Decrypting BLE traffic from sniffer with CLI captured data

I'm trying to use 'nrfutil ble-sniffer sniff --follow "${target} public" --port ${device} --output-pcap-file ${output} --coded --timeout 5000 --log-level info --log-output stdout --json' in a script to split up automated testing captures, where target is the MAC address of my peripheral device. I capture data but cannot decode after the connection becomes encrypted. I've tried to enter the LTK in the GUI with the saved pcap file loaded, but it will not decrypt.

I can get Wireshark to decrypt actively received data from their GUI after entering the LTK there. I've found no way to input the LTK after the fact for data captured using the above method.

How can I pass the LTK to the CLI launched sniffer process so I can decrypt these packets? 

Jonathan Crockett

Sleepnumber Labs

  • I am not an expert in this but it seems like when you run that command, it just spits raw Link-Layer frames into your PCAP. Once the BLE link goes encrypted, you’re looking at ciphertext—there’s no built-in hook for nrfutil to drop in your Long Term Key (LTK). That’s why nothing you do afterward in Wireshark seems to stick. The people with Wireshark expertise are away on summer vacation and unfortunately we need to wait until they come back after two weeks to be able to get their insights and see if there is any other way to do this.

