Wireshark BLE Sniffer missing packet, non-sequential event counter observed

I am using Wireshark with the Nordic BLE Sniffer plugin. The sniffer dongle used is an nRF52840. I am using it to capture a BLE connection from my laptop BLE to a peripheral BLE device.

I observe that the event counter of my BLE communication captured on Wireshark is not incrementing sequentially. I expect that "Event counter" after CONNECT_IND should be 0->1->2->3->..., but I observe that the "Event counter" after CONNECT_IND is 0->2->4->6->8->10->...

May I know why the "Event counter" is not sequentially incrementing? 

The screenshot below starts from Packet No. 4478.

nRF app success, VDD_BLE=2.6V, 100ohm shunt, peripheral_server_sleep_UART, adv_int=500ms, 20260106.pcapng

  • Hello Team,

    I am experiencing the same issue with the nRF BLE Sniffer running on an nRF52840 Dongle.

    A few days ago, I updated the sniffer firmware using nrfutil and updated the Wireshark plugins using the nrfutil ble-sniffer bootstrap command.

    The issue:
    The sniffer misses every other connection event. After a fresh firmware flash (using the .hex file provided in this topic via nRF Connect for Desktop), the first connection sniffing session works perfectly. However, for the second and all subsequent sessions, it starts skipping every other connection event again.

    Steps I’ve taken:

    1. Restarted Wireshark and replugged the dongle — no improvement.

    2. Re-flashed the firmware (.hex) via nRF Connect for Desktop — the first trace is fine, but subsequent ones fail.

    3. Tested the dongle on a MacBook with an older version of Wireshark/plugin — the result is the same (works once after dongle firmware update, then misses events).

    It seems like the sniffer works correctly only once after flashing. After the first connection trace, something likely changes in the internal flash, causing it to skip events.

    Could you please provide the previous nRF dongle firmware?

    Best regards,
    Andrei.

  • Update:

    1. Reflashing the dongle firmware does not always help.

    2. Sometimes, restarting Wireshark and replugging the dongle helps, but not consistently.

    3. Occasionally, I can complete more than one successful trace before the sniffer enters this "weird state."

    4. Once it starts missing every other connection event, it does not recover on its own. Only steps 1 and 2 (reflashing or replugging) provide a temporary fix.

    Environment details:

    • Host OS: Tested on both Windows and macOS.
      Windows Wireshark versions 4.6.4 and 4.4.14.
      iOS Wireshark version 4.4.1
      Windows nrfutil version 8.1.1

    • Central Devices: Using nRF Connect app on iOS (v2.8.1024) and Android (4.29.1).

    • Peripheral Devices: Based on nRF SDK BLE (s113_nrf52_7.2.0_softdevice, sdk v17.1.0) and a custom BLE implementation (on nRF52).

    • Note: These devices have no connection issues with other centrals; the problem appears to be specific to the sniffer's performance.


  • Update and solution:

    I downgraded Wireshark to version 3.6 and now the sniffer works properly every time with the latest firmware and Wireshark plugins (v4.1.1).

    It seems that Wireshark versions 4.6.4 and 4.4.14 have an issue.

  • I have Wireshark version 4.0.12, do you recommend downgrading to version 3.6? What is puzzling me is that 4.0.12 was working for over 2 years; only recently did I start seeing the issue.

  • Downgrading to 3.6 helped me to solve the issue. I didn’t check other Wireshark versions, maybe 3.8 will also work.

    I also had Wireshark 4.4.1 on macOS working fine before, but I am not sure, maybe one day I accepted an automatic Wireshark update. Or maybe there was an OS update which conflicts with new Wireshark versions. It is also interesting that there is the same issue on both Windows and macOS.
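
Added example, not part of any post in this thread: a way to measure how many connection events a capture is missing, and whether the loss matches the "every other event" pattern reported above, before and after changing the Wireshark version. It assumes the counters were exported with `tshark -r capture.pcapng -T fields -E separator=, -e frame.number -e nordic_ble.event_counter` (the field name is an assumption about the nordic_ble dissector), that the export covers a single connection, and it uses constructed sample rows.

```python
import csv
import io

# Constructed sample rows: frame.number,event_counter (not taken from the thread's capture).
SAMPLE_CSV = """\
4478,0
4479,0
4480,2
4481,2
4482,4
4483,6
4484,8
"""

WRAP = 1 << 16  # the BLE connection event counter is 16 bits and wraps to 0


def parse_rows(text):
    """Parse 'frame,counter' lines; rows without a counter value are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < 2 or not rec[1].strip():
            continue
        rows.append((int(rec[0]), int(rec[1])))
    return rows


def find_gaps(rows):
    """Return (frame, previous, current, missed) for each jump larger than one event."""
    gaps = []
    for (_, prev), (frame, cur) in zip(rows, rows[1:]):
        step = (cur - prev) % WRAP  # modular difference survives the 65535 -> 0 wrap
        if step > 1:
            gaps.append((frame, prev, cur, step - 1))
    return gaps


def summarize(rows):
    """Count captured and missed events and flag a constant one-event-skipped pattern."""
    gaps = find_gaps(rows)
    # Several packets can share one event, so count counter changes, not rows.
    seen = (1 + sum(1 for (_, a), (_, b) in zip(rows, rows[1:]) if a != b)) if rows else 0
    missed = sum(g[3] for g in gaps)
    every_other = seen > 1 and len(gaps) == seen - 1 and all(g[3] == 1 for g in gaps)
    return {"events_seen": seen, "events_missed": missed, "every_other_event": every_other}


if __name__ == "__main__":
    print(summarize(parse_rows(SAMPLE_CSV)))
```

A capture with gaps is an incomplete record of the link, so anything reassembled from it (GATT operations, pairing exchanges) should be treated as partial until the gap count is zero.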
