For anyone else capturing #USB on #macOS on Apple Silicon:It does work, you just have to disable SIP entirely first (individual flags don't work, need csrutil disable)You need to manually set the correct interface up, e.g. sudo ifconfig XHC2 up

I wanted to use this to decrypt connections made using MobileDevice.framework over lockdownd, so I created the following:

Custom #Wireshark dissector for the usbmuxd TCP encapsulation:
https://gist.github.com/JJTech0130/da77af43269076f6ea78f69471d1df6e
SSL keylog for the version of LibreSSL it links (using #Frida)
https://gist.github.com/JJTech0130/e238798e66fe70abc16f1c6dc6c28ab3

Thanks @nicolas17 for the help!

For anyone else capturing #USB on #macOS on Apple Silicon:
It does work, you just have to disable SIP entirely first (individual flags don't work, need csrutil disable)
You need to manually set the correct interface up, e.g. sudo ifconfig XHC2 up

For identifying a specific device, the easiest way is to correlate with IORegistryExplorer.
For example:

iPhone@02100000
        ^
    XHC interface

Once you start the capture in Wireshark, you can filter to just that device using

usb.darwin.location_id == 0x02100000