
Possible BLE Apple iBeacon dissector issue

asked 2024-12-18 17:04:20 +0000

I'm new to using Wireshark with Bluetooth so I was hoping to sanity check that I'm doing things right before reporting or trying to fix an issue.

I'm using an Adafruit BlueFruit LE with the nRF Sniffer firmware to capture traffic. Packets look good - mostly no CRC errors and contents look expected on quick inspection.

I'm interested in iBeacon packets. The packets aren't decoded completely, so I see this:

Frame 229: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface /dev/ttyUSB0-3.6, id 0
nRF Sniffer for Bluetooth LE
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x2400 (PDU Type: ADV_IND, ChSel: #1, TxAdd: Public)
    Advertising Address: e8:fb:1c:66:b9:40 (e8:fb:1c:66:b9:40)
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            000. .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Manufacturer Specific
            Length: 26
            Type: Manufacturer Specific (0xff)
            Company ID: Apple, Inc. (0x004c)
            Data: 0215f5068913e783486191a4a3e37d673287fed9360fce
    CRC: 0xc332f4

I'd like to see the iBeacon fields, so I click "Decode As...". Field is "BT EIR/AD Manufacturer Company ID". Value is 0x004C. Current is "iBeacon".

I get this:

Frame 229: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface /dev/ttyUSB0-3.6, id 0
nRF Sniffer for Bluetooth LE
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x2400 (PDU Type: ADV_IND, ChSel: #1, TxAdd: Public)
    Advertising Address: e8:fb:1c:66:b9:40 (e8:fb:1c:66:b9:40)
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            000. .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Manufacturer Specific
            Length: 26
            Type: Manufacturer Specific (0xff)
            Company ID: Apple, Inc. (0x004c)
            Apple iBeacon
                UUID: 0215f5068913e783486191a4a3e37d67
                Major: 12935
                Minor: 55806
    CRC: 0xc332f4

This is close, but the UUID should start two bytes later. The 0x0215 are type and length fields. Sadly, that makes all of the fields show the wrong values.

This seems like a bug in the dissector, but the "Decode As..." part seemed way more involved than my typical Wireshark experience.


Comments

Can you provide a sample packet capture?

Chuckc (2024-12-18 17:13:12 +0000)

I don't have enough points to upload here, but you can see a few packets at https://github.com/fhunleth/beacon-tr....

fhunleth (2024-12-18 18:00:08 +0000)

1 Answer


answered 2024-12-18 20:03:46 +0000

Chuckc

Please open a Wireshark Gitlab Issue for this. (Wiki: ReportingBugs)

Bluetooth: AD: Add dissector for Apple iBeacon - support was added based on Getting Started with iBeacon - Version 1.0.

The full spec (Proximity Beacon Specification - Release R1) is available from Apple here (Download artwork and specifications):

Table 2-1 Proximity Beacon Advertising Packet

Byte(s)  Name            Value     Notes
0        Flags[0]        0x02      See Bluetooth 4.0 Core Specification, Volume 3, Appendix C, 18.1.
1        Flags[1]        0x01      See Bluetooth 4.0 Core Specification, Volume 3, Appendix C, 18.1.
2        Flags[2]        0x06      See Bluetooth 4.0 Core Specification, Volume 3, Appendix C, 18.1.
3        Length          0x1A      See Bluetooth 4.0 Core Specification
4        Type            0xFF      See Bluetooth 4.0 Core Specification
5        Company ID[0]   0x4C      Must not be used for any purposes not specified by Apple.
6        Company ID[1]   0x00      Must not be used for any purposes not specified by Apple.
7        Beacon Type[0]  0x02      Must be set to 0x02 for all Proximity Beacons
8        Beacon Type[1]  0x15      Must be set to 0x15 for all Proximity Beacons
9-24     Proximity UUID  0xnn..nn  See CLBeaconRegion class in iOS Developer Library. Must not be set to all 0s.
25-26    Major           0xnnnn    See CLBeaconRegion class in iOS Developer Library. 0x0000 = unset.
27-28    Minor           0xnnnn    See CLBeaconRegion class in iOS Developer Library. 0x0000 = unset.
29       Measured Power  0xnn      See Measured Power (page 7)

- which matches packet structure here: BLE advertisement packet structure byte map
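To make the offset question concrete, here is an added Python example (not from the thread or from Wireshark) that walks the AD structures of the advertisement shown in the question and decodes the iBeacon payload per Table 2-1, skipping the two Beacon Type bytes (0x02 0x15) before the Proximity UUID. The advertising bytes are reconstructed from the dissector output above; the helper names are mine.

```python
import struct
import uuid

# Constructed from the frame in the question: Flags AD structure, then the
# Manufacturer Specific AD structure (length 0x1a, type 0xff, Apple 0x004c
# little-endian, then the 23-byte iBeacon payload).
ADV_DATA = bytes.fromhex(
    "020106"
    "1aff4c00"
    "0215f5068913e783486191a4a3e37d673287fed9360fce"
)

APPLE_COMPANY_ID = 0x004C
IBEACON_TYPE = 0x02      # Beacon Type[0] per Table 2-1
IBEACON_LENGTH = 0x15    # Beacon Type[1]: 21 bytes of UUID + major + minor + power


def parse_ad_structures(data):
    """Split a BLE advertising payload into (ad_type, value) pairs."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:           # zero-length structure terminates the payload
            break
        if i + 1 + length > len(data):
            raise ValueError("AD structure runs past end of payload")
        out.append((data[i + 1], data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def parse_ibeacon(mfr_value):
    """Decode an iBeacon from a Manufacturer Specific AD value (company ID + payload).
    Returns None for anything that is not a well-formed Apple iBeacon."""
    if len(mfr_value) != 2 + 2 + 16 + 2 + 2 + 1:
        return None
    company_id = struct.unpack_from("<H", mfr_value, 0)[0]
    if (company_id, mfr_value[2], mfr_value[3]) != (APPLE_COMPANY_ID, IBEACON_TYPE, IBEACON_LENGTH):
        return None
    prox_uuid = uuid.UUID(bytes=mfr_value[4:20])             # UUID starts AFTER type/length
    major, minor, power = struct.unpack_from(">HHb", mfr_value, 20)  # big-endian, signed dBm
    return {"uuid": str(prox_uuid), "major": major, "minor": minor, "measured_power": power}


def misaligned_uuid(mfr_value):
    """What you get if the type/length bytes are NOT skipped: the value the question reports."""
    return mfr_value[2:18].hex()


def ibeacon_from_adv(adv):
    """Find the Manufacturer Specific structure (type 0xff) and decode it, or None."""
    for ad_type, value in parse_ad_structures(adv):
        if ad_type == 0xFF:
            return parse_ibeacon(value)
    return None
```

Running `ibeacon_from_adv(ADV_DATA)` yields the UUID f5068913-e783-4861-91a4-a3e37d673287, major 65241, minor 13839 and a measured power of -50 dBm, while `misaligned_uuid` reproduces the shifted value in the question.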
