Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 Only Shows

Post by sniffer »

Hello,

I purchased the Adafruit Bluefruit LE Sniffer (BLE 4.0) nRF51822 (2269). It is a black "Friend" board.

I have followed the instructions to set it up. I am using Wireshark 3.6.6 on Windows 10, Python 3.10.5 and version NRF 4.1.0 plugin. I also tried the previous version of NRF plugin.

My problem is I only see advertisements / broadcast traffic when I start a capture. It will not follow the connection. There are no connection requests or PDUs shown. I have multiple connections created to the LE devices and I know there is data being transmitted but I cannot see it. I read the item in the FAQ and I have tried multiple times but it does not seem to work.

I'd appreciate any assistance.

Post by markingle »

You have to apply a filter in Wireshark to track the packets between devices.


Post by sniffer »

Could you explain how to do that please? I don't see any mention of it in the documentation (https://learn.adafruit.com/introducing- ... -wireshark). I tried filtering for the CONNECT_REQ but I don't see any.


Post by 9th »

I have the same problem...

Applying a filter such as

    (btle.target_address==d4:36:39:b7:30:f5) || (btle.advertising_address == d4:36:39:b7:30:f5)

doesn't make a difference, I only see advertisements captured.

I've set up the column display so that I can better see what's going on, and it seems that my LE Sniffer is only capturing on channels 37, 38, and 39.

    gui.column.format: 
    	"Protocol", "%p",
    	"Channel", "%Cus:nordic_ble.channel:0:R",
    	"No.", "%m",
    	"RSSI", "%Cus:nordic_ble.rssi:0:R",
    	"Time", "%Yut",
    	"Source", "%s",
    	"Destination", "%d",
    	"Length", "%L",
    	"Info", "%i"

The Wireless > Bluetooth Devices menu shows a summary of BLE devices, but doesn't populate any values.

I notice that in the tutorial images, the addresses are resolved as Master and Slave, which I don't know how to enable: https://learn.adafruit.com/assets/21310

Post by 9th »

After poking around in the extcap\nrf_sniffer_ble.py file and browsing the extcap documentation, I've discovered that there is a toolbar:
https://www.wireshark.org/docs/wsdg_htm ... r_controls

Post by 9th »

After a bit more fiddling with Sniffer\Packet.py and the Log, it seems like my BLE Sniffer device is sending out packets that weren't deemed important enough to decipher.


Post by 9th »

A lot of head scratching later and I might have to just give up.

Setting the Device in the toolbar sends a packet via UART and instructs the sniffer to follow a certain address, and the sniffer sends back PACKET 0x01 EVENT_FOLLOW, which according to sniffer_uart_protocol.txt means "Sniffer tells the Host that it has entered the FOLLOW state."
This also turns off the blue LED on the sniffer, and turns on the red LED instead.

PACKET 0x05 seems to be "Sniffer tells the Host that someone has connected to the unit we are following."

Things work fine on the sniffer until this connect event, and it reads the packet just fine!
However, the sniffer still doesn't hop channels, and just sits idle while the devices communicate.

Follow flags is 0, which means No to all below:

     Follow Options:
        0000000x = Follow advertisements only.
        000000x0 = Follow legacy advertisements only.
        00000x00 = Follow on LE Coded PHY.

I'm just not sure why the sniffer refuses to follow the BLE communications as shown below to channel 10.
Is it because the devices I'm using have no passkey pairing sequence?

For context, they're a Salter-BKT temperature gauge, which has no standard BLE authentication but disconnects if a keepalive packet isn't sent every 5 seconds, and an Oral-B toothbrush, which has no standard BLE authentication, instead just a magical array of hidden protocols which I'd very much like to figure out.

Image
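
Added example, not part of the original posts and not code from the Nordic sniffer plugin: a sniffer can only leave channels 37-39 and hop with a connection if it catches the CONNECT_IND (CONNECT_REQ) packet, because that packet carries the access address, CRC init, channel map and hop increment. The sketch below decodes those fields and computes the data channels with Channel Selection Algorithm #1; the sample payload, addresses and access address are constructed for illustration.

```python
import struct

def mac(raw: bytes) -> str:
    # Addresses travel least-significant byte first; reverse for display.
    return ":".join(f"{b:02x}" for b in reversed(raw))

def parse_connect_ind(payload: bytes) -> dict:
    """Decode InitA (6) + AdvA (6) + LLData (22) of a CONNECT_IND / CONNECT_REQ."""
    if len(payload) != 34:
        raise ValueError(f"expected 34 bytes, got {len(payload)}")
    ll = payload[12:]
    win_size, win_offset, interval, latency, timeout = struct.unpack_from("<BHHHH", ll, 7)
    chm = int.from_bytes(ll[16:21], "little")
    conn = {
        "initiator": mac(payload[0:6]),
        "advertiser": mac(payload[6:12]),
        "access_address": struct.unpack_from("<I", ll, 0)[0],
        "crc_init": int.from_bytes(ll[4:7], "little"),
        "interval_ms": interval * 1.25,
        "timeout_ms": timeout * 10,
        "used_channels": [ch for ch in range(37) if (chm >> ch) & 1],
        "hop": ll[21] & 0x1F,   # low 5 bits: hop increment
        "sca": ll[21] >> 5,     # high 3 bits: sleep clock accuracy
    }
    if not 5 <= conn["hop"] <= 16 or len(conn["used_channels"]) < 2:
        raise ValueError("hop increment or channel map out of range")
    return conn

def hop_sequence(conn: dict, events: int) -> list:
    """Channel Selection Algorithm #1: data channel for each connection event."""
    used, unmapped, seq = conn["used_channels"], 0, []
    for _ in range(events):
        unmapped = (unmapped + conn["hop"]) % 37
        # A channel masked out of the map is remapped onto the used-channel table.
        seq.append(unmapped if unmapped in used else used[unmapped % len(used)])
    return seq

# Constructed sample payload (not captured from any device in this thread).
CHANNEL_MAP = ((1 << 37) - 1) & ~(1 << 20) & ~(1 << 30)   # channels 20 and 30 unused
SAMPLE = (bytes.fromhex("554433221100") + bytes.fromhex("665544332211")
          + struct.pack("<I", 0x12345678) + bytes.fromhex("563412")
          + struct.pack("<BHHHH", 2, 1, 24, 0, 100)
          + CHANNEL_MAP.to_bytes(5, "little") + bytes([(1 << 5) | 10]))

if __name__ == "__main__":
    conn = parse_connect_ind(SAMPLE)
    print(f"AA=0x{conn['access_address']:08x} hop={conn['hop']}")
    print("first data channels:", hop_sequence(conn, 6))
```

If the CONNECT_IND is missed, none of these values are known to the sniffer, which is consistent with a capture that shows only advertising channels.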


Post by 9th »

Somehow it just magically works now after I read the official guide and started using the provided profile:
https://infocenter.nordicsemi.com/pdf/n ... G_v2.2.pdf
https://infocenter.nordicsemi.com/index ... iffer.html

Every time I start Wireshark, I make sure to set the Key in the toolbar to Legacy Passkey, type 000000, press enter, erase it, and press enter again.
I set my display filter to the below, to avoid being overwhelmed by advertisement packets and Empty PDU packets:

    !(btle.advertising_header.pdu_type in {0x0, 0x2, 0x6}) && !(btle.data_header.length == 0)

Then I open the device dropdown, and scroll to the bottom, waiting for new entries.

I activate the Bluetooth of the device, and usually it appears at the bottom.
I confirm whether it's the device by covering it up and watching whether the RSSI goes down consistently.
When I'm sure it's the correct device, I select it and the Bluefruit sniffer's red light activates.
A good way to double check is to activate and deactivate the device's pairing repeatedly and to watch the sniffer red LED switch between on and off, or switch between constant and flickering.

Then I start the pairing or connection process, with the device sitting right under the sniffer.
Immediately, instead of the Source column displaying MAC addresses, it will display Master_0x12345678 and Slave_0x12345678 for each packet.
I don't have any luck sniffing things between my PC and a device, because the checksums come out wrong and cause MIC errors, but sniffing between other devices works fine.
If the device uses a passkey, I wait for the prompt, enter it into the Value, hit enter, and only then I enter it into the connecting device.
The subsequent packets are logged perfectly in Wireshark, and the sniffer lights up blue, red and orange.

I hope anyone reading this finds this information useful.


Post by 9th »

Another helpful tip:

Position the sniffer directly between the connecting devices, and repeatedly cancel and retry the pairing procedure on the master device until the Source suddenly changes to Master and Slave - it can take a few tries for the sniffer to pick up the pairing packets, and you only need to enter the Legacy Passkey when you're about to complete the pairing process.
