Ask Your Question

BTmesh dissector not decrypting

asked 2019-05-23 13:54:44 +0000

jdfire gravatar image


What follows concerns the latest (at the moment of writing) committed dev version of Wireshark (May 23rd 2019 - wireshark-3.1.0rc0-856-gd36b72e6b881).

I downloaded the source code and compiled it under Ubuntu 18.04 LTS.

I have some captures of Bluetooth Mesh packets as pcap files. The protocol is recognized by Wireshark. I've added the relevant NetKey, AppKey and IVindex to the keys table under btmesh protocol preferences. I'm confident that those entries are the right ones, since I can decrypt the packets with a Python script. But when it comes to Wireshark, nothing changes after entering the keys. The mesh data remains obfuscated and encrypted, and therefore cannot be dissected.

Has anyone already been able to use this generic dissector? Decryption and dissection? I know it is still under development but I just want to know if there are any results so far.

Thanks a lot.

What I get:

Bluetooth Low Energy Link Layer
Bluetooth Mesh
Network PDU
    0... .... = IVI: 0
    .001 1011 = NID: 27
    Obfuscated: 777a1cd0111f
    Encrypted data and NetMIC: 5dbe26a7fca2f630704c1e4f3b08a99d3bc22c93f29f
edit retag flag offensive close merge delete


Have you ensured support for Gcrypt is compiled in? What does the Help -> About Wireshark > Wireshark dialog show (tshark -v shows the same info)?

grahamb gravatar imagegrahamb ( 2019-05-23 14:11:58 +0000 )edit

Thanks for your fast reply. As requested:

Compiled (64-bit) with Qt 5.9.5, with libpcap, without POSIX capabilities, without libnl, with GLib 2.56.4, with zlib 1.2.11, without SMI, without c-ares, without Lua, without GnuTLS, with Gcrypt 1.8.1, without Kerberos, without MaxMind DB resolver, without nghttp2, without brotli, without LZ4, without Snappy, without libxml2, with QtMultimedia, with SpeexDSP (using bundled resampler), without SBC, without SpanDSP, without bcg729. 

Running on Linux 4.18.0-20-generic, with Intel(R) Core(TM) i7-4610M CPU @ 3.00GHz (with SSE4.2), with 3944 MB of physical memory, with locale LC_CTYPE=en_US.UTF-8, LC_NUMERIC=fr_FR.UTF-8, LC_TIME=fr_FR.UTF-8, LC_COLLATE=en_US.UTF-8, LC_MONETARY=fr_FR.UTF-8, LC_MESSAGES=en_US.UTF-8, LC_PAPER=fr_FR.UTF-8, LC_NAME=fr_FR.UTF-8, LC_ADDRESS=fr_FR.UTF-8, LC_TELEPHONE=fr_FR.UTF-8, LC_MEASUREMENT=fr_FR.UTF-8, LC_IDENTIFICATION=fr_FR.UTF-8, with light display mode, without HiDPI, with libpcap version 1.8.1, with Gcrypt 1 ...
jdfire gravatar imagejdfire ( 2019-05-23 15:05:28 +0000 )edit

As the "running" output shows it managed to load Gcrypt, I suspect you're OK from that issue. You are missing GnuTLS, but I don't think that's involved for BT Mesh.

There are some sample captures for BT Mesh at, you could try those and see if they decrypt.

grahamb gravatar imagegrahamb ( 2019-05-23 15:22:10 +0000 )edit

Tested with all the sample captures with the relevant keys, I get the same behaviour. The data remains encrypted.

jdfire gravatar imagejdfire ( 2019-05-23 15:45:50 +0000 )edit

I can't make them work either. I think you'll have to raise a bug at the Wireshark Bugzilla.

grahamb gravatar imagegrahamb ( 2019-05-23 16:22:45 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2019-06-04 08:13:16 +0000

jdfire gravatar image

For anyone who might get the same issue in the future, make sure that all the keys and the IVindex (4 Bytes) are entered as hex streams (0x...). Thanks to Jonas Jonsson for the hint.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-05-23 13:54:44 +0000

Seen: 42 times

Last updated: Jun 04