This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Understanding Wireshark logs

Hi,

I am trying to understand Wireshark logs when sniffing packets. Please check the attachment. I have been reading about the description of advertising packets. Can you please check my logs and explain me which are the actual data packets? These logs were captured for BLE_UART example.uart_log.pcapng

Parents
  • Hello,

    I looked at your sniffer log, and it contains a lot of advertising devices, not only your BLE UART device. I can't see that the devices actually connect from your log, and I can't see the packets from when they are in a connection (these packages are on different channels than the advertising channels). I see that there are many different devices by the source addresses of the devices.

    If you want to capture the packets from your connection you have to select your device from the drop down menu near the top of the wireshark window. When it is selected the sniffer will filter out any other BLE packets, and it will follow the channel hopping when a device connects to your UART device.

    So to answer your question, the data packets are not included in this sniffer trace. If you filter on the Nordic UART device before you connect, you should be able to see the data packets in between the empty PDU packets that will be sent each connection interval if the devices doesn't have any actual payload to send.

    Let me know if you still can't find them after filtering on your device.

    Best regards,

    Edvin

Reply
  • Hello,

    I looked at your sniffer log, and it contains a lot of advertising devices, not only your BLE UART device. I can't see that the devices actually connect from your log, and I can't see the packets from when they are in a connection (these packages are on different channels than the advertising channels). I see that there are many different devices by the source addresses of the devices.

    If you want to capture the packets from your connection you have to select your device from the drop down menu near the top of the wireshark window. When it is selected the sniffer will filter out any other BLE packets, and it will follow the channel hopping when a device connects to your UART device.

    So to answer your question, the data packets are not included in this sniffer trace. If you filter on the Nordic UART device before you connect, you should be able to see the data packets in between the empty PDU packets that will be sent each connection interval if the devices doesn't have any actual payload to send.

    Let me know if you still can't find them after filtering on your device.

    Best regards,

    Edvin

Children
  • So nordic DK with Wireshark, does it act as hardware or software protocol analyzer?

  • I checked with ble_blinky code and have attached the wireshark log. Can you please point out the actual data packets from attached log? 

    blinky.pcapng

  • All the Empty PDU packets that you see are empty packets. Each device has to send one packet per connection interval, so they are Empty PDU packets unless it has some useful data to send.

    So, the data packets look a bit different depending on what your application is doing. Who is sending the data, and whether or not it is notifications or not.

    In the ble_app_blinky example, it is the master/central who is controlling the LED of the slave/peripheral. This means that the master is sending a write request, and the slave is responding with a write response.

    In the sniffertrace that you sent, there are first a lot of advertising packets. On packet 11908, you can see the connection request from the master. Then there are some connection establishing packets back and forth. If you look on packet 13325, you can see that the master is sending a write request with value 00. On packet 13328 the slave responds, saying that the request was granted, and now the value has changed.

    Then, on packet 13329 the master sends a read request, and packet 13332 is a response, with the value of the read request (which is 0x00, which is what the master wrote). 

    On packet 13333 the the master sends a new write request, now with value 0x01, and the slave responds on 13336, the master sends a read request on 13337 and the read response from the slave is on 13340.

    So all these packets are coming from the master toggling the LED on the slave.

    If you compare this with an example where the slave/peripheral is pushing data to the master/central through notifications, it will look a bit different. You can test with e.g. the ble_app_uart example. There the peripheral will just push the data to the master whenever it is updated. There are no read/write requests/responses on these when the peripheral is sending packets. But you will see the requests/responses when the master is writing back to the peripheral.

    Best regards,

    Edvin

  • That's a pretty nice explanation Edvin!! Thanks. Next I'll try with ble_app_uart example. One more question where are you checking the values or changes in values?

  • bscdb said:
    One more question where are you checking the values or changes in values?

     That is a pretty open question. Do you mean in the sniffer log? That would be the read requests. Do you mean in the source code? Are you talking about the peripheral or the central? 

Related