
Is it possible to sniff 6lowpan\coap over BLE with wireshark?

I'm using the latest SDK (14.1) and have got a working COAP server running over BLE on a nRF52DK, and can exercise the service from my Ubuntu desktop without any problem.

I have a separate Windows machine running the Nordic sniffer which I've been using successfully to sniff GATT data.

Is it possible to configure Wireshark to decode the 6lowpan traffic over BLE, and if so, how?

At the moment I can see the connect request, but no more. I'm not sure if I'm just missing a configuration step, or if there's some fundamental piece not missing. I can't believe I'm the first person to try this, but I don't see anyone else asking the same question.

Any suggestions?

Thanks.

iot trace fail.pcapng

  • Hi Phil, this should be possible, i.e. Wireshark should be able to decode the 6lowpan packet within the BLE packets. Could you post a trace? Also you should use Wireshark 2.4.1 or greater as it supports reassembly of longer BTLE frames.

  • Thanks Bjørn, I'm using Wireshark 2.4.2. I've attached a capture to the original question. You can see in there the peripheral advertising with occasional scan requests originating from my phone.

    At packet #354 I attempt a GATT connection with nRF connect on my phone, the connection is OK, and you can see the connection is maintained for a while until the app disconnects.

    Then at #1555 I connect from my Ubuntu box, and the trace ends at the connect request. The connect actually succeeds and I can exercise the COAP server.

    If I disconnect the Ubuntu box, I see advertising resume but subsequent connects result in the same behaviour, I see the connect request but no more.

    I feel like there's some configuration step I've missed out somewhere. If I create a connection with hcitool lecc I see the connection, initial feature exchange, MTU negotiation and then empty connection events with no problem.

  • From the provided capture file it looks like the Sniffer is unable to follow into connection to capture the packets.

    Wireshark will show this without any configuration, except for the key files if you are using DTLS. This screenshot shows what it will look like in the packet details:

  • There is a known issue with the nRF Sniffer where it is not able to follow the link into a connection. Please see this answer for some suggested solutions.

  • Stig, Bjørn,

    Thanks both of you for your help. I went back to basics, shut everything down and brought it all up again, repeating the steps I'd done previously, but skipping the things that hadn't worked. The 6LowPan connection came up and the sniffer caught the connect and all the subsequent 6LowPan traffic including the COAP traffic.

    Thanks again. Phil.
