
Can I use tshark with Nordic BLE Sniffer plugin to capture from command line?

I have a functional Wireshark 2.4.4 Windows 10 installation that can capture BLE communications of a selected device.

Is it possible to use the same plugin (with some command line arguments to select the BLE device) and capture from the command line (tshark)?

A basic command would look like this,

tshark -i <interface> -f "(not btle.length == 0)"

Now, I expected that to work for advertisement packets -- but it returns soon with zero packets captured.

If that can be made to work, I am trying to figure out how I can specify a BLE device to capture its communications once paired.

nik
asked 2018-02-27 07:59:29 +0000, updated 2018-02-27 08:04:54 +0000

1 Answer

tshark -i <interface> -f "(not btle.length == 0)"

Now, I expected that to work for advertisement packets -- but it returns soon with zero packets captured.

not btle.length == 0 is not a valid capture filter, and the -f argument to TShark specifies a capture filter, not a Wireshark filter (display/color/etc. filter). Try doing

 tshark -i <interface> -Y "(not btle.length == 0)"

instead.

By the way, you do not need a plugin to dissect the packets and, in fact, at least on Windows, Wireshark explicitly ignores the Nordic BTLE plugin, to avoid collisions with the built-in dissection code.

Guy Harris
answered 2018-02-27 18:21:18 +0000

Comments

Good point on -f, I was distracted there. The dissect-without-plugin part was not known to me. I'll recheck and get back. Thanks. (Can't even upvote yet on Wireshark stack -- just out of the egg here).

nik (2018-02-28 05:23:31 +0000)

You can "accept" the answer though, by clicking on the checkmark icon next to it.

grahamb (2018-02-28 10:25:44 +0000)