Sniffing BLE LESC traffic in tshark.

Hi there,

1. I want to sniff a BLE LESC bonding session in tshark/CLI, not in Wireshark/GUI, and decrypt it in the same session using the LTK. The idea is to increase the time interval between LTK generation and the encryption start packet, then extract the LTK from the nRF logs and load it into tshark so it can decrypt the bonding session.

The question is: would tshark accept the LTK mid-scan? If I load the LTK as soon as it is generated and before the encryption packets are exchanged, would it decrypt the packets?

2. I have found in some old Nordic cases that it is only possible to sniff with Wireshark and not with tshark.

I read that I can use nrfutil or the nRF CLI to scan from the CLI using the sniffer API. I tried doing it with the sniffer API; the sniffer was able to follow the device address, but 0 packets were captured.

Now, tshark is also recording the scan in the background, because I wanted the sniffer API to follow the hops and tshark to record the traffic so I can decrypt it afterwards. But I think that since both the sniffer API and tshark have to listen on the same port, tshark is missing the scan. (I am not sure if this is really the reason.)


My objective is to capture the bonding traffic from the CLI and decrypt it with the LTK. Any suggestions or other approaches would be appreciated.

Thanks,

Umer Qureshi
  • Hi Umer, 

    1. The way I understand how the sniffer works with the keys is that the LTK has to be provided to the sniffer firmware running on the nRF5x chip. The chip decrypts the packets on the fly and sends them to the PC/Wireshark. So it's not Wireshark or tshark that decrypts the encrypted messages. 

    I'm not so sure if you can feed the LTK right before the encryption start to enable the sniffer to start decrypting the messages. But you can try. 

    An easier way in my opinion is to do bonding, then disconnect, provide the LTK to the sniffer and then connect again. This way the sniffer will be able to use the LTK to decrypt the connection. 

    2. I don't have much experience with tshark. But as I mentioned, the decrypting should happen on the nRF52, not on the PC. So if you can capture unencrypted packets with tshark + nRF52, you should be able to do so with encrypted packets. 

  • Hi Hung,

    Can you provide a link to any document where I can find how exactly the nRF uses the LTK and whether it can be used in the middle of a session?

    Decrypting a bonded session is easier, but I want to decrypt a bonding session for a specific purpose.

    The problem with tshark is that it is not even filtering the traffic by device MAC address. I have read in some old Nordic cases that tshark is not supported with the nRF Sniffer. It seems like this is still the case. Can you confirm from any documentation? Also, I would like to know, if I go with another approach such as using the snifferAPI or nrfutil for automation purposes, what would be the best approach? 

  • Hi Umer, 
    I'm afraid that it's not very well documented. The sniffer was created as a tool to assist debugging, not as a development tool. 

    We haven't done much development on the sniffer firmware in the last few years. So the situation remains the same. 

    I noticed another customer has managed to use tshark with the nRF Sniffer. I haven't looked deeply into this, but maybe you can check? https://www.adam-thomas.co.uk/blog/nrfutil-bluetooth-sniffer-with-tshark/

    Umer said:
    Also, I would like to know, if I go with another approach such as using the snifferAPI or nrfutil for automation purposes, what would be the best approach? 

    The functionality exposed to nrfutil is quite limited. It's made to be used with Wireshark, so I don't think you will be able to get much out of it. You will need to use the snifferAPI. But please check the article above. 
