Another day and another interesting PCAP capture. Have you ever thought that USB keyboards could also reveal a lot of activity and user behavior? We will look at such scenarios in the upcoming chapters, but for now, let's prepare for it. I found an interesting packet-capture file from https://github.com/dbaser/CTF-Write-ups/blob/master/picoCTF-2017/for80-just_keyp_trying/data.pcap. However, on downloading the PCAP file and loading it in Wireshark, I got the following:
Well, I have not seen anything like this, but we know that this is USB data. We can also see that the leftover column contains some bytes. This is the data of interest; let's use tshark to harvest this data by running tshark -r [path to the file] as follows:
Let's only print the leftover data, using the usb.capdata field:
We can see that we have only one or...
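For a USB keyboard, the bytes printed by the usb.capdata field are HID input reports. The following is an added example, not code from the original text or the linked write-up, that decodes such lines into typed characters; it assumes 8-byte boot-protocol keyboard reports and a US layout, and the sample lines are constructed rather than taken from data.pcap.

```python
import string

# HID Keyboard/Keypad usage IDs -> (unshifted, shifted); US layout assumed.
KEYMAP = {0x04 + i: (c, c.upper()) for i, c in enumerate(string.ascii_lowercase)}
KEYMAP.update({0x1E + i: p for i, p in enumerate(zip("1234567890", "!@#$%^&*()"))})
KEYMAP.update({0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " ")})
KEYMAP.update({0x2D + i: p for i, p in enumerate(zip("-=[]\\", "_+{}|"))})
KEYMAP.update({0x33 + i: p for i, p in enumerate(zip(";'`,./", ":\"~<>?"))})
SHIFT_MASK = 0x22   # modifier byte: bit 1 = left Shift, bit 5 = right Shift
BACKSPACE = 0x2A

def parse_report(line):
    """Return the 8 report bytes, or None for blank or non-keyboard lines."""
    try:
        # tshark prints either "00:00:04:..." or "000004..." depending on version.
        data = bytes.fromhex(line.strip().replace(":", ""))
    except ValueError:
        return None
    return data if len(data) == 8 else None

def decode_keystrokes(lines):
    """Rebuild typed text from consecutive reports, counting each press once."""
    text, held = [], set()
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        shifted = int(bool(report[0] & SHIFT_MASK))
        # Bytes 2..7 hold up to six keys; 0x00 = none, 0x01-0x03 = error codes.
        keys = [k for k in report[2:] if k > 0x03]
        for key in keys:
            if key in held:
                continue              # still down from the previous report
            if key == BACKSPACE:
                del text[-1:]
            elif key in KEYMAP:
                text.append(KEYMAP[key][shifted])
        held = set(keys)
    return "".join(text)

# Constructed sample input (one usb.capdata value per packet).
SAMPLE = [
    "02:00:00:00:00:00:00:00", "02:00:0b:00:00:00:00:00",  # Shift, then Shift+h
    "00:00:00:00:00:00:00:00", "00000c0000000000",          # release, i (no colons)
    "00000c0000000000", "",                                 # i still held; empty line
    "00:00:00:00:00:00:00:00", "00:00:1b:00:00:00:00:00",  # release, x
    "00:00:00:00:00:00:00:00", "00:00:2a:00:00:00:00:00",  # release, Backspace
    "00:00:00:00:00:00:00:00", "20:00:2d:00:00:00:00:00",  # release, right Shift + '-'
    "00:00:00:00:00:00:00:00", "00:00:1e:00:00:00:00:00",  # release, 1
    "01:02",                                                # short non-keyboard transfer
]
```

Lines that are empty or not exactly 8 bytes long are skipped, which filters out packets from other endpoints in the same capture.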