
Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Shows
Moderators: adafruit_support_bill, adafruit

Please be positive and constructive with your questions and comments.

by sniffer on Thu Jun 23, 2022 9:12 pm

Hello,

I purchased the Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 (2269). It is a black "Friend" board.

I have followed the instructions to set it up. I am using Wireshark 3.6.6 on Windows 10, Python 3.10.5 and version NRF 4.1.0 plugin. I also tried the previous version of NRF plugin.

My problem is I only see advertisements / broadcast traffic when I start a capture. It will not follow the connection. There are no connection requests or PDUs shown. I have multiple connections created to the LE devices and I know there is data being transmitted but I cannot see it. I read the item in the FAQ and I have tried multiple times but it does not seem to work.

I'd appreciate any assistance.

sniffer
 
Posts: 2
Joined: Thu Jun 23, 2022 8:52 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by markingle on Thu Jun 23, 2022 9:42 pm

You have to apply a filter in Wireshark to track the packets between devices.

markingle
 
Posts: 9
Joined: Sun Jan 14, 2018 9:36 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by sniffer on Thu Jun 23, 2022 10:00 pm

Could you explain how to do that please? I don't see any mention of it in the documentation (https://learn.adafruit.com/introducing- ... -wireshark). I tried filtering for the CONNECT_REQ but I don't see any.

sniffer
 
Posts: 2
Joined: Thu Jun 23, 2022 8:52 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by 9th on Fri Jul 01, 2022 4:15 pm

I have the same problem...

Applying a filter such as
Code:
(btle.target_address==d4:36:39:b7:30:f5) || (btle.advertising_address == d4:36:39:b7:30:f5)
doesn't make a difference, I only see advertisements captured.

I've set up the column display so that I can better see what's going on, and it seems that my LE Sniffer is only capturing on channels 37, 38, and 39.
Code:
gui.column.format:
   "Protocol", "%p",
   "Channel", "%Cus:nordic_ble.channel:0:R",
   "No.", "%m",
   "RSSI", "%Cus:nordic_ble.rssi:0:R",
   "Time", "%Yut",
   "Source", "%s",
   "Destination", "%d",
   "Length", "%L",
   "Info", "%i"


The Wireless > Bluetooth Devices menu shows a summary of BLE devices, but doesn't populate any values.

I notice that in the tutorial images, the addresses are resolved as Master and Slave, which I don't know how to enable: https://learn.adafruit.com/assets/21310

9th
 
Posts: 6
Joined: Fri Jul 01, 2022 4:04 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by 9th on Fri Jul 01, 2022 8:21 pm

After poking around in the extcap\nrf_sniffer_ble.py file and browsing the extcap documentation, I've discovered that there is a toolbar
https://www.wireshark.org/docs/wsdg_html_chunked/ChCaptureExtcap.html#_toolbar_controls

9th
 
Posts: 6
Joined: Fri Jul 01, 2022 4:04 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by 9th on Fri Jul 01, 2022 8:41 pm

After a bit more fiddling with Sniffer\Packet.py and the Log, it seems like my BLE Sniffer device is sending out packets that weren't deemed important enough to decipher.

Last edited by 9th on Fri Jul 01, 2022 9:17 pm, edited 3 times in total.

9th
 
Posts: 6
Joined: Fri Jul 01, 2022 4:04 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by 9th on Fri Jul 01, 2022 9:15 pm

A lot of head scratching later and I might have to just give up.

Setting the Device in the toolbar sends a packet via UART and instructs the sniffer to follow a certain address, and the sniffer sends back PACKET 0x01 EVENT_FOLLOW, which according to sniffer_uart_protocol.txt means "Sniffer tells the Host that it has entered the FOLLOW state."
This also turns off the blue LED on the sniffer, and turns on the red LED instead.

PACKET 0x05 seems to be "Sniffer tells the Host that someone has connected to the unit we are following."

Things work fine on the sniffer until this connect event, and it reads the packet just fine!
However, the sniffer still doesn't hop channels, and just sits idle while the devices communicate.

Follow flags is 0, which means No to all below:
Code:
     Follow Options:
        0000000x = Follow advertisements only.
        000000x0 = Follow legacy advertisements only.
        00000x00 = Follow on LE Coded PHY.


I'm just not sure why the sniffer refuses to follow the BLE communications as shown below to channel 10.
Is it because the devices I'm using have no passkey pairing sequence?

For context, they're a Salter-BKT temperature gauge, which has no standard BLE authentication but disconnects if a keepalive packet isn't sent every 5 seconds, and an Oral-B toothbrush, which has no standard BLE authentication, instead just a magical array of hidden protocols which I'd very much like to figure out.

Image

9th
 
Posts: 6
Joined: Fri Jul 01, 2022 4:04 pm

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by 9th on Sat Jul 09, 2022 2:53 pm

Somehow it just magically works now after I read the official guide and started using the provided profile:
https://infocenter.nordicsemi.com/pdf/nRF_Sniffer_UG_v2.2.pdf
https://infocenter.nordicsemi.com/index.jsp?topic=%2Fug_sniffer_ble%2FUG%2Fsniffer_ble%2Finstalling_sniffer.html

Every time I start Wireshark, I make sure to set the Key in the toolbar to Legacy Passkey, type 000000, press enter, erase it, and press enter again.
I set my display filter to the below, to avoid being overwhelmed by advertisement packets and Empty PDU packets:
Code:
!(btle.advertising_header.pdu_type in {0x0, 0x2, 0x6}) && !(btle.data_header.length == 0)
Then I open the device dropdown, and scroll to the bottom, waiting for new entries.

I activate the Bluetooth of the device, and usually it appears at the bottom.
I confirm whether it's the device by covering it up and watching whether the RSSI goes down consistently.
When I'm sure it's the correct device, I select it and the Bluefruit sniffer's red light activates.
A good way to double check is to activate and deactivate the device's pairing repeatedly and to watch the sniffer red LED switch between on and off, or switch between constant and flickering.

Then I start the pairing or connection process, with the device sitting right under the sniffer.
Immediately, instead of the Source column displaying MAC addresses, it will display Master_0x12345678 and Slave_0x12345678 for each packet.
I don't have any luck sniffing things between my PC and a device, because the checksums come out wrong and cause MIC errors, but sniffing between other devices works fine.
If the device uses a passkey, I wait for the prompt, enter it into the Value, hit enter, and only then I enter it into the connecting device.
The subsequent packets are logged perfectly in Wireshark, and the sniffer lights up blue, red and orange.

I hope anyone reading this finds this information useful.

9th
 
Posts: 6
Joined: Fri Jul 01, 2022 4:04 pm
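
Added example, not part of the original posts or of the Nordic/Adafruit tooling: a small Python model of what the display filter above keeps and hides, working on raw BLE link-layer PDU headers, plus a check for the "advertisements only" symptom described earlier in the thread. The record layout (access address, PDU bytes), the function names and the sample packets are assumptions constructed for illustration.

```python
# Added example: models the thread's display filter on raw link-layer PDUs.
ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed access address used on advertising channels
ADV_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_REQ",
             0x6: "ADV_SCAN_IND"}
HIDDEN_ADV = {0x0, 0x2, 0x6}     # the pdu_type set excluded by the display filter
LLID = {0: "reserved", 1: "L2CAP continuation/empty",
        2: "L2CAP start", 3: "LL control"}


def classify(access_address, pdu):
    """Return (kind, name, keep) for one PDU given as header + payload bytes."""
    if access_address == ADV_ACCESS_ADDRESS:
        pdu_type = pdu[0] & 0x0F          # low nibble of the first header byte
        name = ADV_TYPES.get(pdu_type, "reserved")
        return "adv", name, pdu_type not in HIDDEN_ADV
    # Data channel PDU: LLID is the low two bits, second byte is the length.
    return "data", LLID[pdu[0] & 0x03], pdu[1] != 0


def summarize(packets):
    """Apply the filter to (access_address, pdu) records and report the result."""
    shown, hidden, followed = [], 0, False
    for access_address, pdu in packets:
        kind, name, keep = classify(access_address, pdu)
        followed = followed or kind == "data"   # any data PDU means a followed link
        if keep:
            shown.append(name)
        else:
            hidden += 1
    return {"shown": shown, "hidden": hidden, "connection_followed": followed}


DATA_AA = 0x12345678  # constructed connection access address
SAMPLE = [            # constructed packets: header bytes + zero-filled payload
    (ADV_ACCESS_ADDRESS, bytes([0x40, 0x09]) + bytes(9)),    # ADV_IND
    (ADV_ACCESS_ADDRESS, bytes([0x42, 0x09]) + bytes(9)),    # ADV_NONCONN_IND
    (ADV_ACCESS_ADDRESS, bytes([0x44, 0x06]) + bytes(6)),    # SCAN_RSP
    (ADV_ACCESS_ADDRESS, bytes([0x45, 0x22]) + bytes(34)),   # CONNECT_REQ
    (DATA_AA, bytes([0x01, 0x00])),                          # empty data PDU
    (DATA_AA, bytes([0x0E, 0x07]) + bytes(7)),               # L2CAP start
    (DATA_AA, bytes([0x03, 0x02]) + bytes(2)),               # LL control
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A capture in which `connection_followed` stays false contains only advertising-channel traffic, which is the situation the first posts describe.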

Re: Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Sh

by 9th on Sun Jul 10, 2022 6:51 am

Another helpful tip:

Position the sniffer directly between the connecting devices, and repeatedly cancel and retry the pairing procedure on the master device until the Source suddenly changes to Master and Slave - it can take a few tries for the sniffer to pick up the pairing packets, and you only need to enter the Legacy Passkey when you're about to complete the pairing process.

9th
 
Posts: 6
Joined: Fri Jul 01, 2022 4:04 pm
