Wireshark
Extracting USB Keystrokes
- Traffic between USB devices and the host can be filtered with tshark so that only the payload (e.g. keystrokes) is displayed:
tshark -r keystrokes.pcapng -Y "usb.transfer_type==0x01 and frame.len==35 and !(usb.capdata == 00:00:00:00:00:00:00:00)" -T fields -e usbhid.data > output.txt
- A lookup table is needed to convert the USB HID data to ASCII values:
python keystrokedecoder.py output.txt
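The lookup step, as an added example: this is not the keystrokedecoder.py referenced above, whose contents are not shown on this page. It assumes 8-byte boot-protocol keyboard reports, one hex string per line (with or without colon separators), a US layout, and it ignores Caps Lock; the names `KEYMAP` and `decode_reports` are hypothetical.

```python
"""Decode 8-byte USB HID boot-keyboard reports (one hex string per line)."""
import string
import sys

# HID Usage Tables, Keyboard/Keypad page 0x07: usage ID -> (plain, shifted), US layout
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1E + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " ")})
KEYMAP.update({0x2D + i: p for i, p in enumerate(zip("-=[]\\", "_+{}|"))})
KEYMAP.update({0x33 + i: p for i, p in enumerate(zip(";'`,./", ":\"~<>?"))})
SHIFT_BITS = 0x22   # left shift (0x02) | right shift (0x20) in the modifier byte
BACKSPACE = 0x2A

def decode_reports(lines):
    """Return the text typed, given an iterable of hex report strings."""
    out, held = [], set()
    for line in lines:
        try:
            report = bytes.fromhex(line.strip().replace(":", ""))
        except ValueError:
            continue                      # not hex: skip the line
        if len(report) != 8:
            continue                      # not a boot-protocol keyboard report
        shifted = 1 if report[0] & SHIFT_BITS else 0
        keys = [k for k in report[2:] if k > 0x03]   # 0x00 empty, 0x01-0x03 errors
        for k in keys:
            if k in held:
                continue                  # still held from the previous report
            if k == BACKSPACE:
                if out:
                    out.pop()
            elif k in KEYMAP:
                out.append(KEYMAP[k][shifted])
        held = set(keys)
    return "".join(out)

# Constructed sample reports (not from a real capture): types "Hi", a stray "j"
# while "i" is still held, a backspace, then "!".
SAMPLE = ["0200000000000000", "02000b0000000000", "0000000000000000",
          "00000c0000000000", "00000c0d00000000", "0000000000000000",
          "00002a0000000000", "0000000000000000", "02:00:1e:00:00:00:00:00"]

if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    print(decode_reports(lines))
```

Run without arguments it decodes the constructed sample; given a file such as output.txt it decodes that instead.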