Ask Your Question

How can I decode BLE L2CAP packets?

asked 2020-07-06 18:52:07 +0000

sandro_ gravatar image

updated 2020-07-07 14:23:14 +0000


I'm using the Hollong Bluetooth 4.0/4.1/4.2 BLE Sniffer hardware to capture BLE packets which are then displayed in Wireshark.

I'm capturing packets between my Android device and my E3 Airmon air quality checker device. I start the "measurement" process from the Android device, which then seems to show up as a stream of L2CAP packets in WIreshark (also, when the measurement is complete, no new packets seem to appear in Wireshark).

I'm not sure how to decode these L2CAP packets - there's no "conversation" shown as it would be when following IP packets.

Here is a screenshot of the captured packets summary:

Here is a link to the packet capture:

How can I actually see what data is being sent over BLE?

I'm using Version 3.2.5 (v3.2.5-0-ged20ddea8138) on a Mac.


[UPDATE] I have been able to get the ATT protocol traffic of the same packet sequence by enabling the Bluetooth HCI log on my Android device and opening up the resulting log file in Wireshark (link). I'm still not sure why this is not showing in Wireshark when capturing over the Hollong packet sniffer device.

[FINAL UPDATE] See comments for the answer - the traffic was encrypted.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-07-07 14:09:53 +0000

Chuckc gravatar image

The traffic is encrypted. The capture doesn't have headers that Crackle is looking for. I modified the code and was able to decrypt a few of the ATT frames but it didn't decrypt all the fragments.

edit flag offensive delete link more


Ah, that makes sense. I think I initiated a full "handshake" (I removed the device from my Bluetooth devices list on my Android device and then opened the device's app to initiate a new measurement) but I guess not.

In any case I can see the full unencrypted, ATT protocol traffic simply by capturing the data on the Android device itself.

So in summary, it seems I was wrongly assuming the traffic would "automatically" be decrypted on the fly within Wireshark, if captured by a third party device (if the handshake was captured as well). As part of the initial device setup process, a QR code that is on the bottom of the device needed to be scanned (but only once, it's not needed even after I remove the device from the Bluetooth devices list), maybe that's somehow relevant.

I will then keep using the Android Bluetooth ...(more)

sandro_ gravatar imagesandro_ ( 2020-07-07 14:19:21 +0000 )edit

@sandro_ I've converted the comment by @Chuckc to an answer so you can now accept it as such by clicking the checkmark to the left of the answer. We don't normally close questions off here when answered, so I've reopened it.

grahamb gravatar imagegrahamb ( 2020-07-07 15:01:38 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-07-06 18:52:07 +0000

Seen: 3,891 times

Last updated: Jul 07 '20