How do I filter empty pdu in wireshark?

RE: How do I filter empty pdu in wireshark?

Julien — Fri, 28 Jul 2017 09:37:58 GMT

One solution is to run with newest version of wireshark. You will have no more plugin problem as is is integrated into default dissector.

Wireshark 2.4.0 is last release today and it just require one manual configuration the first time you use it.

For the "simple user" with NRFsniffer1.0.1 here is a basic help on how to use wireshark 2.4.0 or more (note it could be simplified if Nordic does an update of it's nRFsniffer):

open the sniffer

press w as explained in docuementation

For the first time only you open Wireshark:

go to edit->preferences->protocols->DLT_USER

edit the encapsulation table and add "user10 (DLT=157)" with "nordic_ble" in payload protocol field.

With this, btle.length > 0 should work fine

RE: How do I filter empty pdu in wireshark?

Mitch996 — Mon, 17 Jul 2017 01:11:42 GMT

Install 64 bit wireshark v1.10.7 , beware of malwares when downloading from the internet.
run sniffer in admin privilege, it will automatically install all the plugins upon the first calling of wireshark.
if it doesn't work, i.e. btle not recognized as a field, copy ble-sniffer_win-64_1.0.1_1111_btle.dll from your sniffer directory to installation>\plugins<version>.

RE: How do I filter empty pdu in wireshark?

Mitch996 — Mon, 17 Jul 2017 00:37:18 GMT

Ha, that should be the trick, I'm using 1.12.7. Will switch back to Hung Bui's video tutorial version for a try, wish me luck, will update in the future!

RE: How do I filter empty pdu in wireshark?

Sigurd — Fri, 14 Jul 2017 10:33:23 GMT

If you open up the "Expression" filter, do you have BTLE there?:

RE: How do I filter empty pdu in wireshark?

Sigurd — Fri, 14 Jul 2017 10:30:18 GMT

What version of Wireshark you using? Only version 1.10.x should be used.

RE: How do I filter empty pdu in wireshark?

Mitch996 — Fri, 14 Jul 2017 10:04:03 GMT

Hi, tried running with the admin privileges, didn't work. The user guid isn't helpful.

Also when inputing filter, there should be a hint. btle is properlly recodnized, so are other fields, but there isn't a field called btle.length...

RE: How do I filter empty pdu in wireshark?

Mitch996 — Fri, 14 Jul 2017 09:52:57 GMT

Hi, I executed the plugin.bat file in which it executed the plugin.exe. I also copied ble-sniffer_win-64_1.0.1_1111_btle.dll to the wireshark directory, I did not find btle.dll so I copied the one with the most similar name. Now I get these error messages:

The procedure entry point check_col could not be located in the dynamic link library libwireshark.dll.

And:

couldn't load module c:\prog...\ble-sniffer_win-64.1.0.1_1111_btle.dll: c:\prog...\ble-sniffer_win-64.1.0.1_1111_btle.dll the specified procedure could not be found.

I'm trying to figure out what to do, but could you also please give me some idea?

RE: How do I filter empty pdu in wireshark?

Sigurd — Fri, 14 Jul 2017 09:31:18 GMT

Hi,

In your post are using lendgth instead of length. If it's not working with btle.length != 0, it could be because the correct plugins are not installed.

Note that you have to install the Wireshark plugins that comes with the nRF-Sniffer.

Run the Plugins.exe installer. If it's still not working, see the Troubleshooting chapter in the nRF-Sniffer User guide. I.e:

Wireshark does not recognize btle or nordic_ble, and the Sniffer program cannot find version information for the plugins.

Run the Sniffer as Administrator. This should install the plugin automatically.

If you are running the Sniffer program manually:

Copy btle.dll and nordic_ble.dll from the Sniffer directory to \plugins<version>.

Use the files in ...\plugins[Wireshark major version]\windows\x64 if your Wireshark version is 64 bit, or the files in ...plugins[Wireshark major version]\windows\x86 if Wireshark is 32 bit.

RE: How do I filter empty pdu in wireshark?

Mitch996 — Fri, 14 Jul 2017 09:30:27 GMT

@Sigurd

Hello? That's exactly what failed me?

RE: How do I filter empty pdu in wireshark?

Sigurd — Fri, 14 Jul 2017 09:24:28 GMT

Hi,

Try btle.length != 0 instead. This works fine here :)