nRF Sniffer decryption is not working after entering passkey

Can you mention the wireshark version used, nRF sniffer version used and board version.

Q2: Yes, nRF Sniffer should be able to sniff the subsequent re-connections.

Q1: Seems to be as expected on actions. On the timing of actions, ensure that the wireshark has the PIN before you tap to accept on the device screen (which you seem to have done as well).

Ensure you are using the nRF Sniffer v2 Beta 3 .

I will investigate after you have posted the versions of the software and hardware as requested above.

I installed software last Friday, so should be "latest".

Wireshark says 2.6.4

I have two nRF52 boards with labels that say PCA10040 1.2.4 2018.39 (nRF sniffer) and 2018.49 (Peripheral).

nRF Sniffer was extracted from a zip file nrf_sniffer_2.0.0-beta3_12oct2018_1c2a221.zip

I confirm that I entered the passkey in Wireshark before entering it in the Central.

The peripheral, slave and central are within say 75cm of each other. AFAIK I disable BLE on other nearby devices.

I have just tried sniffing a different peripheral which uses Just Works bonding (no passkey). I continued to use nRF Connect on the Samsung phone. They bond correctly but nRF Sniffer behaves the same, with "Encrypted packet decrypted incorrectly" immediately after the LL_START_ENC_REQ packet.

sniffer_pca10040_mic_recover_v2_18Dec2018.hex

This seems to perform better for MIC failure. can you test this and let me know.

Edit: Updated hex fix

Acutetech I'm having an identical issue with Wireshark 3.0.1 with the latest nrf sniffer nrfsniffer200beta312oct20181c2a221 with the nRF52840 DK board. I can't seem to get decryption to work reliably, I do sometimes see correct value at the attribute even with the MIC error message but it only works for the first few transmissions before it't completely broken. Were you ever able to resolve this issue?

I could not resolve the problem and gave up.

This is pure speculation: I had another problem with notification data being corrupted, which was later fixed by a library update, or similar (I think to BLE Library 2.0.4). I wonder if there could be a connection? For this other problem see devzone.nordicsemi.com/.../167037

There is a new release being worked on to fix encryption issues and seems to perform better.nrf_sniffer_2.0.0-temp_beta-4_2May2019_47b3f5f.zip

You can try this and let me know if this works better. Unfortunately this snapshot that I uploaded here has not yet been tested for passkey but has been tested for Justworks pairing.

Edited: The sniffing of encrypted link  is improved only for the nRF52xxx based development kits, the performance of the nRF51 based development kits when used as sniffer remains the same as the previous release.

David, I used the file you provided, although I had to change the contents of the nrf_sniffer.bat file to get Wireshark to recognize the devboard.

@echo off
python "%~dp0nrf_sniffer.py"  %*

The bad MIC error is still there, it seems that it decrypts the first few transactions correctly and then starts to fail and doesn't recover. What seems to work better is the disconnect/reconnect detection, in the previous build I could never get packets when there was a disconnect and the strap started advertising or when it tried to establish a new connection.

David, I used the file you provided, although I had to change the contents of the nrf_sniffer.bat file to get Wireshark to recognize the devboard.

@echo off
python "%~dp0nrf_sniffer.py"  %*

The bad MIC error is still there, it seems that it decrypts the first few transactions correctly and then starts to fail and doesn't recover. What seems to work better is the disconnect/reconnect detection, in the previous build I could never get packets when there was a disconnect and the strap started advertising or when it tried to establish a new connection.

Can you share your pcap file ?

<<Reminder>> : Can you share your pcap file

Additional comment:

Make sure that the sniffer board is between the central and peripheral.
Keep a minimum separation of about 10cm between the sniffer and the other boards.
(the sniffer's ability to decrypt is still sensitive to packet loss)