第一次做usb数据分析,记录一下
http://www.beyondlogic.org/usbnutshell/usb4.shtml#Interrupt
对于 usbhid.data 字段:
第一字节为0x02或者0x20,表示shift键被按下。
第三字节为press key code(按下的键码),对照如下python代码。
解题思路是通过 Descriptor Response Device 包确定设备为 keyboard(键盘),查找 usb keyboard 的地址,然后用
tshark -r xxx.pcap -Y 'usb.src == "usb keyboard.addr"' -T fields -e usbhid.data | grep -v 0000000000000000 导出(dump)数据。
可以使用-T json查看完整数据包。
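#!/usr/bin/env python3
"""Turn USB HID keyboard reports exported by tshark back into the typed text.

Run this before the script:

    tshark -r access_cards.pcap -Y 'usb.src == "1.16.1"' -T fields -e usbhid.data | grep -v 0000000000000000 > data.dat

Every line of the resulting file is one report written as hex text, for
example `0200040000000000` (constructed sample: Shift held, key code 4).
Byte 0 holds the modifier bits and byte 2 holds the key code.
"""

# Name of the file that contains the HID data, one hex-encoded report per line.
file_name = "data.dat"

# Modifier bits in byte 0 that mean "Shift is held":
# 0x02 is the left Shift key, 0x20 the right Shift key.
SHIFT_MASK = 0x22

# Key code of the Caps Lock key; it toggles state instead of producing text.
CAPS_LOCK = 57

# Runs of consecutive key codes: (first key code, unshifted, shifted).
_KEY_RUNS = (
    (4, "abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    (30, "1234567890", "!@#$%^&*()"),
    (45, "-=[]\\", "_+{}|"),
    (51, ";'`,./", ':"~<>?'),
    # Keypad keys are not affected by Shift in this table.
    (84, "/*-+", "/*-+"),
    (89, "1234567890.", "1234567890."),
)

# Keys that are rendered as a label; the label is the same with and without Shift.
_NAMED_KEYS = {
    40: "Enter",
    41: "esc",
    42: "del",
    43: "tab",
    44: "space",
    57: "CapsLock",
    79: "RightArrow",
    80: "LeftArrow",
    88: "Enter",
}

# This should cover the most common key codes.
# MappingN: key code -> text without Shift; MappingS: key code -> text with Shift.
MappingN = {}
MappingS = {}
for _first, _plain, _shifted in _KEY_RUNS:
    for _offset, (_lo, _hi) in enumerate(zip(_plain, _shifted)):
        MappingN[_first + _offset] = _lo
        MappingS[_first + _offset] = _hi
for _code, _label in _NAMED_KEYS.items():
    MappingN[_code] = MappingS[_code] = _label
# NOTE(review): the HID usage tables list code 50 as "Non-US # and ~"; the
# blank is kept from the original table -- confirm against the keyboard layout.
MappingN[50] = MappingS[50] = " "


def decode_reports(lines):
    """Return the text typed in *lines*, an iterable of hex-encoded reports.

    Lines that are too short, are not valid hex, or carry a key code that is
    missing from the mapping tables are skipped: the input is tool output
    derived from a capture, so a malformed or unexpected line must not abort
    the analysis.
    """
    capslock = False  # Caps Lock is assumed to be off when the capture starts
    typed = []
    for raw in lines:
        # Some tshark versions print the bytes separated by colons.
        report = raw.strip().replace(":", "")
        if len(report) < 6:
            continue
        try:
            modifiers = int(report[0:2], 16)
            code = int(report[4:6], 16)
        except ValueError:
            continue
        # Membership test instead of a 4..99 range check: the table has gaps
        # (58-78, 81-83) that would otherwise raise KeyError.
        if code not in MappingN:
            continue
        if code == CAPS_LOCK:
            capslock = not capslock
            continue
        # Only the two Shift bits count; Ctrl/Alt/GUI must not act as Shift.
        shift = bool(modifiers & SHIFT_MASK)
        if MappingN[code].isalpha():
            # Letters: Caps Lock and Shift cancel each other out.
            use_shifted = capslock != shift
        else:
            # Other characters ignore Caps Lock, e.g. 01234#/
            use_shifted = shift
        typed.append((MappingS if use_shifted else MappingN)[code])
    return "".join(typed)


if __name__ == "__main__":
    with open(file_name, encoding="ascii", errors="replace") as f:
        print(decode_reports(f))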