Btsnoop as pipe input?

asked 2022-04-05 18:57:36 +0000

slawekj gravatar image

Hi! I am trying to inspect a live btsnoop log (incrementing file), but it appears there is no such option.

I first tried 

wireshark -k -i <input_pipe>

but I got error:

Data written to the pipe is neither in a supported pcap format nor in pcapng format. Please report this to the developers of the program writing to the pipe.

As far as I understand Wireshark does not support btsnoop file format as input pipe, only pcap.

I was hoping editcap could help - as it is able to convert btsnoop to pcap format. However I was not able to pipe the live feed through it - no such option? It worked for me only for static files (e.g. editcap in.log out.pcap).

Am I missing something obvious, or is it impossible to have live feed of btsnoop in Wireshark (except for android hci tcp/8878 via adb, but it is supported only on a small number of devices). Any python sample code that I could use for such conversion myself? (my original script live-feeding btsnoop is in python).

edit retag flag offensive close merge delete

Comments

Have you looked into using androiddump (if that's even applicable) or the extcap interface in general?

Jaap gravatar imageJaap ( 2022-04-07 09:43:01 +0000 )edit

Yes, I have looked into androiddump. It works just like the built-in extcap via adb - tries to connect to the live Bluetooth snoop TCP/8872 socket on the phone - which is now only available on a very few legacy Android models. I have written a script to incrementally grab btsnoop file from the phone instead (available on all models), and I would like to feed the packets to Wireshark as simply as possible - pipe seemed the most elegant solution. I know I can turn my script into extcap, just wanted to ask for maybe simpler options. I may end up doing this, despite being more complex. I guess for the extcap I will need to convert the btsnoop into pcap anyway (haven't looked into details yet)? Do you know any sample python code for this?

slawekj gravatar imageslawekj ( 2022-04-07 09:59:29 +0000 )edit

Anything going to be piped has to be pcap/pcapng, otherwise use extcap. This can report the DLT for the interface it provides, so you may not even need to convert to pcap if an appropriate DLT exists. There's an extcap example this doc folder

Jaap gravatar imageJaap ( 2022-04-07 11:28:04 +0000 )edit

Thanks! I will have a look at this extcap + DLT approach, hope it works for me. I assume this will require manual adding of encapsulation (from whatever DLT my extcap reports to btsnoop) in User DLT table.

slawekj gravatar imageslawekj ( 2022-04-07 13:08:59 +0000 )edit

Maybe, maybe not. Have a look here what options there are.

Jaap gravatar imageJaap ( 2022-04-07 18:35:28 +0000 )edit
add a comment