v0.5
USB Capture
Capture traffic sent via Universal Serial Bus (USB) protocol
Live Capture
USB live capture is now possible, currently the following Audit Records exist: USB and USBRequestBlockSetup.
To capture USB traffic live on macOS, install wireshark and bring up the USB interface:
1
$ sudo ifconfig XHC20 up
Copied!
Now attach netcap and set baselayer to USB:
1
$ net.cap -iface XHC20 -base usb
Copied!
Offline from dumpfile
To read offline USB traffic from a PCAP file use:
1
$ net.cap -r usb.pcap -base usb
Copied!
Don't forget to set the -payload flag if you want to preserve the data being transmitted!
Audit Records
The USB and USBRequestBlockSetup audit records contain the following fields:
1
message USB {
2
string Timestamp = 1;
3
uint64 ID = 2;
4
int32 EventType = 3;
5
int32 TransferType = 4;
6
int32 Direction = 5;
7
int32 EndpointNumber = 6;
8
int32 DeviceAddress = 7;
9
int32 BusID = 8;
10
int64 TimestampSec = 9;
11
int32 TimestampUsec = 10;
12
bool Setup = 11;
13
bool Data = 12;
14
int32 Status = 13;
15
uint32 UrbLength = 14;
16
uint32 UrbDataLength = 15;
17
uint32 UrbInterval = 16;
18
uint32 UrbStartFrame = 17;
19
uint32 UrbCopyOfTransferFlags = 18;
20
uint32 IsoNumDesc = 19;
21
bytes Payload = 20;
22
}
23
​
24
message USBRequestBlockSetup {
25
string Timestamp = 1;
26
int32 RequestType = 2;
27
int32 Request = 3;
28
int32 Value = 4;
29
int32 Index = 5;
30
int32 Length = 6;
31
}
Copied!
�
Last modified 2yr ago
Copy link