Possible BLE Apple iBeacon dissector issue

I'm new to using Wireshark with Bluetooth so I was hoping to sanity check that I'm doing things right before reporting or trying to fix an issue.

I'm using an Adafruit BlueFruit LE with the nRF Sniffer firmware to capture traffic. Packets look good - mostly no CRC errors and contents look expected on quick inspection.

I'm interested in iBeacon packets. The packets aren't decoded completely, so I see this:

Frame 229: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface /dev/ttyUSB0-3.6, id 0
nRF Sniffer for Bluetooth LE
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x2400 (PDU Type: ADV_IND, ChSel: #1, TxAdd: Public)
    Advertising Address: e8:fb:1c:66:b9:40 (e8:fb:1c:66:b9:40)
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            000. .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Manufacturer Specific
            Length: 26
            Type: Manufacturer Specific (0xff)
            Company ID: Apple, Inc. (0x004c)
            Data: 0215f5068913e783486191a4a3e37d673287fed9360fce
    CRC: 0xc332f4

I'd like to see the iBeacon fields, so I click "Decode As...". Field is "BT EIR/AD Manufacturer Company ID". Value is 0x004C. Current is "iBeacon".

I get this:

Frame 229: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface /dev/ttyUSB0-3.6, id 0
nRF Sniffer for Bluetooth LE
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x2400 (PDU Type: ADV_IND, ChSel: #1, TxAdd: Public)
    Advertising Address: e8:fb:1c:66:b9:40 (e8:fb:1c:66:b9:40)
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            000. .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Manufacturer Specific
            Length: 26
            Type: Manufacturer Specific (0xff)
            Company ID: Apple, Inc. (0x004c)
            Apple iBeacon
                UUID: 0215f5068913e783486191a4a3e37d67
                Major: 12935
                Minor: 55806
    CRC: 0xc332f4

This is close, but the UUID should start two bytes later. The 0x0215 are type and length fields. Sadly, that makes all of the fields show the wrong values.

This seems like a bug in the dissector, but the "Decode As..." part seemed way more involved than my typical Wireshark experience.
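
Added example, not part of the original post and not Wireshark's dissector code: a stand-alone Python parser for the Manufacturer Specific data bytes of frame 229. It assumes the commonly documented iBeacon layout (one-byte type 0x02, one-byte length 0x15, 16-byte UUID, big-endian major and minor, signed one-byte measured power). The names `parse_ibeacon` and `IBeacon` are made up for this example.

```python
import struct
import uuid
from typing import NamedTuple

APPLE_COMPANY_ID = 0x004C
IBEACON_TYPE = 0x02
IBEACON_LEN = 0x15  # 21 bytes follow: UUID(16) + major(2) + minor(2) + power(1)


class IBeacon(NamedTuple):  # hypothetical container for the decoded fields
    proximity_uuid: uuid.UUID
    major: int
    minor: int
    measured_power_dbm: int


def parse_ibeacon(company_id: int, data: bytes) -> IBeacon:
    """Parse the bytes that follow the Company ID in a Manufacturer Specific AD structure."""
    if company_id != APPLE_COMPANY_ID:
        raise ValueError(f"company ID 0x{company_id:04x} is not Apple")
    if len(data) < 2:
        raise ValueError("too short to hold the type/length prefix")
    sub_type, sub_len = data[0], data[1]
    # Check the 0x02 0x15 prefix first; skipping this step is what shifts
    # every later field by two bytes.
    if sub_type != IBEACON_TYPE or sub_len != IBEACON_LEN:
        raise ValueError(f"not an iBeacon prefix: {data[:2].hex()}")
    body = data[2:]
    if len(body) != sub_len:
        raise ValueError(f"expected {sub_len} payload bytes, got {len(body)}")
    # Big-endian: 16-byte UUID, u16 major, u16 minor, signed 8-bit power.
    raw_uuid, major, minor, power = struct.unpack(">16sHHb", body)
    return IBeacon(uuid.UUID(bytes=raw_uuid), major, minor, power)


# "Data" field copied from frame 229 in the post above.
FRAME_229_DATA = bytes.fromhex("0215f5068913e783486191a4a3e37d673287fed9360fce")

if __name__ == "__main__":
    print(parse_ibeacon(APPLE_COMPANY_ID, FRAME_229_DATA))
```
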