Get the file:
# wget http://bostonkeyparty.net/challenge.pcapng.28c58da9dd07532d45aa68f9b825941e
# file challenge.pcapng.28c58da9dd07532d45aa68f9b825941e
challenge.pcapng.28c58da9dd07532d45aa68f9b825941e: pcap-ng capture file - version 1.0
Lots of USB data inside:
# tshark -r challenge.pcapng.28c58da9dd07532d45aa68f9b825941e | head
1 0.000000000 host -> 1.0 64 USBHUB GET_STATUS Request
2 0.000011000 1.0 -> host 68 USBHUB GET_STATUS Response
3 0.074167000 host -> 12.0 64 USB GET DESCRIPTOR Request DEVICE
4 0.075077000 12.0 -> host 82 USB GET DESCRIPTOR Response DEVICE
5 0.150556000 host -> 1.0 64 USBHUB GET_STATUS Request
6 0.000015000 host -> 1.0 64 USBHUB GET_STATUS Request
Device [12.0] description:
DEVICE DESCRIPTOR
bLength: 18
bDescriptorType: DEVICE (1)
bcdUSB: 0x0200
bDeviceClass: Use class info in Interface Descriptor (0x00)
bDeviceSubClass: 0
bDeviceProtocol: 0
bMaxPacketSize0: 8
idVendor: 0x046d <---- Logitech Inc.
idProduct: 0xc00e <---- Logitech Optical Mouse,
bcdDevice: 0x1100
iManufacturer: 1
iProduct: 2
iSerialNumber: 0
bNumConfigurations: 1
(Ref: http://www.pcidatabase.com/vendor_details.php?id=1691)
Take sample data:
# tshark -r challenge.pcapng.28c58da9dd07532d45aa68f9b825941e 'usb.device_address == 12' -x
....
105 5.078857000 12.1 -> host 68 USB URB_INTERRUPT in
0000 c0 44 a9 c7 00 88 ff ff 43 01 81 0c 02 00 2d 00 .D......C.....-.
0010 7f 99 ea 54 00 00 00 00 93 3c 09 00 00 00 00 00 ...T.....<......
0020 04 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................
0030 08 00 00 00 00 00 00 00 04 02 00 00 00 00 00 00 ................
0040 00 01 00 00
....
Find tech spec:
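#include <stdint.h>

/* 4-byte report carried in each URB_INTERRUPT in transfer */
struct mouse_report_t
{
    uint8_t buttons;  /* button state bitmask */
    int8_t x;         /* relative X movement */
    int8_t y;         /* relative Y movement */
    int8_t wheel;     /* relative wheel movement */
};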
Write parser -> oh, it is an on-screen keyboard :)
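A first-pass parser along these lines (added example, not the writeup's own code): it decodes the 4-byte report from each frame and records where the left button was pressed. It assumes the 64-byte Linux usbmon header implied by the 68-byte frame above; make_frame, parse_frame and track_clicks are hypothetical names, and every frame except frame 105 is constructed.

```python
import struct

USBMON_HDR_LEN = 64  # assumed: Linux usbmon header, 68-byte frame minus 4 data bytes

# Frame 105 from the hex dump above; the other frames below are constructed.
PAGE_FRAME = bytes.fromhex(
    "c044a9c70088ffff4301810c02002d00"
    "7f99ea5400000000933c090000000000"
    "04000000040000000000000000000000"
    "08000000000000000402000000000000"
    "00010000")


def make_frame(buttons, dx, dy, wheel=0, device=12):
    """Constructed test frame: page header with a new devnum and report."""
    hdr = bytearray(PAGE_FRAME[:USBMON_HDR_LEN])
    hdr[11] = device
    return bytes(hdr) + struct.pack("<Bbbb", buttons, dx, dy, wheel)


def parse_frame(frame, device=12):
    """Return (buttons, dx, dy, wheel) for a completed interrupt-IN URB, else None."""
    if len(frame) < USBMON_HDR_LEN:
        return None
    urb_type, xfer_type, epnum, devnum = struct.unpack_from("<cBBB", frame, 8)
    (data_len,) = struct.unpack_from("<I", frame, 0x24)
    data = frame[USBMON_HDR_LEN:USBMON_HDR_LEN + data_len]
    if (urb_type != b"C" or xfer_type != 1 or not epnum & 0x80
            or devnum != device or len(data) != 4):
        return None
    return struct.unpack("<Bbbb", data)  # same layout as mouse_report_t


def track_clicks(frames, device=12):
    """Integrate relative motion; return the position of each left-button press."""
    x = y = prev = 0
    clicks = []
    for frame in frames:
        report = parse_frame(frame, device)
        if report is None:
            continue
        buttons, dx, dy, _wheel = report
        x, y = x + dx, y + dy
        if buttons & 1 and not prev & 1:  # rising edge only, not a held button
            clicks.append((x, y))
        prev = buttons
    return clicks


SAMPLE = [PAGE_FRAME, make_frame(0, 10, 5), make_frame(1, 0, 0), make_frame(1, 2, 0),
          make_frame(0, 0, 0), make_frame(1, 50, 50, device=1),
          make_frame(0, -3, 20), make_frame(1, 0, 0)]
print(track_clicks(SAMPLE))
```

The coordinates are relative to the cursor's unknown starting point, so the click positions only become meaningful once plotted against each other.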
Enhance parser: