nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Øyvind — Wed, 17 Apr 2024 06:30:14 GMT

Hi Kay, as this ticket is fairly old please open a new ticket and provide a description of your issue and what environment you are running.

Thanks.

Kind regards,
Øyvind

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

kaushalyasat — Wed, 17 Apr 2024 03:29:49 GMT

Hi Stig,

Apologies for breaking in like this. I have the same issue. I am not using a script but standard Wireshark UI.

Could you please elaborate a bit more on how you solved this?

Thanks,

Kay

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Ayoub GH — Thu, 12 Aug 2021 13:47:20 GMT

I thank you for your answer and for all this very useful information, it allowed me to understand well the problem of the sniffer.

I have two other questions to ask you about this problem:
- Why does it sometimes work very well and I have no problem decrypting package with python sniffer ?

- Since it seems it's a problem of configuration of sub layers (Coap, 6LowPan, IPv6, IEEE 802.15.4 ...) in my python script, is there a way to configure the sniffer in Python? At the moment, I only use extcap_capture function, however in wireshark, I followed the explainations in the folowing documentation :
infocenter.nordicsemi.com/.../nRF_Sniffer_802154_User_Guide_v0.7.2.pdf

Whould you know the needed function to do a correct configuration with Python librarires?

Best regards,

Ayoub GH

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Stig — Wed, 11 Aug 2021 19:48:21 GMT

In Pcap_Failed you are missing a 802.15.4 Broadcast packet with full source address to be able to recreate the "Extended Address" (needed for decryption) on packets without full source address. You can see this in "Source Address Mode" Long vs. Short in the 802.15.4 Frame Control Field, and the following "No extended source address - can't decrypt" warning from Wireshark. In working packets you will find a "Origin" field with a reference to this Broadcast packet.

In Pcap_Passed you have several of this packets in the beginning.

In the attached Pcap_Failed_Fixed I have manually copied packet 6 to the beginning of the file, and then the decryption should work.

devzone.nordicsemi.com/.../Pcap_5F00_Failed_5F00_Fixed.pcap

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Øyvind — Wed, 11 Aug 2021 18:04:53 GMT

Our experts is not able to reproduce and answers that it looks good to him. Looking at the pcap file, he does not suspect an issue with the python script either.

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Ayoub GH — Wed, 11 Aug 2021 13:49:40 GMT

I use Wireshark version 3.4.6

For the encryption key here is the screenshot:

Best regards,

Ayoub GH

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Øyvind — Wed, 11 Aug 2021 13:37:59 GMT

I've forwarded these to one of our WireShark experts. He replies that it works for him. What version of Wireshark are you running?

Here is the "failed" file at his end. Note that without encryption key, it is not possible to see CoAP content:

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Ayoub GH — Wed, 11 Aug 2021 09:07:00 GMT

Hello,

Attached are the two Pcap files:

Pcap_Failed.pcap: this is the file generated with the python script. Pcap_Passed.pcap: this is the file save with Wireshark

Note: In the pcap_Passed file, packets from 16 to 22 should match packets from 1 to 7 in the pcap_Failed.pcap file

Thanks,

Best regards,

Ayoub GH

,devzone.nordicsemi.com/.../Pcap_5F00_Failed.pcap devzone.nordicsemi.com/.../Pcap_5F00_Passed.pcapng

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Øyvind — Wed, 11 Aug 2021 08:49:01 GMT

Hello, can you please provide both pcaps, one working and one failing?

Thanks.

Kind regards,
Øyvind

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Ayoub GH — Tue, 10 Aug 2021 13:11:20 GMT

the problem is that when I sniff with a python script, the packets are not well analyzed. but when I use Wireshark the packets are well captured.

Attached is the screenshot of the Pcap file generated with the python script and the Wireshark capture.

in the attached photo the colored lines (orange, blue, green) in the python script should be like the colored lines in Wireshark.

We also note that the time corresponds well to what is captured by Wireshark, but the capture stops in the IEEE 802.15.4 layer instead of going to the CoAP layer

Note: the sniff with python and with Wireshark are launched at the same time

RE: nRF Sniffer integration for 802.15.4 in a python scipt (Pcap file problems)

Øyvind — Tue, 10 Aug 2021 12:55:43 GMT

Hello,

I'm not sure I understand the question. Can you please elaborate more on what you are trying to achieve?

Thank you.

Kind regards,
Øyvind