nrfSniffer only works one time at Wireshark startup

I have the software installed and I am using the nRF52840DK with Ubuntu 22.04. The UART link is /dev/ttyACM0.

When I start Wireshark and do a capture on all advertising channels, it works fine. However, when I stop the capture and then try to start a second capture, I get no Packets found.

If I stop Wireshark and restart, again I can do one but only one capture; this is repeatable.

Before starting a second capture I have done a >lsof /dev/ttyACM0 in case it was still open and locked, but this command came back with nothing. I have also started to try some of the straight Python examples from the doc ble-sniffer subdirectory, and so far these seem to work as expected. However, it would be nice to get Wireshark usable. Any suggestions?

  • Hi,

    Can you share what Wireshark version you have?

    And also have you asked Wireshark support? 

    Regards,
    Jonathan

  • I haven't tried Wireshark support because Wireshark appears to be working properly except when trying to communicate with the nRF52840DK through /dev/ttyACM0 the second time, which seems to be more of a Nordic sniffer issue, and my current guess, which I am working on, is that opening /dev/ttyACM0 the second time is not working. In particular, I am suspicious of devices = UART.find_sniffer() around line 160 in nrf_sniffer_ble.py; I haven't figured out how to set a breakpoint when running from Wireshark. import pdb; pdb.set_trace() doesn't work, so I think I have to add a loop and attach with gdb or something like that?

    wireshark version:

    3.6.2 (Git v3.6.2 packaged as 3.6.2-2)

    Compiled (64-bit) using GCC 11.2.0, with Qt 5.15.2, with libpcap, with POSIX
    capabilities (Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua
    5.2.4, with GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT
    Kerberos, with MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4,
    with Zstandard, with Snappy, with libxml2 2.9.12, with libsmi 0.4.8, with
    QtMultimedia, without automatic updates, with SpeexDSP (using system library),
    with Minizip.

    Running on Linux 6.5.0-28-generic, with 12th Gen Intel(R) Core(TM) i9-12900K
    (with SSE4.2), with 64016 MB of physical memory, with GLib 2.72.4, with zlib
    1.2.11, with Qt 5.15.3, with libpcap 1.10.1 (with TPACKET_V3), with c-ares
    1.18.1, with GnuTLS 3.7.3, with Gcrypt 1.9.4, with nghttp2 1.43.0, with brotli
    1.0.9, with LZ4 1.9.3, with Zstandard 1.4.8, with libsmi 0.4.8, with light
    display mode, without HiDPI, with LC_TYPE=en_US.UTF-8, binary plugins supported
    (19 loaded).

  • From the documentation, I have no idea how to "use the nRF_USB connector, talking directly to the nRF and not through the interface controller on the DK". In general, the documentation is very convoluted, and requires many steps that are either not well explained or just hard-to-understand one-liners.

    I do have more info that is pointing to a Nordic bug.

    After running the first capture that works, doing a >lsof /dev/ttyACM0 returns nothing; however, the next time a capture is attempted, it fails because a lock file is left behind:

    > ls /var/lock
    . .. asound.state.lock LCK..ttyACM0 subsys whoopsie

    /var/lock is a symbolic link to /run/lock

    doing a >c /var/lock/LCK..ttyACM0 gives the pid of the "locked"? process

    > c /run/lock/LCK..ttyACM0
    656275>

    doing a

    >pg='ps aux | g -v grep | g 656275

    gives:

    <xxx redacted user name xxx>    656275  0.5  0.0      0     0 pts/0    Z    11:46   0:05 [python3] <defunct>

    Now this is interesting. Normally, to get rid of a defunct process, one uses something like:

    ps -ef | grep defunct | grep -v grep | awk '{ print $3 }' | xargs kill -9

    but this kills wireshark?

    If one simply deletes the lock file, then it is now possible to run a new capture.

    Summary: I'm guessing FileLock.py is buggy and needs to be fixed? I don't know the cleanest way to do this and, irrespective, any changes I make will be overwritten at the next update.

    I'm kind of surprised this hasn't affected others? Could there be a unique reason my setup is different, as I've just been following guidelines without any customization, trying to capture all devices advertising? Still, there are so many poorly documented steps involved, the chances of errors are high, and the debugging is difficult, as I still can't get breakpoints working when running through Wireshark, and I also haven't been successful using logging, again when running through Wireshark.

    Any suggestions for an alternative for BLE sniffing that is simpler and less fragile that I could try while waiting for Nordic to fix this?

  • Are you using the latest version of the nRF Sniffer for Bluetooth? It can be found here: https://www.nordicsemi.com/Products/Development-tools/nRF-Sniffer-for-Bluetooth-LE/Download?lang=en#infotabs

    Could it be that the version you have Which extcap version are you using? Does the nrf_sniffer_ble.sh contain exec before $py3 $script_path/nrf_sniffer_ble.py "$@" (this is one of the differences between nRF Sniffer for Bluetooth LE 4.1.0 and 4.1.1).

    Regards,
    Jonathan

  • VERSION_STRING = "4.1.1"

    and copied from nrf_sniffer_ble.sh (last line of bash script):

    exec $py3 $script_path/nrf_sniffer_ble.py "$@"

    All software was downloaded in the last 4 weeks from scratch.

    On a related note: copying example_linux.py from doc to .config/wireshark/extcap and running the first time gives:

    ```
    > python example_linux.py
    Just ran usercustomize, path: ['/home/Dropbox/programming/Python/lib/', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/home/martin/.local/lib/python3.10/site-packages', '/usr/local/lib/python3.10/dist-packages', '/usr/lib/python3/dist-packages']


    ***** open_ports:
    [<serial.tools.list_ports_linux.SysFS object at 0x7bdb055f48b0>]
    Opening serial port /dev/ttyACM0
    closing UART
    Opening serial port /dev/ttyACM0
    args: ()
    kwargs: {'callbacks': [('*', <bound method Notifier.passOnNotification of <Sniffer(Thread-3, initial)>>)]}
    board ID: 0
    starting scan
    ```

    This leaves behind the lock file, but the process of the pid of the lock file doesn't exist. Running a second time gives:

    ```
    > python example_linux.py
    Just ran usercustomize, path: ['/home/Dropbox/programming/Python/lib/', '/usr/lib/python310.zip', '/usr/lib/python3.10', '/usr/lib/python3.10/lib-dynload', '/home/martin/.local/lib/python3.10/site-packages', '/usr/local/lib/python3.10/dist-packages', '/usr/lib/python3/dist-packages']


    ***** open_ports:
    [<serial.tools.list_ports_linux.SysFS object at 0x7749c5a7c8b0>]
    Opening serial port /dev/ttyACM0
    Lockfile is stale. Overriding it..
    closing UART
    Opening serial port /dev/ttyACM0
    args: ()
    kwargs: {'callbacks': [('*', <bound method Notifier.passOnNotification of <Sniffer(Thread-3, initial)>>)]}
    board ID: 0
    starting scan
    ```

    Note the "Lockfile is stale" which is from lines 48-49 of FileLock.py

    ```
    logging.info("Lockfile is stale. Overriding it..")
    os.remove(lockfile)
    ```

    Finally, line 96 of Devices.py `if dev.name in [id, '"'+id+'"']:` doesn't work if device.name has trailing nulls which is the case for some commercial peripherals. Better would be `if id in dev.name:`

    Summary: the most recent version of the SnifferAPI is not handling the lock files properly and has some edge cases where it doesn't work.
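
The failure reported above is a lock file whose recorded owner is a `<defunct>` process: the PID still exists, but the process can no longer hold the serial port. The following is an added example, not code from FileLock.py or from the post; `proc_state`, `lock_status`, `naive_alive` and `demo` are hypothetical names, the signal-0 probe is assumed for illustration only, and the check relies on Linux `/proc`.

```python
import os
import subprocess
import sys
import tempfile
import time

def proc_state(pid):
    """One-letter state from /proc/<pid>/stat (Linux), or None if the PID is gone."""
    try:
        with open(f"/proc/{pid}/stat") as fh:
            return fh.read().rsplit(")", 1)[1].split()[0]  # comm may contain ')'
    except (FileNotFoundError, ProcessLookupError):
        return None

def lock_status(lockfile):
    """'absent', 'held' or 'stale'; a zombie (Z) or dead (X) owner is stale."""
    try:
        with open(lockfile) as fh:
            pid = int(fh.read().strip())
    except FileNotFoundError:
        return "absent"
    except ValueError:
        return "stale"  # no parsable PID, so no owner
    return "stale" if proc_state(pid) in (None, "Z", "X") else "held"

def naive_alive(pid):
    """Signal-0 probe: a zombie still has a PID, so it counts as alive."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # process exists but belongs to another user
    return True

def demo():
    """Constructed scenario: the lock's owner is an unreaped (defunct) child."""
    child = subprocess.Popen([sys.executable, "-c", "pass"])
    deadline = time.time() + 5
    while proc_state(child.pid) != "Z" and time.time() < deadline:
        time.sleep(0.05)
    with tempfile.NamedTemporaryFile("w", prefix="LCK..") as fh:
        fh.write(f"{child.pid:>10}\n")
        fh.flush()
        result = (naive_alive(child.pid), lock_status(fh.name))
    child.wait()  # reap the zombie
    return result

if __name__ == "__main__":
    print(demo())
```

A probe that only asks whether the PID exists reports the defunct owner as alive, while reading the process state classifies the same lock as stale.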

     

  • Thanks for all the details, forwarding this to our developer so that we can try to have this fixed.

  • There is something else you could try in the meantime: the nRFUtil tool has a ble-sniffer bootstrap and uses a different extcap. Might be worth a try.

    https://github.com/NordicSemiconductor/nrfutil-package-index/tree/master/nr/fu 
