
I'm currently trying to analyse incoming USB traffic using USBPcap + Python/dpkt, with an optical USB-mouse as an example input device.

After launching a batch file containing the command

```
USBPcapCMD.exe -d \\.\USBPcap7 -o - | pipetest.py
```

the following code works perfectly:

```python
# pipetest.py
# sniffing for USB-mouse activities
import sys
import dpkt, struct

try:
    f = open('c:\\users\\user\\downloads\\test.pcap','wb')
    while True:
        inpt = sys.stdin.read(34)        # package length
        f.write(inpt)
except KeyboardInterrupt:
    f.close()

f = open('c:\\users\\user\\downloads\\test.pcap','rb')
pcap = dpkt.pcap.Reader(f)
print

for ts, buf in pcap:
    data = struct.unpack("b"*7, buf[-7:]) # 7-byte leftover with mouse info
    print data

f.close()
```

Output is:

```
34
34
34
34
34
34
34
34
34
34
34
34
^C
(3, 4, 0, 0, 0, 0, 0)  <---|
(3, 0, 0, 0, 0, 0, 0)      |
(3, 4, 0, 0, 0, 0, 0)  <---|
(3, 0, 0, 0, 0, 0, 0)      |------ Four clicks with mouse wheel
(3, 4, 0, 0, 0, 0, 0)  <---|
(3, 0, 0, 0, 0, 0, 0)      |
(3, 4, 0, 0, 0, 0, 0)  <---|
(0, 0, 0, 9, 0, 1, 7)
```

Unfortunately, I've got a problem with LIVE analysis of captured data. How can I get dpkt.pcap.Reader() to work with sys.stdin instead of open('foo.pcap')?

P.S. I surely can do

```
USBPcapCMD.exe -d \\.\USBPcap2 -o - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -
```

as shown in the official mini-tutorial, but I would like to perform real-time USB traffic analysis using a USB sniffer + Python.

P.P.S. Python/PyUSB + libusb-win32 works perfectly but I do need USBPcap! :)

Vifonius

1 Answer


You can use a named pipe (FIFO buffer) for this (https://en.wikipedia.org/wiki/Named_pipe#In_Windows); see "createNamedPipe in python" and "Windows named pipes in practice".

You create the named pipe, open USBPcap from within your Python program and pipe the output to the named pipe you just created ("How to Run an .exe File in Python", "how to run an exe file with the arguments using python"), then you read from the named pipe with dpkt.pcap.Reader().

https://msdn.microsoft.com/de-de/library/windows/desktop/aa365590%28v=vs.85%29.aspx

https://msdn.microsoft.com/de-de/library/windows/desktop/aa365592%28v=vs.85%29.aspx

ralf htp
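Added example, not part of the original posts and not dpkt's code: a standard-library reader that parses a pcap stream incrementally from any binary pipe, yielding each packet as soon as its record is complete. It assumes Python 3, classic microsecond pcap framing (24-byte global header, 16-byte record headers) and a live source such as `sys.stdin.buffer` fed by the `USBPcapCMD.exe ... -o -` command from the question; `MAX_RECORD` and the sample capture (link type 249, USBPcap) are constructed for illustration.

```python
import struct
import sys

MAX_RECORD = 262144  # assumed cap: a corrupt length field must not force a huge read

def read_exact(stream, n):
    """Return exactly n bytes, looping over short pipe reads; None on clean EOF."""
    data = b""
    while len(data) < n:
        chunk = stream.read(n - len(data))
        if not chunk:
            if data:
                raise EOFError("stream ended inside a header or record")
            return None
        data += chunk
    return data

def iter_pcap(stream):
    """Yield (timestamp, packet_bytes) as each record arrives on the stream."""
    header = read_exact(stream, 24)                 # pcap global header
    if header is None:
        return
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(header[:4])
    if endian is None:
        raise ValueError("not a classic pcap stream")
    while True:
        rec = read_exact(stream, 16)                # per-record header
        if rec is None:
            return
        sec, usec, incl_len, _orig_len = struct.unpack(endian + "4I", rec)
        if incl_len > MAX_RECORD:
            raise ValueError("implausible record length %d" % incl_len)
        buf = read_exact(stream, incl_len)
        if buf is None:
            raise EOFError("stream ended before the record body")
        yield sec + usec / 1e6, buf

def sample_capture():
    """Constructed sample: two 34-byte records ending in 7 mouse-style bytes."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 249)
    for sec, report in ((1, (3, 4, 0, 0, 0, 0, 0)), (2, (3, 0, 0, 0, 0, 0, 0))):
        body = bytes(27) + struct.pack("7b", *report)
        out += struct.pack("<4I", sec, 500000, len(body), len(body)) + body
    return out

if __name__ == "__main__":
    for ts, buf in iter_pcap(sys.stdin.buffer):     # binary stdin, live pipe
        print(ts, struct.unpack("7b", buf[-7:]), flush=True)
```

The same generator works on a named pipe opened in binary mode, since it only needs an object with a `read(n)` method.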