In order to sniff USB traffic on macOS, the XHC20 interface must be "brought up" by executing the following command:
sudo ifconfig XHC20 up
Many online tutorials also suggest to disable the interface after the sniffing is complete. This can be done by executing:
sudo ifconfig XHC20 down
My question is: can I leave the XHC20 interface "up" even when I'm not actively sniffing it?
What are the implications (performance, memory, security, etc.)?
Best Answer
Yes, you can leave the interface "up" when not actively sniffing it.
The interface is actually a sort of pseudo interface based on BPF. Those are generally very performant, and have little to none implication for performance and memory usage.
In terms of security, you could be exposing the your USB traffic to other users on the same Mac that have access to the interface, but not otherwise to your USB traffic. This is not commonly the case on macOS installations in homes / offices.