USB / PTP

Interface
D5100 camera is represented by USB bus device with product ID 0x0429 vendor ID 0x04B0 (Nikon) and release number 0x0100 and is USB 2.0 compatible. It acts as USB function and implements MTP/PTP protocol with 4 endpoints. Additionally DPS service is implemented on top of PTP that allow usage of PictBridge printer (which acts as USB host).

PTP / MTP Links

 * https://en.wikipedia.org/wiki/Picture_Transfer_Protocol
 * http://www.usb.org/developers/devclass_docs/usb_still_img10.pdf
 * https://en.wikipedia.org/wiki/Media_Transfer_Protocol
 * http://download.microsoft.com/download/f/1/3/f13df1a5-6ce4-4907-86a0-6ce5c3560639/MTP_Enhanced.exe
 * http://www.usb.org/developers/devclass_docs/MTP_1.0.zip
 * http://photopc.sourceforge.net/
 * http://www.gphoto.org/
 * http://www.camerahacker.com/Forums/SDK/
 * http://chdk.wikia.com/wiki/PTP_Extension
 * http://libptp.sourceforge.net/
 * http://magiclantern.wikia.com/wiki/PTP
 * http://magiclantern.wikia.com/wiki/Remote_control_with_PTP_and_Python

DPS / Pictbridge Links

 * http://www.cipa.jp/pictbridge/documents_e/WhitePaperE_Rev.2.0.pdf
 * http://www.uquest.co.jp/embedded/columns/PictBridge.pdf

Wireshark
Wireshark has built in USB capture and decode. Using current vanilla release of Wireshark you can only capture in Linux. Hopefully, on Windows XP and later you can use http://desowin.org/usbpcap to create PCAP file. Once you've created a PCAP file, you can do the analysis with Wireshark. Please note that you have to use patched version of Wireshark to analyse the file created by USBPcap. There is also a command line version of wireshark

Linux Host
From a Linux box you can capture USB packets directly using Wireshark. As of version 1.9.1 the PTP/MTP dissector is not part of the normal distribution. Please see Wireshark PTP Support for install / download details. This page has good details on the VMWare setup.

Once you have wireshark installed run Windows inside a Virtual machine such as VirtualBox or VMWare Player.

Windows Host
You can use Windows as a host when using VMWare as a guest. VMWare has a built in USB logging feature which you can convert into PCAP files using this conversion script http://esec-lab.sogeti.com/post/2011/04/06/Sniffing-USB-traffic-with-VMWare


 * https://blogs.msdn.com/b/usbcoreblog/archive/2009/12/04/etw-in-the-windows-7-usb-core-stack.aspx?Redirected=true
 * https://blogs.msdn.com/b/usbcoreblog/archive/2009/12/21/answering-the-question-what-s-wrong-with-my-device-using-usb-etw.aspx?Redirected=true
 * https://blogs.msdn.com/b/usbcoreblog/archive/2012/08/07/how-to-trace-usb-3-activity.aspx?Redirected=true

However, the script seems to be out of date, had to edit it slightly to get it to parse :

VMWare Analyzer
There is another open source utility that analyzes USB traffic from VMWare logs. There is no native PTP/MTP support.

http://vusb-analyzer.sourceforge.net/tutorial.html
 * Can record from Windows or Linux Host w/ Windows Slave
 * Analysis Tool seems to require Linux. On ubuntu I had to install the 'python-gnome2' package (http://dan3lmi.blogspot.com/2012/10/sniffing-usb-traffic-different.html)

Of course you could always create an Ubuntu virtual machine just for this or other hacking.

The system version is the same found on Source Forge. It appears to not parse the newest log files coming from VMWare Player. Instead there is a git version that does work for me at https://github.com/vpelletier/vusb-analyzer