Gallimaufry
is a Python framework for parsing and working with packet capture files (PCAPs) of USB traffic. It uses tshark in the backend to perform the initial translation of the packet capture into Python objects. The goal of the framework is to make it easy both to parse information out of USB pcaps and to extend the framework to cover more USB traffic types.
For a quick understanding of how it works, check out the examples in the documentation.
http://gallimaufry.readthedocs.io/en/latest/index.html
Once installed, you can load up a pcap and analyze it:
In [1]: from Gallimaufry.USB import USB
In [2]: usb = USB("./task.pcap")
In [3]: usb
Out[3]: <USB packets=835>
In [4]: usb.devices
Out[4]: [<Apple, Inc. Aluminum Keyboard (ISO) v0.6.9 USB2.0.0 bus_id=1 address=3>]
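As an added illustration of the tshark-to-Python step the framework relies on (this is example code, not Gallimaufry's own implementation), the script below runs tshark with -T json over a capture and builds a device inventory keyed by bus id and address, the same two values shown in the device listing above. The embedded JSON sample is constructed to mimic the shape of tshark's output rather than taken from a real capture; the field names are Wireshark's usb.* fields.

```python
import json
import shutil
import subprocess

# Constructed stand-in for two packets of `tshark -T json` output (not a real capture).
SAMPLE_TSHARK_JSON = json.dumps([
    {"_source": {"layers": {"frame": {"frame.number": "1"},
        "usb": {"usb.bus_id": "1", "usb.device_address": "3"}}}},
    {"_source": {"layers": {"frame": {"frame.number": "2"},
        "usb": {"usb.bus_id": "1", "usb.device_address": "3",
                "DEVICE DESCRIPTOR": {"usb.idVendor": "0x05ac",
                                      "usb.idProduct": "0x0221"}}}}},
])

def run_tshark_json(pcap_path):
    """Dissect a pcap with tshark and return the packet list (needs tshark on PATH)."""
    tshark = shutil.which("tshark")
    if tshark is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run([tshark, "-r", pcap_path, "-T", "json"], check=True,
                          stdout=subprocess.PIPE, universal_newlines=True)
    return json.loads(proc.stdout)

def find_field(node, key):
    """Depth-first lookup of a tshark field name, since descriptor fields sit in subtrees."""
    if isinstance(node, dict):
        if key in node:
            return node[key]
        node = node.values()
    elif not isinstance(node, list):
        return None
    for child in node:
        hit = find_field(child, key)
        if hit is not None:
            return hit
    return None

def device_inventory(packets):
    """Group USB packets by (bus_id, address) and record vendor/product ids when seen."""
    devices = {}
    for pkt in packets:
        usb = pkt.get("_source", {}).get("layers", {}).get("usb")
        bus, addr = find_field(usb, "usb.bus_id"), find_field(usb, "usb.device_address")
        if bus is None or addr is None:
            continue  # not a USB packet, or no addressing fields present
        dev = devices.setdefault((int(bus), int(addr)),
                                 {"idVendor": None, "idProduct": None, "packets": 0})
        dev["packets"] += 1
        for name in ("idVendor", "idProduct"):
            value = find_field(usb, "usb." + name)
            if value is not None:
                dev[name] = int(value, 16)  # tshark prints these as hex strings
    return devices
```

Call `device_inventory(run_tshark_json("./task.pcap"))` on a real capture, or `device_inventory(json.loads(SAMPLE_TSHARK_JSON))` to exercise it offline.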
Requirements:
- Python 3.5+
- tshark
Install using pip:
$ pip install .
There is an auto-build Docker container that has everything set up already. Download it with the following:
$ sudo docker pull bannsec/Gallimaufry
Run it:
$ sudo docker run -it --rm -v $PWD:/my_mount bannsec/Gallimaufry