Coded PHY on BLE sniffer not working?

I'm trying to use Nordic's BLE sniffer on an nRF52833-DK. I have programmed it with the firmware "sniffer_nrf52833dk_nrf52833_4.1.1.hex".

I've then tried both the command "nrfutil ble-sniffer sniff --port /dev/ttyACM4 --coded" as well as "nrfutil ble-sniffer sniff --port /dev/ttyACM4 --coded --scan-follow-aux --scan-follow-aux-chain --scan-follow-aux-rsp" but I cannot see any Coded PHY advertising packets in the resulting Wireshark .pcap file. I only see a bunch of 1M advertisements from the surroundings. I have a few peripherals nearby that are advertising only on the Coded PHY and I can see them in the Android app nRF Connect and it says "LE Coded". Is there a known issue with the sniffer?

I'm using Ubuntu 24.04. FYI I had hoped to be able to use the sniffer plugin in Wireshark but that one doesn't work at all (nrf sniffer device does not show up) even though I've installed the plugin according to the instructions. So for now I'm using the sniffer on the command line.

  • Hi Emil,

    Could you let me know which nRF Sniffer version you are using?
    Also please let me know the Wireshark version.

    I'm not so familiar with the installation on Linux, but could you try step 3 of section 2.2 in this document? https://docs.nordicsemi.com/bundle/nrfutil_ble_sniffer_pdf/resource/nRF_Sniffer_BLE_UG_v4.0.0.pdf

    It's best if you can run it with Wireshark.
    I assume you can capture BLE advertising packets at 1 Mbps and are only having trouble with Coded PHY?

  • Sniffer version is 4.1.1. "nrfutil ble-sniffer" version is 0.14.1.

    Python version is 3.12.3.

    Wireshark version is whatever comes with Ubuntu 24.04, i.e. 4.2.2.

    I managed to get the Wireshark plugin working by running "/usr/bin/python3 -m pip install -r requirements.txt --break-system-packages" in the extcap folder. I don't know why the "break system packages" was necessary. The system package python3-pyserial does not exist.

    The coded phy options on the command line seem broken but it works with the settings in the Wireshark GUI. However, whenever I press the stop button I get a popup with this error:

    Error from extcap pipe: /home/emil/.local/lib/wireshark/extcap/nrf_sniffer_ble.py:187: SyntaxWarning: invalid escape sequence '\s'
      "{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}" % CTRL_ARG_ADVHOP)
    /home/emil/.local/lib/wireshark/extcap/nrf_sniffer_ble.py:716: SyntaxWarning: invalid escape sequence '\s'
      m = re.search("^\s*rssi\s*(>=?)\s*(-?[0-9]+)\s*$", capture_filter, re.IGNORECASE)

  • Thanks, prepending each problematic line with "r" fixed that error. Maybe consider releasing an update which fixes that?

  • Hi Emil,
    Good to know you found a way to fix it. I think the main problem is the incompatibility with Python v3.12 and later.

    How did you install nRF Sniffer? Have you tried to install nRF Sniffer from nrfutil?

  • After reading https://www.adam-thomas.co.uk/blog/nrfutil-bluetooth-sniffer-with-tshark/ I now understand that there are two variants of the host part of the nrf ble sniffer, one "old" in Python and one "new" in Rust.

    The Python one works for me with Wireshark:

    $ nrf_sniffer_for_bluetooth_le_4.1.1/extcap/nrf_sniffer_ble.sh --extcap-interfaces --extcap-version=4.2
    extcap {version=4.1.1}{display=nRF Sniffer for Bluetooth LE}{help=https://www.nordicsemi.com/Software-and-Tools/Development-Tools/nRF-Sniffer-for-Bluetooth-LE}
    interface {value=/dev/ttyACM0-4.2}{display=nRF Sniffer for Bluetooth LE}
    control {number=0}{type=selector}{display=Device}{tooltip=Device list}
    control {number=1}{type=selector}{display=Key}{tooltip=}
    control {number=2}{type=string}{display=Value}{tooltip=6 digit passkey or 16 or 32 bytes encryption key in hexadecimal starting with '0x', big endian format.If the entered key is shorter than 16 or 32 bytes, it will be zero-padded in front'}{validation=\b^(([0-9]{6})|(0x[0-9a-fA-F]{1,64})|([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}) (public|random))$\b}
    control {number=3}{type=string}{display=Adv Hop}{default=37,38,39}{tooltip=Advertising channel hop sequence. Change the order in which the sniffer switches advertising channels. Valid channels are 37, 38 and 39 separated by comma.}{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}
    control {number=7}{type=button}{display=Clear}{tooltop=Clear or remove device from Device list}
    control {number=4}{type=button}{role=help}{display=Help}{tooltip=Access user guide (launches browser)}
    control {number=5}{type=button}{role=restore}{display=Defaults}{tooltip=Resets the user interface and clears the log file}
    control {number=6}{type=button}{role=logger}{display=Log}{tooltip=Log per interface}
    value {control=0}{value= }{display=All advertising devices}{default=true}
    value {control=0}{value=[00,00,00,00,00,00,0]}{display=Follow IRK}
    value {control=1}{value=0}{display=Legacy Passkey}{default=true}
    value {control=1}{value=1}{display=Legacy OOB data}
    value {control=1}{value=2}{display=Legacy LTK}
    value {control=1}{value=3}{display=SC LTK}
    value {control=1}{value=4}{display=SC Private Key}
    value {control=1}{value=5}{display=IRK}
    value {control=1}{value=6}{display=Add LE address}
    value {control=1}{value=7}{display=Follow LE address}

    but the new one in Rust doesn't work with Wireshark:

    $ ~/.local/lib/wireshark/extcap/nrfutil-ble-sniffer-shim --extcap-interfaces --extcap-version=4.2
    extcap {version=0.14.1}{display=nRF Sniffer for Bluetooth LE}{help=https://www.nordicsemi.com/Software-and-Tools/Development-Tools/nRF-Sniffer-for-Bluetooth-LE}
    control {number=0}{type=selector}{display=Device}{tooltip=Device list}
    control {number=1}{type=selector}{display=Key}{tooltip=}
    control {number=2}{type=string}{display=Value}{tooltip=6 digit passkey or 16 or 32 bytes encryption key in hexadecimal starting with '0x', big endian format. If the entered key is shorter than 16 or 32 bytes, it will be zero-padded in front}{validation=\b^(([0-9]{2,6})|(0x[0-9a-fA-F]{1,64})|([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}) (public|random))$\b}
    control {number=3}{type=string}{display=Adv Hop}{default=37,38,39}{tooltip=Advertising channel hop sequence. Change the order in which the sniffer switches advertising channels. Valid channels are 37, 38 and 39 separated by comma.}{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}
    control {number=7}{type=button}{display=Clear}{tooltip=Clear or remove device from Device list}
    control {number=4}{type=button}{role=help}{display=Help}{tooltip=Access user guide (launches browser)}
    control {number=5}{type=button}{role=restore}{display=Defaults}{tooltip=Resets the user interface and clears the log file}
    control {number=6}{type=button}{role=logger}{display=Log}{tooltip=Log per interface}
    value {control=0}{value= }{display=All advertising devices}{default=true}
    value {control=0}{value=00:00:00:00:00:00 public}{display=Follow IRK}
    value {control=1}{value=0}{display=Legacy Passkey}{default=true}
    value {control=1}{value=1}{display=Legacy OOB data}
    value {control=1}{value=2}{display=Legacy LTK}
    value {control=1}{value=3}{display=SC LTK}
    value {control=1}{value=4}{display=SC Private Key}
    value {control=1}{value=5}{display=IRK}
    value {control=1}{value=6}{display=Add LE address}
    value {control=1}{value=7}{display=Follow LE address}
    value {control=1}{value=8}{display=Sniffer Drift}

    As you can see, no "interface" is listed. Running Ubuntu 24.04. As mentioned earlier, running it from the command line using "nrfutil ble-sniffer sniff" works though.
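
The check made in the post above (does the `--extcap-interfaces` output contain an `interface` sentence?) written as a small Python script. This is an added example, not part of the thread or of Nordic's tooling; the function names are hypothetical and the sample text is abridged from the two outputs quoted above.

```python
def parse_sentence(line):
    """Split 'keyword {k=v}{k=v}' into (keyword, {k: v}). Braces inside a
    value, such as the regex quantifier {0,2}, stay part of that value."""
    keyword, _, rest = line.strip().partition(" ")
    args, depth, start = {}, 0, 0
    for i, ch in enumerate(rest):
        if ch == "{":
            if depth == 0:
                start = i + 1          # first character after the opening brace
            depth += 1
        elif ch == "}" and depth > 0:
            depth -= 1
            if depth == 0:             # outermost brace closed: one argument done
                key, _, value = rest[start:i].partition("=")
                args[key] = value
    if depth:
        raise ValueError("unbalanced braces in: " + line)
    return keyword, args

def summarize(output):
    """Return the extcap version, the interface values and the control count."""
    summary = {"version": None, "interfaces": [], "controls": 0}
    for line in output.splitlines():
        if not line.strip():
            continue
        keyword, args = parse_sentence(line)
        if keyword == "extcap":
            summary["version"] = args.get("version")
        elif keyword == "interface":
            summary["interfaces"].append(args.get("value"))
        elif keyword == "control":
            summary["controls"] += 1
    return summary

# Abridged from the outputs quoted in the thread. Raw strings keep \s literal,
# which also avoids the Python 3.12 SyntaxWarning reported earlier.
PYTHON_EXTCAP = r"""extcap {version=4.1.1}{display=nRF Sniffer for Bluetooth LE}
interface {value=/dev/ttyACM0-4.2}{display=nRF Sniffer for Bluetooth LE}
control {number=3}{type=string}{display=Adv Hop}{default=37,38,39}{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}
value {control=0}{value= }{display=All advertising devices}{default=true}
"""
RUST_SHIM = r"""extcap {version=0.14.1}{display=nRF Sniffer for Bluetooth LE}
control {number=3}{type=string}{display=Adv Hop}{default=37,38,39}{validation=^\s*((37|38|39)\s*,\s*){0,2}(37|38|39){1}\s*$}{required=true}
value {control=1}{value=8}{display=Sniffer Drift}
"""
if __name__ == "__main__":
    for name, text in (("python extcap", PYTHON_EXTCAP), ("rust shim", RUST_SHIM)):
        s = summarize(text)
        status = "ok" if s["interfaces"] else "no interface sentence"
        print(f"{name}: version={s['version']} interfaces={s['interfaces']} ({status})")
```

To check a live installation, pipe the real command's output into `summarize()` instead of the embedded samples.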
