This article explains how to use the STM32 Sniffer for Bluetooth® LE with Wireshark. It assumes that you have already installed the sniffer; if that is not the case, you can follow this guide.
1. Starting the capture
Plug in your sniffer board and open Wireshark.
1.1. Optional configuration
- In Wireshark, click on the wheel on the left of the STM32 sniffer interface to open the interface configuration menu.
- The channel index parameter is the channel on which the sniffer will listen when started. It can be changed later on the fly. By default it is channel index 39.
- This is the channel index, not the frequency index (e.g., the primary advertising channel indexes are 37, 38 and 39).
Optional parameter |
---|
1.2. Launching the capture
To start the capture:
or
Optional parameter |
---|
1.3. Sniffer started
You should now see the advertising packets on the channel you configured.
Optional parameter |
---|
2. Following a connection
Once the sniffer is started, it reports advertising packets, scan requests and scan responses of all devices. You can then set the BD address of the target device that you want to follow when a connection to it occurs.
Setting a target to follow |
---|
Now you should only see:
- Advertising and scan response packets from the target
- Scan requests to the target
- Connection packets from and to the target
Target set |
---|
If no more packets come in after setting the target, either:
- There is no device with this BD address advertising on this channel
- The sniffer has not received the command. Set the target again (you need to make a change to the field before it can be applied: just delete the last digit and re-enter it)
Now, if a device connects to your target and the sniffer intercepts the CONNECT_IND packet, you will start to see the communications between the two devices.
Connection intercepted |
---|
Now you have some additional data:
- The direction column indicates the direction of the packets
- The color of the lines is alternating for each connection event
If the connection is terminated or if the sniffer loses it, the sniffer returns to the advertising channel you configured before.
3. Multiple interfaces capture
Because the sniffer can listen to only one channel at a time, capturing from multiple hardware interfaces can be very useful. You can capture the traffic on all advertising channels and pick up the connect request no matter which channel it happens on. You can also follow multiple links.
To capture with multiple sniffers, plug in your boards, then start the capture:
Start capturing from multiple interfaces |
---|
During the capture you can identify on which sniffer the packets have been captured:
Capture example from multiple interfaces |
---|
To control each sniffer:
Controlling multiple interfaces |
---|
If you want each sniffer to be able to intercept a connection, enter the target BD address for each sniffer.
4. Key input
For links that will be encrypted without debug mode or legacy pairing Just Works, the sniffer needs additional data to decrypt the traffic. On the right side of the toolbar, there is a key type selector and an associated value field. This input lets you provide data that the sniffer cannot learn just by listening to the over-the-air communications. You can provide the following data:
- Legacy passkey: The key entered shall be 128 bits wide. The passkey shall be zero-padded. For example, if the passkey was 401190 (decimal) -> 0x61F26 (hexadecimal), you shall enter: 00000000000000000000000000061F26.
- Legacy OOB data: The key entered shall be 128 bits wide. The value shall be entered with the most significant octet (MSO) as the leftmost byte.
- LTK: The key entered shall be 128 bits wide. The value shall be entered with the MSO as the leftmost byte. The key is used during a secure connection pairing if none of the devices is in debug mode.
The key shall be entered:
- Before the pairing starts, for the legacy passkey and OOB data
- Before the LL encryption start for the LTK
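One way to prepare values for the key input field described above, as an added example that is not part of the sniffer software: the function names are hypothetical, the sample LTK is constructed, and the `lso_first` option assumes your key source lists the least significant octet first.

```python
import re

HEX_DIGITS = 128 // 4  # the key field expects a 128-bit value: 32 hex digits


def passkey_to_key_field(passkey: int) -> str:
    """Convert a legacy pairing passkey (decimal) to zero-padded 128-bit hex."""
    if not 0 <= passkey <= 999_999:
        raise ValueError("a legacy passkey is a decimal number from 0 to 999999")
    return f"{passkey:0{HEX_DIGITS}X}"


def hex_key_to_key_field(text: str, lso_first: bool = False) -> str:
    """Normalize an LTK or OOB value to 32 hex digits with the MSO leftmost.

    Separators (spaces, ':' and '-') and a leading '0x' are stripped.
    Set lso_first=True when the input lists the least significant octet
    first (assumption about the source of the key); bytes are then reversed.
    Short values are rejected rather than padded, so a truncated copy/paste
    is caught before it silently fails to decrypt the capture.
    """
    cleaned = re.sub(r"[\s:\-]", "", text)
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if len(cleaned) != HEX_DIGITS or not re.fullmatch(r"[0-9A-Fa-f]+", cleaned):
        raise ValueError(f"expected exactly {HEX_DIGITS} hex digits (128 bits)")
    raw = bytes.fromhex(cleaned)
    if lso_first:
        raw = raw[::-1]
    return raw.hex().upper()


if __name__ == "__main__":
    # Passkey from the article's example
    print(passkey_to_key_field(401190))
    # Constructed sample LTK, listed least significant octet first
    sample = "FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00"
    print(hex_key_to_key_field(sample, lso_first=True))
```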