Capturing USB traffic with Wireshark (Catalina)

A related thread in this forum shows that the USB hubs are exposed as interfaces that can be brought up and down with the ifconfig utility. However, it seems that these interfaces are no longer available in Catalina.


Has something fundamentally changed with Catalina that would break USB captures? Is there another known method for enabling these interfaces in such a way that Wireshark will recognize them? Maybe a new system policy setting ... ?

I’m not a USB expert, but this loss of functionality is a worry so I discussed it with my colleagues who are. It seems that this support is now disabled by default. To get it back, you have to disable SIP. See System Integrity Protection Guide for instructions on doing that.

IMPORTANT It’s best to avoid disabling SIP on computers you care about. My recommendation is that you keep SIP enabled on your main computer and do this work on a ‘victim’ machine.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

OK. Thanks for your reply. That certainly clears things up. I will give it a try, and while not ideal, it's good that it's possible to get this functionality back. Perhaps it would be possible to have a "csrutil" flag like the enable dtrace option etc.


Many thanks for investigating this.


Celso

Perhaps it would be possible to have a csrutil flag …

If you want to get this request in front of the people who have the power to actually make changes, you should file an enhancement request.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I will do.


Many thanks. Celso

As promised, here is the bug ID: FB7429319


Celso

Is there any update on FB7429319? Will this get implemented in some future update?

Is there any update on FB7429319?

Nothing to report, alas.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I also filed a report on this, referring to the one above.

I filed a report as well, because for obvious reasons completely disabling SIP is not an option on production machines. Bug ID FB8326129

Has anyone tried if this still works in Mojave or Big Sur?

This does work in Big Sur, just make sure you reboot completely after doing csrutil disable in recovery mode. You can use csrutil status to inquire the status when not in recovery mode.

Ultimately I'm trying to capture enough information to understand why I keep getting current over-limit warnings from external Seagate self-powered drives connected through a powered USB hub:

[ 951.004175]: 000951.004174 AppleUSB30HubPort@14814300: AppleUSBHostPort::interruptOccurred: overcurrent detected with port status 0x4000, localSimulatedInterrupts = 0x1
[ 951.092063]: 000951.092062 AppleUSB20HubPort@14114300: AppleUSBHostPort::interruptOccurred: overcurrent detected with port status 0x0, localSimulatedInterrupts = 0x1


I also put in a bug report: FB14365299
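
The preflight check described in the thread (confirm the SIP state with csrutil status, then look for the USB capture interfaces in the ifconfig list), as an added example that is not part of any post above. It assumes the usual wording of csrutil status output and that the capture interfaces are named XHC followed by a number (for example XHC20); neither detail is stated in the thread.

```shell
#!/bin/sh
# Added example: preflight check before a USB capture on macOS.

# Classify the text printed by `csrutil status` (read from stdin).
# Prints one of: enabled, disabled, custom, unknown.
# Assumption: the status line reads "System Integrity Protection status: ...".
sip_state() {
    status_line=$(grep -i 'System Integrity Protection status:' | head -n 1)
    case "$status_line" in
        *"Custom Configuration"*) echo custom ;;
        *"status: enabled"*)      echo enabled ;;
        *"status: disabled"*)     echo disabled ;;
        *)                        echo unknown ;;
    esac
}

# Pick USB capture interfaces out of `ifconfig -l` output (read from stdin).
# Assumption: they are named XHC<number>, e.g. XHC20.
usb_capture_ifaces() {
    tr ' ' '\n' | grep -E '^XHC[0-9]+$' | tr '\n' ' ' | sed 's/ $//'
}

# Summarise whether a capture can start. $1 = SIP state, $2 = interface list.
preflight() {
    if [ -n "$2" ]; then
        echo "ready: bring up one of [$2] with ifconfig, then select it in Wireshark"
    elif [ "$1" = enabled ]; then
        echo "blocked: SIP is enabled and no USB capture interface is exposed"
    else
        echo "missing: SIP state is '$1' but no USB capture interface was found; reboot fully and re-check"
    fi
}

# Only runs on a machine that has csrutil (macOS); does nothing elsewhere.
if command -v csrutil >/dev/null 2>&1; then
    state=$(csrutil status | sip_state)
    ifaces=$(ifconfig -l | usb_capture_ifaces)
    preflight "$state" "$ifaces"
fi
```

The same sip_state function can be run across a fleet to flag machines where SIP was left disabled after a capture session.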
