USB Capture
Capture traffic sent via Universal Serial Bus (USB) protocol
USB live capture is now possible, currently the following Audit Records exist: USB and USBRequestBlockSetup.
To capture USB traffic live on macOS, install wireshark and bring up the USB interface:
$ sudo ifconfig XHC20 up
Now attach netcap and set baselayer to USB:
$ net.cap -iface XHC20 -base usb
To read offline USB traffic from a PCAP file use:
$ net.cap -r usb.pcap -base usb
Don't forget to set the -payload flag if you want to preserve the data being transmitted!
The USB and USBRequestBlockSetup audit records contain the following fields:
message USB {
string Timestamp = 1;
uint64 ID = 2;
int32 EventType = 3;
int32 TransferType = 4;
int32 Direction = 5;
int32 EndpointNumber = 6;
int32 DeviceAddress = 7;
int32 BusID = 8;
int64 TimestampSec = 9;
int32 TimestampUsec = 10;
bool Setup = 11;
bool Data = 12;
int32 Status = 13;
uint32 UrbLength = 14;
uint32 UrbDataLength = 15;
uint32 UrbInterval = 16;
uint32 UrbStartFrame = 17;
uint32 UrbCopyOfTransferFlags = 18;
uint32 IsoNumDesc = 19;
bytes Payload = 20;
}
message USBRequestBlockSetup {
string Timestamp = 1;
int32 RequestType = 2;
int32 Request = 3;
int32 Value = 4;
int32 Index = 5;
int32 Length = 6;
}
�
Last modified 3yr ago