Ask Your Question

How to dissect BLE in UDP payload?

asked 2023-02-10 12:59:59 +0000

voytex gravatar image

updated 2023-02-10 16:28:20 +0000

Dear community,

TLDR: I have raw BLE data as a payload of UDP datagrams and would like Wireshark to dissect them properly, without developing new dissector EDIT: Tried to fix the pictures not showing up.

Theme of my master's project is wireless sniffer for BLE and IEEE 802.15.4. I am basically trying to replicate Texas Instruments' Packet Sniffer 2. Using even the same hardware (CC2652RB). Captured BLE (Bluetooth Low Energy) frames are being sent as a payload of UDP messages to a PC running Wireshark, which should be able to dissect them.

TI Solution behaves like this:

TI Packet Sniffer Wireshark picture

If the picture does not show, hit this link

As you can see, in UDP payload, there are another auxiliary protocol headers (TI Radio Packet Info and TI BLE Packet Info) before the actual BLE Link Layer. Dissectors for these headers were installed during the installation of TI Packet Sniffer itself. However I do believe, that dissector for BLE LL is a part of default Wireshark installation.

My solution looks like this:

My solution where there is only UDP packets dissected

if the picture does not show, hit this link

Now here is my problem: Wireshark seems to "ignore" the BLE LL frames in UDP payload. And I would like to ask how to "make Wireshark" recognize them? Or how can I help Wireshark recognizing them? My advisor says, I should look into Wireshark Remote Capture field, however I am not sure if it is the right way, as I wasn't been able to find anything useful regarding this issue so far.

Thank You for any feedback!

edit retag flag offensive close merge delete


Can you put the screenshots on a public fileshare (dropbox, onedrive, google) and update the question with links to them.

Chuckc gravatar imageChuckc ( 2023-02-10 14:14:51 +0000 )edit

I tried my normal trick of replacing the image references with <img src="..." /> but for reasons unknown to me that doesn't work with these images even though they show up in a browser

grahamb gravatar imagegrahamb ( 2023-02-10 15:46:36 +0000 )edit

@grahamb & @Chuckc thanks for Your hints, I tried to edit the original post.

voytex gravatar imagevoytex ( 2023-02-10 16:29:51 +0000 )edit

without developing new dissector

Are you open to Lua code that would call the existing dissector?
Can you share a capture file?

Chuckc gravatar imageChuckc ( 2023-02-10 20:14:46 +0000 )edit

Yes, I think it might be within the rules of the project. Sample capture file is here (expires on Feb 16)

voytex gravatar imagevoytex ( 2023-02-14 12:03:42 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2023-02-11 02:56:13 +0000

Guy Harris gravatar image

Wireshark seems to "ignore" the BLE LL frames in UDP payload

Wireshark has no way of knowing that they're BLE frames. It's not "ignoring" them, it's displaying them as raw data, because it doesn't know that they're BLE frames.

This cannot be changed without either changing the Wireshark source code or writing a Wireshark plugin.

My advisor says, I should look into Wireshark Remote Capture field

There are two ways to do remote capture with Wireshark.

The first is to use a Wireshark with a version of libpcap/WinPcap/Npcap that includes support for the rpcap remote capture protocol, and to write a server for the remote capture protocol that captures on the TI hardware, using that instead of the software that's sending the packets out as UDP. There's no good documentation on how to do this (the protocol was never documented, and I haven't finished my project of documenting it).

The second is to write an "extcap" program and add it to your Wireshark installation, with that program receiving the UDP packets and writing out a pcap or pcapng file with the pcap file header or the pcapng Interface Description Block having a link-layer header type value of 251 (LINKTYPE_BLUETOOTH_LE_LL, as per the link-layer header types list).

The extcap program would probably be the easiest way to do this.

edit flag offensive delete link more


Thank You very much, I will surely look into extcap, probably will edit

voytex gravatar imagevoytex ( 2023-02-14 12:06:21 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2023-02-10 12:59:59 +0000

Seen: 266 times

Last updated: Feb 11 '23