NETCAP
OverviewGitHubHomepageGoDoc
v0.5
v0.5
  • Overview
  • Audit Records
  • Specification
  • Installation
    • Kali Linux
  • Quickstart
  • Configuration
  • Bash Completion
  • Packet Collection
  • Audit Record Labeling
  • HTTP Proxy
  • USB Capture
  • Payload Capture
  • Distributed Collection
  • Workers
  • Filtering and Export
  • Data Compression
  • Internals
  • Metrics
  • Resolvers
  • TLS Fingerprinting
  • Reassembly
  • Deep Packet Inspection
  • Live Capture
  • Maltego Integration
  • Logging
  • Packet Contexts
  • Industrial Control Systems
  • File Extraction
  • Email Extraction
  • Device Profiles
  • Python Integration
  • Changelog
  • Troubleshooting
  • Unit Tests
  • Extension
  • Downloads
  • Docker Containers
  • FAQ
  • Contributing
  • License
Powered by GitBook
On this page
  • Live Capture
  • Offline from dumpfile
  • Audit Records

USB Capture

Capture traffic sent via Universal Serial Bus (USB) protocol

Live Capture

USB live capture is now possible, currently the following Audit Records exist: USB and USBRequestBlockSetup.

To capture USB traffic live on macOS, install wireshark and bring up the USB interface:

$ sudo ifconfig XHC20 up

Now attach netcap and set baselayer to USB:

$ net.cap -iface XHC20 -base usb

Offline from dumpfile

To read offline USB traffic from a PCAP file use:

$ net.cap -r usb.pcap -base usb

Don't forget to set the -payload flag if you want to preserve the data being transmitted!

Audit Records

The USB and USBRequestBlockSetup audit records contain the following fields:

message USB {
    string      Timestamp                 = 1;
    uint64      ID                        = 2;
    int32       EventType                 = 3;
    int32       TransferType              = 4;           
    int32       Direction                 = 5;           
    int32       EndpointNumber            = 6;
    int32       DeviceAddress             = 7;
    int32       BusID                     = 8; 
    int64       TimestampSec              = 9; 
    int32       TimestampUsec             = 10;
    bool        Setup                     = 11;
    bool        Data                      = 12;
    int32       Status                    = 13;
    uint32      UrbLength                 = 14;
    uint32      UrbDataLength             = 15;
    uint32      UrbInterval               = 16;
    uint32      UrbStartFrame             = 17;
    uint32      UrbCopyOfTransferFlags    = 18;
    uint32      IsoNumDesc                = 19;
    bytes       Payload                   = 20;
}

message USBRequestBlockSetup {
    string Timestamp   = 1; 
    int32  RequestType = 2;
    int32  Request     = 3;
    int32  Value       = 4;
    int32  Index       = 5;
    int32  Length      = 6;
}

PreviousHTTP ProxyNextPayload Capture

Last updated 5 years ago