpoint numbers alone are not enough.

Device address can change

USB device addresses are assigned by the host during enumeration. If the device disconnects and reconnects, the address may change. A filter that worked for the first connection may miss the second connection.

This matters when debugging reset loops. If a device re-enumerates repeatedly, you may need to track multiple addresses in one capture. The product/vendor descriptors reveal that those addresses belong to the same physical device.

BusScope can help keep that relationship visible instead of forcing you to mentally stitch together address changes.

Filter by endpoint

After configuration, most data traffic uses endpoints. Endpoint zero is control. Other endpoints may be bulk, interrupt, or isochronous.

Common endpoint meanings:

  • 0x00: control OUT on endpoint zero
  • 0x80: control IN on endpoint zero
  • 0x81: endpoint 1 IN
  • 0x01: endpoint 1 OUT
  • 0x82: endpoint 2 IN
  • 0x02: endpoint 2 OUT

The direction bit matters. 0x81 and 0x01 are not the same endpoint direction. A serial adapter, for example, may use one bulk OUT endpoint for host-to-device data and one bulk IN endpoint for device-to-host data.

Endpoint filters are useful after you already know which endpoint carries the traffic you care about.

Filter by transfer type

Different USB problems live in different transfer types:

  • Control transfers: descriptors, configuration, class requests, vendor commands.
  • Bulk transfers: storage, serial data, vendor data, many capture devices.
  • Interrupt transfers: HID input, status notifications, low-latency reports.
  • Isochronous transfers: audio, video, time-sensitive streaming.

If a USB serial device opens but sends no data, inspect control transfers for line coding and control line state, then bulk endpoints for payload. If a webcam starts but video is corrupt, inspect isochronous transfers and alternate settings. If a HID device misbehaves, inspect interrupt transfers and report descriptors.

Filtering by transfer type reduces noise while keeping the relevant class of evidence.

Filter by setup packet

Control transfers include setup packets. Setup packets are extremely useful because they identify request direction, type, recipient, request code, value, index, and length.

Important examples include:

  • GET_DESCRIPTOR
  • SET_ADDRESS
  • SET_CONFIGURATION
  • SET_INTERFACE
  • CLEAR_FEATURE
  • HID GET_REPORT
  • HID SET_REPORT
  • CDC SET_LINE_CODING
  • CDC SET_CONTROL_LINE_STATE
  • Vendor-specific commands

When a device fails during setup, the setup packet often tells you exactly which request triggered the problem.

USBPcap capture selection on Windows

On Windows, USBPcap captures from USB host controllers. If a machine has multiple controllers, choosing the wrong one may produce a capture with no target device traffic.

A practical workflow:

  1. Unplug the target device.
  2. Start capture on the likely controller.
  3. Plug in the device.
  4. Look for enumeration descriptors.
  5. If nothing appears, try another controller capture.
  6. Once the device is found, keep the capture around as a reference.

BusScope's value is to make this workflow less opaque: the target is the USB device conversation, not just a huge packet list.

usbmon capture on Linux

On Linux, usbmon exposes USB bus traffic. The bus number matters. A device listed as Bus 003 Device 012 belongs to bus 3 at that moment. After reconnect, the device number may change.

The most useful capture starts before plug-in, because enumeration reveals the device identity. If permission blocks capture, solve that first; otherwise you may only see application-level failure and never see USB evidence.

Common filtering mistakes

Avoid these mistakes:

  • Filtering only after the failure, missing enumeration.
  • Assuming device address is stable across reconnects.
  • Confusing endpoint direction.
  • Ignoring endpoint zero control traffic.
  • Looking only at payload packets and missing class requests.
  • Treating all vendor-specific requests as noise.
  • Filtering out resets and errors too early.
  • Ignoring the hub and port context.

A clean filter is useful only if it preserves the failure.

What to keep in an investigation capture

For a report you can share with a firmware, driver, or QA team, keep:

  • The initial enumeration.
  • The target device descriptors.
  • The configuration and interface selected by the host.
  • The class or vendor-specific requests before failure.
  • The endpoint traffic involved in the failure.
  • The reset, stall, timeout, or disconnect event.
  • Enough timing context to show whether the failure is immediate, idle-related, or load-related.

That evidence is stronger than a screenshot of "device not recognized."

Final diagnosis

USB filtering is not just about hiding noise. It is about preserving the packet sequence that explains the failure. Start from enumeration, identify the device, follow address changes, narrow by endpoint and transfer type, and keep control requests visible.

BusScope is meant to support that workflow: find the real USB conversation quickly, then inspect the bus-level evidence that explains why the device works, stalls, resets, or disappears.