Audio Optimization Resources

macOS – How to: USB Monitoring with WireShark

As developers know, the utility tool to debug and monitor USB Traffic hasn’t been available for quite a while. However, Apple has enabled capturing USB traffic, even for USB-C devices, via Wireshark. I guess you’d classify this as an unofficial release. In order for a capturing protocol to be included in Wireshark, it has to go through quite a rigorous review process. Until there’s official support, you can still get USB capturing going with Wireshark, by downloading the “nightly build” version, which is available here:

Once you’ve downloaded and got Wireshark installed, it’s easy to capture USB traffic. But 1st you’ll need to open Terminal so you can Enable, or “Bring Up” the USB Interface, such that WireShark can see it as a Capture Device. In most cases, this interface is called XHC20.

So at the command prompt you’ll paste in: Sudo ifconfig XHC20 up.

Now, as you can see, Wireshark sees the XHC20 USB Interface, and can now capture its traffic. 

When you are done with your Capture Session, just return to Terminal and paste: Sudo ifconfig XHC20 down. This will bring the USB interface “down.”

Here’s an example of a USB Packet: 

I won’t get into all the usage of WireShark in this post. Chances are you’ve already got ideas!

13 replies »

  1. There is no XHC20 interface shown thru ifconfig on my Mid 2014 15″ MacBook running High Sierra 10.13.4. Even with a USB device attached. Is there some way to get this to show up? Do you have to install the nightly build of Wireshark to get this to show up in Terminal?


    • Having installed the nightly build of Wireshark on the Mac, I can see the XHC20 interface in Wireshark. But there is no such interface available on the Mac, the ifconfig command does not recognize its existence.


  2. I have Hight Sierra installed on my MacBook Pro, but the command Sudo ifconfig XHC20 up just brings up the following error – interface XHC20 does not exist. So i can’t monitor it in Wireshark.


  3. Same problem here. macOS Catalina 10.15.3, Wireshark 3.2.2 and “sudo ifconfig XHC20 up” brings “interface XHC20 does not exist.! 😞
    Any solution to this? Had no luck with googling so far …


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s