In a previous blog article "CCID USB spy using Wireshark" I documented how to use Wireshark to analyse USB CCID packets.
It is also possible to continue the packet decoding to show ISO 7816-4 format commands.
Raw USB packetsBy default you will get USB packets.
CCID packetsEnable the USBCCID decoder in the Wireshark menu Analyze -> Decode as...
00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00
ISO 7816 commandsNow enable the ISO 7816 decoder.
00 a4 04 00 0b a0 00 00 03 97 43 49 44 5f 01 00is a "Select file" (the second byte, INS byte, is 0xA4)
LimitationsNot all the CCID packets are decoded.
For example the Secure command (0x69) is not (yet) decoded.
This CCID Secure command is used with a pinpad reader to make the user enter its PIN code in the pinpad and not on the computer keyboard. See here for a list of pinpad readers working with my CCID driver.
The Secure command uses parameters to set the PIN padding, the messages displayed to the user, the min and max PIN lengths, the validation conditions and some other parameters. Not all pinpad readers support the same set of parameters so the situation is complex.
Windows supportIn my previous article "CCID USB spy using Wireshark" I make the USB trace acquisition on a GNU/Linux system.
This time I made the capture on Windows, saved the file on disk (.pcapng format) and used Wireshark on macOS to study the file. Yes, I prefer to NOT use Windows as much as possible.
So whatever the system you are using (GNU/Linux, macOS or Windows, and maybe others) Wireshark can help you.