
Using BLE nRF Sniffer Plugin in Tshark

asked 2023-11-22 22:20:54 +0000

Anviori

Hello,

Is it possible to use the filtering options provided by the nRF52840 BLE sniffing firmware for Wireshark, in Tshark? Specifically, the device address filtering.

Thank you


Comments

Are you asking if you can use the nRF Sniffer for Bluetooth LE fields in a display filter?

The device addresses seem to be part of Bluetooth Low Energy Link Layer.

(Sample capture attached to 12637: Add dissector for Nordic BLE traces)

Chuckc ( 2023-11-23 03:26:26 +0000 )

1 Answer


answered 2023-11-23 13:15:55 +0000

Stig

It's not possible to use the nRF BLE Sniffer with tshark, but you can use the command line variant to start the capture with a specific device address. Have a look at the nrfutil ble-sniffer, which is an improved rewrite of the sniffer.


Comments

The BLE sniffer can be used with Tshark. See: https://ibb.co/9VkJS1F. I can capture advertising using the display filters: btle.advertising_address or btcommon.eir_ad.entry.device_name but whatever happens after a connection is established won't get captured even when I specify the "or btle.slave_bd_addr" filter (same as the adv address).

I'm trying to set this all up in an RPi btw. The nrfutil tool doesn't seem to have a version compiled for the aarch64 architecture. I tried using the tool on a Mac as well, but don't see how to use it as a sniffer.

Anviori ( 2023-11-24 00:50:39 +0000 )

Seems like no matter what I do, I can only capture the packets after connection establishment using the Nordic BLE sniffer plugin in Wireshark. Tshark is able to detect the plugin: https://ibb.co/K9PJpNF, so weird that it can't use it.

Anviori ( 2023-11-24 00:56:02 +0000 )

Actually, figured out how to use the utility on Mac to sniff the desired BLE packets. I also managed to compile an older version of the utility for the RPi, but it doesn't support BLE sniffing. Nordic stopped making the newer version that supports it open source :/

Anviori ( 2023-11-24 05:01:42 +0000 )


Stats

Asked: 2023-11-22 22:20:54 +0000

Seen: 422 times

Last updated: Nov 23 '23