Hi,

If your device has no lesc, then you can sniff LTK in pairing process.

Otherwise, you need a LTK to decrypt packet.

LTK will store in flash if you use bonding.

But you need to provide which sdk you use.

thanks for your response. But I am not a professional and the terms you use  , I am not familiar with them.

"if your devişce has no lesc" -> what is lesc , and how do I know if my device has lesc ?

"then you can sniff LTK in pairing process" -> how can I do that ?

"which sdk you use." -> I don't know. I have a laptop with Wireshark installed and 2 years ago I had installed extensions to sniff using nRF52840. I had followed official guides that time. But I'm not sure where the guide is now.

I can't download your file.

You can refer to my sniffer file. My wireshark version is v4.0.6.

In packet 2134, the device responses host that device does not support secure connection. 

In packet 2433, the device sends LTK to host. 

You can use the same method to find more information.

desktop_dfu_sniffer_log.pcapng

mb.pcapng

Can you please check this file ? My sniff session is not like your example.

this traffic is between a BLE device and an app on Android phone.

Probably the app has an hardcoded LTK and without it I won't be able to decrypt the traffic for investigation.

Would it be possible to get the LTK on the Android phone ? Is it possible to sniff on the phone itself and get an unencrypted trace ?

Hi, 

Please check out Exercise 3 Follow and decrypt a paired connection in the Bluetooth Low Energy Fundamentals course (which is highly recommended).

-Amanda H.

I checked it now but it does not match with my scenario.

First of all I am not using that board. I am trying to sniff some 3rd party device. And the communication is different. If you had checked my file mb.pcapng that I had attached in my previous post, you could understand. One side requests LTK but the other side does not send LTK.

In this case how shall I get the LTK or how shall I decrypt without a LTK ?

Please download my file and check. 

Thanks.

I checked it now but it does not match with my scenario.

First of all I am not using that board. I am trying to sniff some 3rd party device. And the communication is different. If you had checked my file mb.pcapng that I had attached in my previous post, you could understand. One side requests LTK but the other side does not send LTK.

In this case how shall I get the LTK or how shall I decrypt without a LTK ?

Please download my file and check. 

Thanks.

Hi,

all I see is "empty PDU" or "Encrypted packet decrypted incorrectly (bad MIC)"

It is most commonly caused by the sniffer not having the private keys for the connection, so it can not decrypt the packages it intercepts.

Please check  Exercise 3 Follow and decrypt a paired connection on how to get the LTK if you are using NCS. It cannot decrypt without a LTK. 

-Amanda H.

I have read through that tutorial/course, but as you can see in my scenario, LTK is not transferred in pairing phase (or am I missing it ?) 

I have already provided you pcap output, so you can see from there.

So what is the point of following that tutorial in my case ?

If the LTK is not provided while pairing , I won't be able to decrypt packets. 

I asked you if it would be possible to get the LTK , or decrypt using hci sniff on the android phone.

I could not get an answer to this.

So what is the purpose of suggesting me to read the tutorial (which I already did) ?

ilker Aktuna said:

if it would be possible to get the LTK , or decrypt using hci sniff on the android phone.

I think it cannot get LTK from your sniffer log, but you can refer to that course to get LTK if you are using NCS. 

I am sorry, I don't understand. What is NCS ? 

NCS is our nRF Connect SDK.