USB Capture

Search…
USB Capture
Capture traffic sent via Universal Serial Bus (USB) protocol
Live Capture
USB live capture is now possible, currently the following Audit Records exist: USB and USBRequestBlockSetup.
To capture USB traffic live on macOS, install wireshark and bring up the USB interface:
$ sudo ifconfig XHC20 up
Now attach netcap and set baselayer to USB:
$ net.cap -iface XHC20 -base usb
Offline from dumpfile
To read offline USB traffic from a PCAP file use:
$ net.cap -r usb.pcap -base usb
Don't forget to set the -payload flag if you want to preserve the data being transmitted!
Audit Records
The USB and USBRequestBlockSetup audit records contain the following fields:
message USB {
    string      Timestamp                 = 1;
    uint64      ID                        = 2;
    int32       EventType                 = 3;
    int32       TransferType              = 4;           
    int32       Direction                 = 5;           
    int32       EndpointNumber            = 6;
    int32       DeviceAddress             = 7;
    int32       BusID                     = 8; 
    int64       TimestampSec              = 9; 
    int32       TimestampUsec             = 10;
    bool        Setup                     = 11;
    bool        Data                      = 12;
    int32       Status                    = 13;
    uint32      UrbLength                 = 14;
    uint32      UrbDataLength             = 15;
    uint32      UrbInterval               = 16;
    uint32      UrbStartFrame             = 17;
    uint32      UrbCopyOfTransferFlags    = 18;
    uint32      IsoNumDesc                = 19;
    bytes       Payload                   = 20;
}
​
message USBRequestBlockSetup {
    string Timestamp   = 1; 
    int32  RequestType = 2;
    int32  Request     = 3;
    int32  Value       = 4;
    int32  Index       = 5;
    int32  Length      = 6;
}
HTTP Proxy
Payload Capture
Last modified 2yr ago
Copy link
Outline
Live Capture
Offline from dumpfile
Audit Records