summaryrefslogblamecommitdiffstats
path: root/docs/forensics/USB_Packet_Capture.txt
blob: cef21a26db86cfdd42366f0f54e7ba31b46116b7 (plain) (tree) 
2e9dccb























81a9656

2e9dccb

81a9656





















































































2e9dccb

81a9656
























1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

24

25

26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

111

112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135























                                                                                 
                                                                                
 




















































































                                                              
 























                                                              
Keyboards
=========

To disect what a keyboard was typing from a USB pcap file, refer to the
"Leftover Capture Data" (as Wireshark calls it).  This field will contain
bytes describing pressed keys (scancodes), including modifier keys.

At the time of writing this, my understanding of the data format is still a
little limited.  So, this is just what I know.  Update it, over time.

First byte of Leftover Data will contain any modifier keys.  I've seen 0x20 and
0x02 both mean Shift (perhaps one is left and one is right).

Starting 3 bytes in to the data (that is, offset 2), there will be codes for any
other pressed keys.  Their meanings are in the table below.  You may see multiple
bytes here.  As best I can tell, these are just multiple keys being pressed at
the same time.

Note that when keys are released, there will be a packet with zero bytes, which
tell the host that there are no keys being pressed.

Code Table
Byte value      Unshifted       Shifted
--------------------------------------------------------------------------------

KEYBOARD
    00          Reserved (no event indicated)
    01          Keyboard ErrorRollOver
    02          Keyboard POSTFail
    03          Keyboard ErrorUndefined
    04              a              A
    05              b              B
    06              c              C
    07              d              D
    08              e              E
    09              f              F
    0A              g              G
    0B              h              H
    0C              i              I
    0D              j              J
    0E              k              K
    0F              l              L
    10              m              M
    11              n              N
    12              o              O
    13              p              P
    14              q              Q
    15              r              R
    16              s              S
    17              t              T
    18              u              U
    19              v              V
    1A              w              W
    1B              x              X
    1C              y              Y
    1D              z              Z
    1E              1              !
    1F              2              @
    20              3              #
    21              4              $
    22              5              %
    23              6              ^
    24              7              &
    25              8              *
    26              9              (
    27              0              )
    28          Return (Enter)
    29          Escape
    2A          Delete (Backspace)
    2B          Tab
    2C          Spacebar
    2D              -              _
    2E              =              +
    2F              [              {
    30              ]              }
    31              \              |
    32              #              ~                  (non US)
    33              ;              :
    34              '              "
    35              `              ~
    36              ,              <
    37              .              >
    38              /              ?
    39          Caps Lock
    3A              F1
    3B              F2
    3C              F3
    3D              F4
    3E              F5
    3F              F6
    40              F7
    41              F8
    42              F9
    43              F10
    44              F11
    45              F12
    46          Print Screen
    47          Scroll Lock
    48          Pause
    49          Insert
    4A          Home
    4B          Page Up
    4C          Delete Forward
    4D          End
    4E          Page Down
    4F          Right Arrow
    50          Left Arrow
    51          Down Arrow
    52          Up Arrow
    53          Num Lock        Clear

KEYPAD                       (column means Num Lock off)
    54              /
    55              *
    56              -
    57              +
    58          Enter
    59              1           End
    5A              2           Down Arrow
    5B              3           Page Down
    5C              4           Left Arrow
    5D              5
    5E              6           Right Arrow
    5F              7           Home
    60              8           Up Arrow
    61              9           Page Up
    62              0           Insert
    63              .           Delete
    64              \              |                  (non US)
    65          Keyboard Application
    66          Keyboard Power
    67              =


Source: https://www.youtube.com/watch?v=0HXL4RGmExo
cgit-1.2.3-r5 | srcnode v0.4.0