Wireshark better at decoding CCID protocol

In 2014 I wrote CCID USB spy using Wireshark to show how to use Wireshark to dissect CCID frames. CCID is the protocol used to communicate to a USB smart card reader.

Some frames were not dissected correctly or not dissected at all so it was not easy to understand what was hapenning. In the present case the CCID frames Set Parameters and the reader answer were not dissected.

I submitted a Wireshark patch to allow the decoding of these CCID frames. My merge request is available at https://gitlab.com/wireshark/wireshark/-/merge_requests/8994 and has been merged upstream.

Before

Using Wireshark 4.0.6 from Debian 12 bookworm (Debian stable when I write this) I have:

  • for the command PC_to_RDR_SetParameters sent to the reader:

/images/2023/08/wireshark_before1.png

The data in abProtocolDataStructure (5 bytes in this case) are displayed as an hex dump (Data: 1100000a00). But you do not get more information.

  • for the answer RDR_to_PC_Parameters from the reader:

/images/2023/08/wireshark_before2.png

Here the data in abProtocolDataStructure are not even displayed in hex.

After

You need to use the development release 4.1.0 of Wireshark to have my patch included. I will use the macOS version of Wireshark just because I can. You then have (for the same USB traffic dump):

  • for the command PC_to_RDR_SetParameters sent to the reader:

/images/2023/08/wireshark_after1.png

The 5 bytes of abProtocolDataStructure are dissected.

Protocol Data Structure for Protocol T=0
    Fi/Di selecting clock rate: 0x11
    Convention used: 0x00
    Extra Guardtime between two characters: 0x00
    WI for T= 0 used to define WWT: 0x0a
    ICC Clock Stop Support: 0x00
  • for the answer RDR_to_PC_Parameters from the reader:

/images/2023/08/wireshark_after2.png

Again the 5 bytes of abProtocolDataStructure are also dissected.

In this case the 5 bytes are identical in the command and the answer since the reader replies with what is acceptable for it.

Conclusion

I used Wireshark to study the USB CCID communication on Windows. I needed to have the PC_to_RDR_SetParameters dissected to know what the Windows driver was sending as configuration.

It was my first Wireshark patch and merge request. The code was easier to modify than I planned. Great Free Software programs are easy to modify and that is a real pleasure to work with such Free Software projects. I could not have done that with a proprietary software.