
How to dissect BLE in UDP payload?

Dear community,

TLDR: I have raw BLE data as the payload of UDP datagrams and would like Wireshark to dissect them properly, without developing a new dissector. EDIT: Tried to fix the pictures not showing up.

The theme of my master's project is a wireless sniffer for BLE and IEEE 802.15.4. I am basically trying to replicate Texas Instruments' Packet Sniffer 2, using even the same hardware (CC2652RB). Captured BLE (Bluetooth Low Energy) frames are being sent as the payload of UDP messages to a PC running Wireshark, which should be able to dissect them.

The TI solution behaves like this:

[Picture: TI Packet Sniffer Wireshark screenshot]

As you can see, in the UDP payload there are other auxiliary protocol headers (TI Radio Packet Info and TI BLE Packet Info) before the actual BLE Link Layer. Dissectors for these headers were installed during the installation of TI Packet Sniffer itself. However, I do believe that the dissector for BLE LL is part of the default Wireshark installation.

My solution looks like this:

[Picture: my solution, where only the UDP packets are dissected]

Now here is my problem: Wireshark seems to "ignore" the BLE LL frames in the UDP payload. I would like to ask how to "make Wireshark" recognize them, or how I can help Wireshark recognize them. My advisor says I should look into the Wireshark Remote Capture field; however, I am not sure if it is the right way, as I haven't been able to find anything useful regarding this issue so far.

Thank you for any feedback!

voytex
asked 2023-02-10 12:59:59 +0000, updated 2023-02-10 16:28:20 +0000

Comments

Can you put the screenshots on a public fileshare (Dropbox, OneDrive, Google) and update the question with links to them?

Chuckc (2023-02-10 14:14:51 +0000)

I tried my normal trick of replacing the image references with <img src="..." />, but for reasons unknown to me that doesn't work with these images, even though they show up in a browser.

grahamb (2023-02-10 15:46:36 +0000)

@grahamb & @Chuckc, thanks for your hints, I tried to edit the original post.

voytex (2023-02-10 16:29:51 +0000)

"without developing new dissector"

Are you open to Lua code that would call the existing dissector?
Can you share a capture file?

Chuckc (2023-02-10 20:14:46 +0000)

Yes, I think it might be within the rules of the project. The sample capture file is here (expires on Feb 16).

voytex (2023-02-14 12:03:42 +0000)

1 Answer


"Wireshark seems to "ignore" the BLE LL frames in UDP payload"

Wireshark has no way of knowing that they're BLE frames. It's not "ignoring" them, it's displaying them as raw data, because it doesn't know that they're BLE frames.

This cannot be changed without either changing the Wireshark source code or writing a Wireshark plugin.

"My advisor says, I should look into Wireshark Remote Capture field"

There are two ways to do remote capture with Wireshark.

The first is to use a Wireshark with a version of libpcap/WinPcap/Npcap that includes support for the rpcap remote capture protocol, and to write a server for the remote capture protocol that captures on the TI hardware, using that instead of the software that's sending the packets out as UDP. There's no good documentation on how to do this (the protocol was never documented, and I haven't finished my project of documenting it).

The second is to write an "extcap" program and add it to your Wireshark installation, with that program receiving the UDP packets and writing out a pcap or pcapng file with the pcap file header or the pcapng Interface Description Block having a link-layer header type value of 251 (LINKTYPE_BLUETOOTH_LE_LL, as per the link-layer header types list).

The extcap program would probably be the easiest way to do this.

Guy Harris
answered 2023-02-11 02:56:13 +0000
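The extcap route described in the answer, as an added Python example that is not code from this thread, from Wireshark, or from its extcap_example.py: receive UDP datagrams whose payload is the raw BLE LL frame and stream them out as a pcap whose link-layer header type is 251 (LINKTYPE_BLUETOOTH_LE_LL), which is exactly what an extcap program writes to the FIFO Wireshark hands it. The UDP port, the sample frame and the omission of extcap's own argument handling are assumptions made here.

```python
import socket
import struct
import time

# Link-layer header type named in the answer above (LINKTYPE_BLUETOOTH_LE_LL).
LINKTYPE_BLUETOOTH_LE_LL = 251
PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap, written little-endian
SNAPLEN = 65535


def pcap_global_header(linktype: int = LINKTYPE_BLUETOOTH_LE_LL) -> bytes:
    """24-byte pcap file header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype."""
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, linktype)


def pcap_record(payload: bytes, ts: float) -> bytes:
    """16-byte per-packet header followed by the BLE LL bytes taken verbatim from the UDP payload."""
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    data = payload[:SNAPLEN]
    return struct.pack("<IIII", sec, usec, len(data), len(payload)) + data


def datagrams_to_pcap(datagrams) -> bytes:
    """Wrap an iterable of (timestamp, udp_payload) pairs into one complete pcap stream."""
    out = bytearray(pcap_global_header())
    for ts, payload in datagrams:
        out += pcap_record(payload, ts)
    return bytes(out)


def capture_udp(port: int, out, max_packets: int = 0) -> int:
    """Receive UDP datagrams on `port` and stream them to `out` (a file, or the FIFO an
    extcap receives via --fifo) as pcap records. Returns the number of packets written."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))   # assumed: sniffer sends to this host's port
    out.write(pcap_global_header())
    out.flush()
    written = 0
    while max_packets == 0 or written < max_packets:
        payload, _addr = sock.recvfrom(SNAPLEN)
        out.write(pcap_record(payload, time.time()))
        out.flush()                 # Wireshark reads the FIFO live, so do not buffer
        written += 1
    return written


# Constructed sample frame, as it would arrive in one UDP payload: advertising access
# address 0x8E89BED6 little-endian, a 2-byte PDU header, 6 bytes of AdvA, 3-byte CRC.
SAMPLE_BLE_LL = bytes.fromhex("d6be898e" "4006" "0102030405c6" "aabbcc")
```

Once every record reaches Wireshark with link type 251, its built-in BLE LL dissector takes over; no new dissector is needed, which is the point of the answer.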

Comments

Thank you very much, I will surely look into extcap, probably will edit extcap_example.py.

voytex (2023-02-14 12:06:21 +0000)