Wireshark BLE L2CAP packet reassembly

RE: Wireshark BLE L2CAP packet reassembly

Stig — Fri, 26 Aug 2016 12:35:38 GMT

As a temporary workaround (until nRFSniffer is updated) it's possible to capture with Wireshark 1.10.x and then save the capture file to be used in Wireshark 2.x.x to use the updated BLE dissectors.

RE: Wireshark BLE L2CAP packet reassembly

David Edwin — Fri, 26 Aug 2016 11:35:07 GMT

That is good if it works. This other question would be related to getting the latest wirehshark to work properly. devzone.nordicsemi.com/.../

Can you try it and let us know if this works for you ?

RE: Wireshark BLE L2CAP packet reassembly

Stig — Tue, 09 Aug 2016 20:46:40 GMT

The latest development version of Wireshark has support for BLE L2CAP reassembly, and even the Nordic BLE sniffer meta header (so you don't need the plugin).

You can try one of the latest automated builds from www.wireshark.org/.../

RE: Wireshark BLE L2CAP packet reassembly

RK — Fri, 08 Jul 2016 15:45:30 GMT

Wireshark is open source. Post a message on the developer list saying you think this feature is useful and ask how it should be implemented, then write the code and submit a pull request.

RE: Wireshark BLE L2CAP packet reassembly

Elm — Fri, 08 Jul 2016 15:32:21 GMT

Hi,

I just wants to add that there are more companies in need of fragments handling in Wireshark. At least my company. How would I do to show my interest and even possibly support such work?

regards, Elm

RE: Wireshark BLE L2CAP packet reassembly

RK — Tue, 21 Jun 2016 12:23:55 GMT

There were quite a lot of changes to the BLE dissectors between 1.10/1.11 and 1.12 which is very similar to what ended up in 2.x and I'm not entirely sure I totally understand some of them. Some of the useful header information (like direction) is explicitly stripped on the way down the dissector chain which seemed a bit daft to me. I have to assume that there were cases it was wrong but I didn't manage to get a straight answer out of the mailing list.

I maintain the OSX port of the sniffer, I didn't have trouble on 1.12, but had to make a few changes to support 2.x and recompile it against latest libraries and use that one now, and live with the annoyances in the latest BLE dissector codebase.

RE: Wireshark BLE L2CAP packet reassembly

cgreen — Tue, 21 Jun 2016 12:15:13 GMT

Thanks for the clarification. I can see the packet fragments and can manually extract the header/reassemble the value but as RK mentioned I was looking for a way similar to TCP and SSL protocols to have wireshark automatically reassemble the L2CAP fragments.

FYI I'm using wireshark v 1.12.5 and have noticed that the nordic BLE sniffer meta doesn't show up correctly in newer versions (I have had to mention using an older version to several colleagues). One colleague uses 1.10.x and the L2CAP fragments show as "Malformed Packet" rather than "L2CAP Fragment"

RE: Wireshark BLE L2CAP packet reassembly

RK — Tue, 21 Jun 2016 12:02:00 GMT

You can see the individual packets but wireshark's BLE dissector doesn't re-assemble separate packet fragments into entire messages in the same way it does with some TCP and other protocols. That was what the OP was asking.

RE: Wireshark BLE L2CAP packet reassembly

FormerMember — Tue, 21 Jun 2016 11:20:45 GMT

It should work fine to see prepare write request/response in wireshark. Which version of wireshark do you use? The sniffer works best with version 1.10.x (I just tested with wireshark 1.10.14).

RE: Wireshark BLE L2CAP packet reassembly

RK — Tue, 21 Jun 2016 01:55:23 GMT

Nope. There's no code in wireshark which does that for BLE. In fact there's not much stateful conversation parsing in the BLE dissectors at all.

You could add code to do that and submit it to wireshark, but you probably want to check it's not already on someone's radar and if it's the kind of stateful dissection they'd want.