nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Hello, 

I'm not sure I understand the question. Can you please elaborate more on what you are trying to achieve?

Thank you.

Kind regards,
Øyvind

the problem is that when I sniff with a python script, the packets are not well analyzed. but when I use Wireshark the packets are well captured.

Attached is the screenshot of the Pcap file generated with the python script and the Wireshark capture.

in the attached photo the colored lines (orange, blue, green) in the python script should be like the colored lines in Wireshark.

We also note that the time corresponds well to what is captured by Wireshark, but the capture stops in the IEEE 802.15.4 layer instead of going to the CoAP layer

Note: the sniff with python and with Wireshark are launched at the same time

Hello,

Attached are the two Pcap files:

Pcap_Failed.pcap: this is the file generated with the python script.                                              Pcap_Passed.pcap: this is the file save with Wireshark

Note: In the pcap_Passed file, packets from 16 to 22 should match packets from 1 to 7 in the pcap_Failed.pcap file

Thanks, 

Best regards,

Ayoub GH

,Pcap_Failed.pcapPcap_Passed.pcapng

I've forwarded these to one of our WireShark experts. He replies that it works for him. What version of Wireshark are you running?

Here is the "failed" file at his end. Note that without encryption key, it is not possible to see CoAP content:

I use Wireshark version 3.4.6

For the encryption key here is the screenshot:

Best regards,

Ayoub GH

Our experts is not able to reproduce and answers that it looks good to him. Looking at the pcap file, he does not suspect an issue with the python script either. 

In Pcap_Failed you are missing a 802.15.4 Broadcast packet with full source address to be able to recreate the "Extended Address" (needed for decryption) on packets without full source address. You can see this in "Source Address Mode" Long vs. Short in the 802.15.4 Frame Control Field, and the following "No extended source address - can't decrypt" warning from Wireshark. In working packets you will find a "Origin" field with a reference to this Broadcast packet.

In Pcap_Passed you have several of this packets in the beginning.

In the attached Pcap_Failed_Fixed I have manually copied packet 6 to the beginning of the file, and then the decryption should work.

Pcap_Failed_Fixed.pcap

In Pcap_Failed you are missing a 802.15.4 Broadcast packet with full source address to be able to recreate the "Extended Address" (needed for decryption) on packets without full source address. You can see this in "Source Address Mode" Long vs. Short in the 802.15.4 Frame Control Field, and the following "No extended source address - can't decrypt" warning from Wireshark. In working packets you will find a "Origin" field with a reference to this Broadcast packet.

In Pcap_Passed you have several of this packets in the beginning.

In the attached Pcap_Failed_Fixed I have manually copied packet 6 to the beginning of the file, and then the decryption should work.

Pcap_Failed_Fixed.pcap

Hi Stig,

Apologies for breaking in like this. I have the same issue. I am not using a script but standard Wireshark UI. 

Could you please elaborate a bit more on how you solved this?

Thanks,

Kay

Hi Kay, as this ticket is fairly old please open a new ticket and provide a description of your issue and what environment you are running. 

Thanks. 

Kind regards,
Øyvind