Ask Your Question
0

How can I decode BLE L2CAP packets?

asked 2020-07-06 18:52:07 +0000

sandro_ gravatar image

updated 2020-07-07 14:23:14 +0000

Hi,

I'm using the Hollong Bluetooth 4.0/4.1/4.2 BLE Sniffer hardware to capture BLE packets which are then displayed in Wireshark.

I'm capturing packets between my Android device and my E3 Airmon air quality checker device. I start the "measurement" process from the Android device, which then seems to show up as a stream of L2CAP packets in WIreshark (also, when the measurement is complete, no new packets seem to appear in Wireshark).

I'm not sure how to decode these L2CAP packets - there's no "conversation" shown as it would be when following IP packets.

Here is a screenshot of the captured packets summary: https://www.dropbox.com/s/shleomhn6cd...

Here is a link to the packet capture: https://drive.google.com/file/d/1H42b...

How can I actually see what data is being sent over BLE?

I'm using Version 3.2.5 (v3.2.5-0-ged20ddea8138) on a Mac.

Thanks!

[UPDATE] I have been able to get the ATT protocol traffic of the same packet sequence by enabling the Bluetooth HCI log on my Android device and opening up the resulting log file in Wireshark (link). I'm still not sure why this is not showing in Wireshark when capturing over the Hollong packet sniffer device.

[FINAL UPDATE] See comments for the answer - the traffic was encrypted.

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-07-07 14:09:53 +0000

Chuckc gravatar image

The traffic is encrypted. The capture doesn't have headers that Crackle is looking for. I modified the code and was able to decrypt a few of the ATT frames but it didn't decrypt all the fragments.

edit flag offensive delete link more

Comments

Ah, that makes sense. I think I initiated a full "handshake" (I removed the device from my Bluetooth devices list on my Android device and then opened the device's app to initiate a new measurement) but I guess not.

In any case I can see the full unencrypted, ATT protocol traffic simply by capturing the data on the Android device itself.

So in summary, it seems I was wrongly assuming the traffic would "automatically" be decrypted on the fly within Wireshark, if captured by a third party device (if the handshake was captured as well). As part of the initial device setup process, a QR code that is on the bottom of the device needed to be scanned (but only once, it's not needed even after I remove the device from the Bluetooth devices list), maybe that's somehow relevant.

I will then keep using the Android Bluetooth ...(more)

sandro_ gravatar imagesandro_ ( 2020-07-07 14:19:21 +0000 )edit

@sandro_ I've converted the comment by @Chuckc to an answer so you can now accept it as such by clicking the checkmark to the left of the answer. We don't normally close questions off here when answered, so I've reopened it.

grahamb gravatar imagegrahamb ( 2020-07-07 15:01:38 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-07-06 18:52:07 +0000

Seen: 3,644 times

Last updated: Jul 07 '20

Related questions

When I work with BLE sniffer can I use filters by advertising data?

nrf sniffer 3.0 doesn't show in list of external capture modules. Why?

Nordic BLE Sniffer Logs Stuck

Problems decoding BLE capture from another Wireshark program

where do I find a version of Wireshark that works with the Nordic BLE sniffer plugin

Can I use tshark with Nordic BLE Sniffer plugin to capture from command line?

Why won't a dissector work when adding to btatt.handle?

Capture file appears to be damaged or corrupt

Is there a way to differentiate between aptx and aptx hd codec

What is a good solution to capture Bluetooth traffic?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2