<![CDATA[For anyone else capturing #USB on #macOS on Apple Silicon:It does work, you just have to disable SIP entirely first (individual flags don't work, need csrutil disable)You need to manually set the correct interface up, e.g. sudo ifconfig XHC2 up]]>For anyone else capturing on on Apple Silicon:
It does work, you just have to disable SIP entirely first (individual flags don't work, need csrutil disable)
You need to manually set the correct interface up, e.g. sudo ifconfig XHC2 up

For identifying a specific device, the easiest way is to correlate with IORegistryExplorer.
For example:

iPhone@02100000
        ^
    XHC interface

Once you start the capture in Wireshark, you can filter to just that device using

usb.darwin.location_id == 0x02100000
]]>https://board.circlewithadot.net/topic/4030c52c-20bd-4acb-a8a6-1f43d609f802/for-anyone-else-capturing-usb-on-macos-on-apple-silicon-it-does-work-you-just-have-to-disable-sip-entirely-first-individual-flags-don-t-work-need-csrutil-disable-you-need-to-manually-set-the-correct-interface-up-e.g.-sudo-ifconfig-xhc2-upRSS for NodeThu, 14 May 2026 20:52:04 GMTThu, 07 May 2026 15:33:07 GMT60<![CDATA[Reply to For anyone else capturing #USB on #macOS on Apple Silicon:It does work, you just have to disable SIP entirely first (individual flags don't work, need csrutil disable)You need to manually set the correct interface up, e.g. sudo ifconfig XHC2 up on Sat, 09 May 2026 06:28:34 GMT]]>I wanted to use this to decrypt connections made using MobileDevice.framework over lockdownd, so I created the following:

Custom dissector for the usbmuxd TCP encapsulation:
https://gist.github.com/JJTech0130/da77af43269076f6ea78f69471d1df6e
SSL keylog for the version of LibreSSL it links (using )
https://gist.github.com/JJTech0130/e238798e66fe70abc16f1c6dc6c28ab3

Thanks @nicolas17 for the help!

Link Preview Image
]]>https://board.circlewithadot.net/post/https://infosec.exchange/users/jjtech/statuses/116543200598036875https://board.circlewithadot.net/post/https://infosec.exchange/users/jjtech/statuses/116543200598036875Sat, 09 May 2026 06:28:34 GMT