
Wireshark BLE L2CAP packet reassembly

I have some BLE traffic that I have sniffed and am displaying in Wireshark. Most of the opcodes (read/write request/response indications/notifications etc.) are parsed/displayed correctly. However, I have some packets that are prepare write requests/responses and these just show as L2CAP fragments. Is there a way to reassemble fragmented prepare write requests/responses in Wireshark so that I can see the header data (attribute opcodes 0x16, 0x17) and reassembled value?


    It should work fine to see prepare write request/response in Wireshark. Which version of Wireshark do you use? The sniffer works best with version 1.10.x (I just tested with Wireshark 1.10.14).

  • Thanks for the clarification. I can see the packet fragments and can manually extract the header/reassemble the value, but as RK mentioned, I was looking for a way similar to TCP and SSL protocols to have Wireshark automatically reassemble the L2CAP fragments.

    FYI I'm using Wireshark v 1.12.5 and have noticed that the Nordic BLE sniffer meta doesn't show up correctly in newer versions (I have had to mention using an older version to several colleagues). One colleague uses 1.10.x and the L2CAP fragments show as "Malformed Packet" rather than "L2CAP Fragment".
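
The manual reassembly mentioned in the thread can be scripted outside Wireshark. The following is an added example, not code from any poster or from the sniffer project: it joins Link Layer fragments into L2CAP frames and decodes prepare write requests/responses (opcodes 0x16, 0x17). It assumes the input is the raw LL data channel PDUs (2-byte header plus payload, with the sniffer meta header, access address and CRC already stripped) from one direction of one connection, in capture order; all function names and the sample bytes are constructed for illustration.

```python
import struct

ATT_CID = 0x0004  # fixed L2CAP channel for the Attribute Protocol
PREPARE_WRITE = {0x16: "Prepare Write Request", 0x17: "Prepare Write Response"}

def reassemble_l2cap(ll_pdus):
    """Return [(cid, payload)] for each complete L2CAP frame in ll_pdus."""
    frames, buf, need, cid = [], None, 0, None
    for pdu in ll_pdus:
        if len(pdu) < 2:
            continue
        llid, length = pdu[0] & 0x03, pdu[1]  # LLID bits, payload length
        payload = pdu[2:2 + length]
        if llid == 0b10:  # start of an L2CAP frame (or a complete one)
            if len(payload) < 4:
                buf = None
                continue
            need, cid = struct.unpack_from("<HH", payload)
            buf = bytearray(payload[4:])  # an unfinished earlier frame is dropped
        elif llid == 0b01 and buf is not None and payload:
            buf += payload  # continuation fragment
        else:
            continue  # LL control PDU, empty PDU, or continuation with no start
        if len(buf) >= need:
            frames.append((cid, bytes(buf[:need])))
            buf = None
    return frames

def parse_prepare_write(att):
    """Decode opcode 0x16/0x17: opcode, handle, offset, part value."""
    if len(att) < 5 or att[0] not in PREPARE_WRITE:
        return None
    handle, offset = struct.unpack_from("<HH", att, 1)
    return {"opcode": att[0], "name": PREPARE_WRITE[att[0]],
            "handle": handle, "offset": offset, "value": att[5:]}

def decode_prepare_writes(ll_pdus):
    frames = reassemble_l2cap(ll_pdus)
    parsed = (parse_prepare_write(d) for c, d in frames if c == ATT_CID)
    return [p for p in parsed if p]

def sample_pdus():
    """Constructed sample: one request with a 30-byte value, 27-byte LL payloads."""
    att = bytes([0x16]) + struct.pack("<HH", 0x0025, 0) + bytes(range(30))
    l2cap = struct.pack("<HH", len(att), ATT_CID) + att
    first, rest = l2cap[:27], l2cap[27:]
    return [bytes([0x02, len(first)]) + first,
            bytes([0x01, 0x00]),  # empty PDU between fragments
            bytes([0x01, len(rest)]) + rest]
```

A continuation fragment whose start was missed by the sniffer is discarded rather than guessed at, so a gap in the capture shows up as a missing frame instead of a corrupted value.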
