USB Capture
Capture traffic sent via Universal Serial Bus (USB) protocol
USB live capture is now possible, currently the following Audit Records exist: USB and USBRequestBlockSetup.
To capture USB traffic live on macOS, install wireshark and bring up the USB interface:
$ sudo ifconfig XHC20 up
Now attach netcap and set baselayer to USB:
$ net.cap -iface XHC20 -base usb
To read offline USB traffic from a PCAP file use:
$ net.cap -r usb.pcap -base usb
Don't forget to set the -payload flag if you want to preserve the data being transmitted!
The USB and USBRequestBlockSetup audit records contain the following fields:
message USB {string Timestamp = 1;uint64 ID = 2;int32 EventType = 3;int32 TransferType = 4;int32 Direction = 5;int32 EndpointNumber = 6;int32 DeviceAddress = 7;int32 BusID = 8;int64 TimestampSec = 9;int32 TimestampUsec = 10;bool Setup = 11;bool Data = 12;int32 Status = 13;uint32 UrbLength = 14;uint32 UrbDataLength = 15;uint32 UrbInterval = 16;uint32 UrbStartFrame = 17;uint32 UrbCopyOfTransferFlags = 18;uint32 IsoNumDesc = 19;bytes Payload = 20;}​message USBRequestBlockSetup {string Timestamp = 1;int32 RequestType = 2;int32 Request = 3;int32 Value = 4;int32 Index = 5;int32 Length = 6;}
�
Last updated 1 year ago