BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

Vidar Berg — Fri, 18 Oct 2024 06:29:40 GMT

Hi,

This does sound like a possible explanation. I don't have experience working with dual-mode chipsets that support both BLE and BR/EDR. The nRF Connect app and the sniffer only work with BLE.

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

Banderi — Thu, 17 Oct 2024 15:15:22 GMT

Hi,

Thank you for answering! I will test more things and definitely get to the bottom as to why this happens.

Do you reckon it's possible my Bluetooth gadget is sending the advertisements in BLE but establishing a connection entirely in BR/EDR so the sniffer is missing that?

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

Vidar Berg — Thu, 17 Oct 2024 06:13:37 GMT

The sniffer will lose track of the connection as soon as an encrypted channel map or connection parameter update is exchanged.

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

ryoma7 — Thu, 17 Oct 2024 03:24:13 GMT

me too,i use the micro:bit chip with btlejack(with nrf52832) to check if my device is "unsniffable",but i find that btlejack tools can normally sniff the following encrypted packets,while my wireshark (with nrf528400 dongle) only have receive several packets ahead and stops.

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

Vidar Berg — Tue, 15 Oct 2024 11:41:30 GMT

Hi,

Thanks for the update. I'm afraid I don't have an explanation for why you're not seeing the connect request when using the other app. The central must always send a CONNECT_IND PDU to the advertiser to establish the connection. The RPA is typically updated every 15 minutes and is only used in the advertising state. The CONNECT_IND PDU contains the necessary information for the sniffer to follow the connection, regardless of whether an RPA is used.

Best regards,

Vidar

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

Banderi — Fri, 11 Oct 2024 14:28:22 GMT

Hey there,

Yes, indeed I tried many times over with many combinations and in close proximity (around -30Db RSSI) but the traffic always behaves the same way, stopping abruptly and showing only advertisement / scan request packets. No connection request, no encryption data exchange, no pairing request packets etc. etc., and resuming when it begins advertisement again.

This happens both if I have the device selected, and also if I leave it listening to "all advertising devices" (which makes sense since that captures only the advertisements, from what I read).

On Wireshark, I also tried selecting other options in the interface such as "Find auxiliary pointer data chain" and "Find auxiliary scan response data", but nothing changed. The only thing I noticed is that enabling "Scan and follow devices on LE Coded PHY" seems to freeze Wireshark sometimes.

How could it be possible for it to miss the pairing / connection request packets entirely? Do I have to manually alter anything for the sniffer to be able to follow into it? I left it all at the defaults (e.g. "Adv Hop" was set to 37,38,39; "Legacy Passkey" with an empty value field, etc.) Or perhaps it's a bug in one of the versions of the tools I installed?

---- EDIT: After trying many things, I have noticed a new thing. Using the nRF Connect for Mobile app to attempt a connection with the device, the nRF52840 and Wireshark do, indeed, successfully capture all the pairing and connection data, as well as the (empty) master/slave PDU communications once connected. This means that the sniffer and the basic BLE communications do work as expected.

But using the proprietary app, somehow, all traffic stops after the ADV broadcasts.

How could that be possible? Even if the app was using a different encryption mechanism, wouldn't the sniffer at least be capturing some traffic? After a lot of browsing and searching, I've come across something related to "RPA" and "IRK" which, if I read correctly, somehow change the public address of the device immediately after a connection request which would make it disappear from the captures. However, I do not know how these work so I could be entirely wrong here... Any suggestions?

RE: BLE sniffing with nRF52840 Dongle only shows ADV traffic from device

Vidar Berg — Fri, 11 Oct 2024 13:29:31 GMT

Hello,

Have you attempted this multiple times, and are the phone, peripheral, and sniffer in close range to each other? Based on your description, it sounds like the sniffer is missing the connection request packet, which is needed by the sniffer for it to be able to follow the connection.

[quote user=""] have no idea how to proceed from here. From my understanding, in the bare minimum I should at least be able to capture the start of a pairing process? [/quote]

Yes, you should be able to see the pairing exchange before the link is encrypted. You will also be able to decrypt the packets if the peripheral only supports legacy pairing.

Best regards,

Vidar