7 Replies
      Latest reply on Oct 24, 2019 10:02 AM by eskimo
      Lufthummel Level 1 Level 1 (0 points)

        Hi,  I want to capture the USB traffic for my app running on High Sierra. I brought the if XHC20 up and can capture the traffic using Wireshark nightly builds. But I only see incoming traffic (from device to host) but not the other direction. Any ideas what is going wrong here?

         

        Starting the IF:

         

        > sudo ifconfig XHC20 up

        After that I can select the IF in Wireshark and start capturing packets.

        I can see incoming traffic from attached devices but not the outbound messages.

        • Re: Capturing USB traffic
          YuchenTech Level 1 Level 1 (0 points)

          hi, I also have this problem. I can only see device to host, can not see host to device package.

            • Re: Capturing USB traffic
              kewal.deshpande Level 1 Level 1 (0 points)

              We are also trying to connect a accessory to Apple device(host) , looking for USB enumeration packets exchanged between Apple device and accessory before MFi authentication. Are we in right direction?

              (We are expecting enumeration to happen before authentication, while in USB host mode audio enumeration happens after authentication)

            • Re: Capturing USB traffic
              gc. Apple Staff Apple Staff (255 points)

              With macOS High Sierra you can use Wireshark to capture USB traffic.  The interface needs to be manually brought up/down to enable/disable packet capture for the specific controller via ifconfig (where you can also see a list of available interfaces).  I don’t believe there is a “released” version of Wireshark with this support yet but you can download a nightly build here: https://www.wireshark.org/download/automated/osx/.

               

              The capture interfaces are named based on the underlying controller type followed by the bus number:

               

              $ ifconfig
              EHC26: flags=0<> mtu 0
              XHC20: flags=0<> mtu 0
              EHC29: flags=0<> mtu 0

               

               

              $ ioreg -w0 -rc AppleUSBHostController

               

              +-o XHC1@14000000  <class AppleUSBXHCILPTH, id 0x10000029c, registered, matched, active, busy 0 (1179 ms), retain 128>

              +-o EHC2@1a000000  <class AppleUSBEHCIPCI, id 0x1000002a4, registered, matched, active, busy 0 (400 ms), retain 80>

              +-o EHC1@1d000000  <class AppleUSBEHCIPCI, id 0x1000002dd, registered, matched, active, busy 0 (330 ms), retain 80>

               

              The format above is <name>@<location> where the most significant byte of the location is the bus number.  For example, if the device your interested in is connected to the XHCI controller XHC1@14000000 then you would enable packet capture via "sudo ifconfig XHC20 up” and disable via “sudo ifconfig XHC20 down”.  Once the interface is up then Wireshark will be able to capture/decode/filter USB traffic for that controller.