15 lines
545 B
Markdown
15 lines
545 B
Markdown
# Wireshark
|
|
|
|
## Extracting USB Keystrokes
|
|
|
|
* Data between USB devices and the host can be filtered via tshark in order to display just the payload, e.g. keystrokes in the following way
|
|
```sh
|
|
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and! (usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
|
|
```
|
|
|
|
* A lookup table is needed to [convert the USBHID data to ASCII values](https://gist.github.com/ImAnEnabler/091a9e1ee2d6a0805408e009e2f4a2b5)
|
|
```
|
|
python keystrokedecoder.py output.txt
|
|
```
|
|
|