androidbluetoothbluetooth-lowenergypacket-snifferssniffer

Why does using pyshark giving me inappropriate results with BLE PCAP


I have limited experience with pyshark/scapy, such as capture Bluetooth low energy from sniffer devices. I have unsuccessfully searched for a solution. Any thoughts or suggestions on how to achieve this are welcome. Thanks in advance.

Setup:

I have two sniffer devices which are the Ubertooth one and nrf51-DK. A smartwatch with BLE 4.1 and Android smartphone. The platform is ubuntu 14.04.

Goal:

My goal is to capture the communication between the smartwatch and phone, during the operation of an app(for example: album or browser). All I need is the packet length, source, and destination address.

Current Status:

Initially, I started with nrf51-DK. It doesn't capture from the pairing process, so I bought the Ubertooth device, It shows the paring process, but it doesn't show any other useful components of communication between the two devices. But, there is something called "unknown", seen in the image below.

Wireshark with no Source and Destination in Unknown info

Questions:

1. Is it possible to capture at least 90% of the transmission between the smartwatch and smartphone?

  1. The Wireshark didn't display any address(Source and Destination). Am I still able to decode "Unknow" by using pyshark/scapy?

Notes:

For question 1, I've looked around and found the following:

"This feature causes the MAC address within the advertising packets to be replaced with a random value that changes at timing intervals determined by the manufacturer. Any malicious device(s), placed at intervals along your travel route, would not be able to determine that the series of different, randomly generated MAC addresses received from your device actually relates to the same physical device. It actually looks like a series of different devices, thus, it will not be possible to track you using the advertised MAC address"

so I'm not really sure that the Ubertooth-one or other sniffer devices are able to capture 90% of the transmission.

For question 2, I have saved the PCAP file and trying using pyshark and scapy to display the source and destination address in python, but it doesn't contain an address:

cap = pyshark.FileCapture('Test_1.pcap')
print(cap[2].ip.src)

OUTPUT:

pyshark.tshark.tshar.TsharkNotFoundException: Tshark not found. Try adding its location to the configuration file.

I guess the version of my Wireshark is lower than the pyshark requirement. (current: 1.12.1). But, I have to use the older version of the Wireshark for my sniffer device. Therefore, I'm not really sure if the older version Wireshark cause the problem or the way I'm using pyshark is wrong.

question 2 update:

apt install tshark

I wanted to know if it is good practice to do so, and if not, what would be the best way to achieve this?


Solution

  • As long as the sniffer catches the CONNECT_IND packet (previously called CONNECT_REQ), it will be able to follow the whole connection. Naturally, some packets might be missed if the signal isn't good enough. If a channel map or connection parameter update takes place, it's vital that the sniffer gets this packet (otherwise it will lose sync with the connection).

    The Bluetooth Device Address is not sent in every packet. It is only sent in the CONNECT_IND packet (and the advertisement packet).

    The problem you have with Wireshark is probably because you decode it using the wrong plugin/decoding format. See the documentation for your sniffer.