nRF52840 dongle as a sniffer to capture BLE packets in Wireshark.

I am using an nRF52840 dongle as a sniffer to capture BLE packets in Wireshark. Recently, I’ve noticed that the captured files are approximately half the expected size, and I’m not sure what is causing this issue.

This setup has been very reliable for the past two and a half years, and I haven’t made any significant changes to my configuration.

Has anyone experienced a similar issue or have any suggestions on what might be causing this?

  • Hi

    Looking at the files, have you noticed anything specific missing from them, or do you have any idea what is missing from the files? I can't say I have heard of something similar before, no.

    Do you have some information on what version of the sniffer firmware and Wireshark you're running on your setup?

    Best regards,

    Simon

  • From reviewing the capture files, it appears that every other data packet is missing.

    The central and peripheral successfully establish a BLE connection and begin exchanging data. I would normally expect around 5500 kB of data. However, the captures consistently show about half of that, which suggests that roughly every other packet is not being captured.

    I have tested this across multiple runs:

    • Collected 10 Wireshark capture files
    • About 50% of the expected data is present in each, indicating a consistent pattern of missing packets

    Regarding my setup:

    • nRF Sniffer for Bluetooth LE firmware: Version 4.1
    • Wireshark: 4.0.12 (also tested with the latest version, same behavior observed)

    Please let me know if you need additional details or specific capture samples.

  • Hmm, this sounds very strange, and I can't say I've seen or heard of something similar in the past. Can you upload a sniffer sample for us to take a look at? Then I can also loop in the nRF Sniffer developers to see if they have any ideas as to what this odd behavior could be. And just to make sure, this always occurs on your side now, no matter what traffic you are sniffing? Do you have multiple Dongles where you see this, and have you tried erasing and flashing the nRF Sniffer firmware again on a Dongle you're seeing this on to see if it still happens?

    Can you also try with the nRF Sniffer firmware in nrfutil, which is the latest version of the nRF firmware, to see if it's reproducible there as well?

    Best regards,

    Simon

  • I have the exported CSV version of the Wireshark trace as one example. Look between event counter 126 and 128, and at NESN and SN; this indicates maybe the sniffer is missing.... Let me know if I can provide more info. test10.csv

  • Hi

    This always occurs on your side now, no matter what traffic you are sniffing? Or does it, for example, only occur on encrypted connections? Maybe the missing data is from an encrypted advertisement or similar that you can't see without being in on the encryption. Do you have the .pcapng file of the sniffer trace instead, as that is much easier to review than the .csv file? From the .csv file I don't see anything obvious missing, but then again I don't know what you're expecting between the events here.

    Best regards,

    Simon
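
The event counter and SN/NESN check mentioned in the thread can be run over a CSV export mechanically. This is an added example, not code from any participant or from Nordic; the column names, direction labels and sample rows are assumptions and constructed data, not the contents of test10.csv.

```python
import csv
import io

# Constructed sample, not the thread's test10.csv. Column names and direction
# labels are assumptions; rename them to match your own Wireshark CSV export.
SAMPLE_CSV = """No.,Event counter,Direction,SN,NESN
1,125,C->P,0,0
2,125,P->C,0,1
3,126,C->P,1,1
4,126,P->C,1,0
5,128,C->P,1,1
6,128,P->C,1,0
"""
PEER = {"C->P": "P->C", "P->C": "C->P"}


def find_capture_gaps(csv_text):
    """Return (event_gaps, sn_repeats) for one connection's data packets."""
    event_gaps = []   # (last event seen, next event seen, events missing between)
    sn_repeats = []   # frame numbers that reuse an SN the peer already acknowledged
    prev_event = None
    last = {}         # direction -> {"sn": bit, "acked": bool} of last captured packet
    for row in csv.DictReader(io.StringIO(csv_text)):
        frame, event = int(row["No."]), int(row["Event counter"])
        direction, sn, nesn = row["Direction"], int(row["SN"]), int(row["NESN"])
        if prev_event is not None:
            # The connection event counter is 16 bits wide, so compare modulo 2**16.
            step = (event - prev_event) % 65536
            if step > 1:
                event_gaps.append((prev_event, event, step - 1))
        prev_event = event
        # NESN differing from the peer's last captured SN acknowledges that packet.
        peer = last.get(PEER[direction])
        if peer is not None and nesn != peer["sn"]:
            peer["acked"] = True
        # After an acknowledgement the sender's next new packet toggles SN. A repeat
        # means a retransmission after a lost ACK, or an odd number of this
        # sender's packets missing from the capture.
        mine = last.get(direction)
        if mine is not None and mine["acked"] and mine["sn"] == sn:
            sn_repeats.append(frame)
        last[direction] = {"sn": sn, "acked": False}
    return event_gaps, sn_repeats


if __name__ == "__main__":
    gaps, repeats = find_capture_gaps(SAMPLE_CSV)
    for before, after, missing in gaps:
        print(f"event counter {before} -> {after}: {missing} event(s) not captured")
    print("frames repeating an already-acknowledged SN:", repeats)
```

An SN repeat that lines up with an event counter gap points at the capture rather than the link, since a retransmission would normally appear in the very next connection event.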
