Hi, I want to capture the USB traffic for my app running on High Sierra. I brought the if XHC20 up and can capture the traffic using Wireshark nightly builds. But I only see incoming traffic (from device to host) but not the other direction. Any ideas what is going wrong here?
Starting the IF:
> sudo ifconfig XHC20 up
After that I can select the IF in Wireshark and start capturing packets.
I can see incoming traffic from attached devices but not the outbound messages.
With macOS High Sierra you can use Wireshark to capture USB traffic. The interface needs to be manually brought up/down to enable/disable packet capture for the specific controller via ifconfig (where you can also see a list of available interfaces). I don’t believe there is a “released” version of Wireshark with this support yet but you can download a nightly build here: https://www.wireshark.org/download/automated/osx/.
The capture interfaces are named based on the underlying controller type followed by the bus number:
$ ifconfig
EHC26: flags=0<> mtu 0
XHC20: flags=0<> mtu 0
EHC29: flags=0<> mtu 0
+-o XHC1@14000000 <class AppleUSBXHCILPTH, id 0x10000029c, registered, matched, active, busy 0 (1179 ms), retain 128>
+-o EHC2@1a000000 <class AppleUSBEHCIPCI, id 0x1000002a4, registered, matched, active, busy 0 (400 ms), retain 80>
+-o EHC1@1d000000 <class AppleUSBEHCIPCI, id 0x1000002dd, registered, matched, active, busy 0 (330 ms), retain 80>
The format above is <name>@<location> where the most significant byte of the location is the bus number. For example, if the device you're interested in is connected to the XHCI controller XHC1@14000000 then you would enable packet capture via "sudo ifconfig XHC20 up" and disable via "sudo ifconfig XHC20 down". Once the interface is up then Wireshark will be able to capture/decode/filter USB traffic for that controller.
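The naming rule from the answer above, as an added shell example that is not part of the original thread: it reads ioreg-style controller entries (the three lines quoted in the post are embedded as sample input) and derives the capture interface name to pass to ifconfig. The function names are hypothetical, and dropping the trailing index from the controller name (XHC1 becomes XHC) is an assumption inferred from the three controllers listed in the post.

```shell
#!/bin/sh
# Added example (not from the thread): map <name>@<location> to a capture interface.
# Rule from the post: the most significant byte of <location> is the bus number.
# Assumption: controller type = name without its trailing index (XHC1 -> XHC).

usb_capture_ifname() {
    entry=$1
    # Reject anything that is not <name>@<location>.
    case $entry in *@*) ;; *) return 1 ;; esac
    name=${entry%%@*}
    loc=${entry#*@}
    # The location must be 1 to 8 hex digits (a 32-bit value).
    case $loc in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ "${#loc}" -le 8 ] || return 1
    ctype=$(printf '%s' "$name" | sed 's/[0-9]*$//')
    [ -n "$ctype" ] || return 1
    # Shift instead of cutting the first two characters, so a location
    # printed without leading zeros still yields the right bus number.
    bus=$(( (0x$loc >> 24) & 0xff ))
    printf '%s%d\n' "$ctype" "$bus"
}

# Read ioreg-style lines on stdin, print "<entry> <interface>" per controller.
usb_capture_ifnames_from_ioreg() {
    sed -n 's/.*+-o \([A-Za-z0-9]*@[0-9a-fA-F]*\) .*/\1/p' |
    while read -r entry; do
        ifname=$(usb_capture_ifname "$entry") || continue
        printf '%s %s\n' "$entry" "$ifname"
    done
}

# Sample input: the three controller lines quoted in the post.
sample_ioreg() {
    cat <<'EOF'
+-o XHC1@14000000 <class AppleUSBXHCILPTH, id 0x10000029c, registered, matched, active, busy 0 (1179 ms), retain 128>
+-o EHC2@1a000000 <class AppleUSBEHCIPCI, id 0x1000002a4, registered, matched, active, busy 0 (400 ms), retain 80>
+-o EHC1@1d000000 <class AppleUSBEHCIPCI, id 0x1000002dd, registered, matched, active, busy 0 (330 ms), retain 80>
EOF
}

sample_ioreg | usb_capture_ifnames_from_ioreg
```

The derived names line up with the interfaces in the ifconfig listing from the post (XHC20, EHC26, EHC29).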