
Wireshark doesn't listen on audio devices though. You have to choose an interface. There is no obvious way to capture what he claims to be seeing, and if he used Wireshark or tcpdump, he would have a log. Furthermore, if you had a covert audio channel, you wouldn't encapsulate it in TCP or IP. Under close examination, these claims don't make any sense.


Wireshark can also capture raw Ethernet and raw USB frames, but it still needs an interface from which to capture. Maybe it was the loopback interface?


The loopback interface is localhost only; it doesn't see any packets coming from or going to any other host.


Software infecting the running system could send packets received via audio to localhost. I'm not saying it's likely, but it's a remotely plausible explanation for the article's description of the attack and investigation.


> Software infecting the running system could send packets received via audio to localhost.

Hm. I suppose this is theoretically possible, but I don't see why it would be done in a practical sense. If the malware needs to "phone home", it doesn't need to send packets via localhost; it just sends them out on whatever interface is connected to the Internet. (But how would you distinguish those packets from any others being sent out to the Internet?) If the malware is divided up into multiple processes that need to communicate with each other, why would they betray themselves by connecting via localhost? If they are on OS X or Linux, they can use Unix sockets, which don't need to go through any network interface. If they are on Windows, they can use any of several Windows IPC mechanisms that don't require a network interface.



