[Lazarus] Decoding USB sniff data

waldo kitty wkitty42 at windstream.net
Fri Jun 4 23:27:50 CEST 2010


On 6/4/2010 05:36, Mark Morgan Lloyd wrote:
> That's obviously going to complicate things if you're only sniffing a
> single device (small group of endpoints) or a single class. The sniffing
> software (and any decoders) are not going to be able to say "device x:y
> is now killing itself and will be resurrected as z:t" unless somebody's
> already reverse-engineered the loader- not impossible but not very
> likely either.

right but one should be able to note the vid:pid (did i get that right?) 
attached to a particular USB port and note that it changes within a specific 
time period to a secondary and then within another certain time frame to a 
tertiary vid:pid... as these will occur within a (presumably) very short time 
period (guessing less than 2 or 3 seconds), it would appear to be "not a human 
plugging, unplugging and switching devices" because a human won't be able to do 
that in that short a time frame... plus there's that if a human /did/ try to do 
that, it would likely (?) result in the sequence starting all over and running 
thru the three steps...

one might also have a table that notes the vid:pid of each stage... determining 
those is something else, altogether ;)
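
The heuristic described in the message above, as an added example that is not part of the original post: attach events on one port whose vid:pid changes within a short window are grouped into a re-enumeration chain, and a stage table is built from the chains. The event tuples, port names, vid:pid values and the 3-second window are constructed assumptions, not data from the thread.

```python
WINDOW_S = 3.0  # assumption: the post guesses "less than 2 or 3 seconds"

# Constructed attach events: (seconds, port path, "vid:pid"). All IDs are made up.
SAMPLE_EVENTS = [
    (10.00, "1-2", "1234:0001"),   # stage 1: bare loader
    (10.80, "1-2", "1234:0002"),   # stage 2: after firmware download
    (11.90, "1-2", "1234:0003"),   # stage 3: final device
    (12.00, "1-4", "abcd:0010"),   # unrelated device on another port
    (95.00, "1-4", "abcd:0020"),   # a human swapped devices much later
    (200.0, "1-2", "1234:0001"),   # replug: the sequence starts over
    (200.7, "1-2", "1234:0002"),
]

def find_chains(events, window=WINDOW_S):
    """Return [(port, [vid:pid, ...])] for each run of ID changes on one port
    where consecutive attaches are at most `window` seconds apart."""
    last = {}    # port -> (time of last attach, chain that attach belongs to)
    chains = []
    for t, port, ident in sorted(events):
        prev = last.get(port)
        if prev and t - prev[0] <= window and prev[1][-1] != ident:
            prev[1].append(ident)          # fast change on same port: next stage
            last[port] = (t, prev[1])
        else:
            chain = [ident]                # too slow or same ID: start a new chain
            chains.append((port, chain))
            last[port] = (t, chain)
    # A single attach is not a chain; keep only real ID transitions.
    return [(p, c) for p, c in chains if len(c) > 1]

def stage_table(chains):
    """Build the table the post suggests: vid:pid -> (stage number, next vid:pid)."""
    table = {}
    for _, chain in chains:
        for i, ident in enumerate(chain):
            nxt = chain[i + 1] if i + 1 < len(chain) else None
            # Keep an already-known continuation over a truncated sighting.
            if ident not in table or table[ident][1] is None:
                table[ident] = (i + 1, nxt)
    return table

if __name__ == "__main__":
    found = find_chains(SAMPLE_EVENTS)
    for port, chain in found:
        print(port, " -> ".join(chain))
    print(stage_table(found))
```
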



