
Wireshark seeing malformed packets

Open jsmif opened this issue 2 years ago • 0 comments

On Ubuntu 20.04, when I run the following:

btlejack -c any -w /tmp/ble -o ble_test.pcap
BtleJack version 2.1

[i] No output format supplied, pcap format will be used
[i] Waiting for wireshark ...
[i] Detected sniffers:
 > Sniffer #0: version 2.1
LL Data: 45 22 aa 82 1d 47 e1 6c aa 94 a1 0e 6c 94 95 84 9a af b3 35 fa 03 14 00 18 00 00 00 48 00 00 00 c0 d7 0f 0e
[i] Got CONNECT_REQ packet from 6c:e1:47:1d:82:aa to 94:6c:0e:a1:94:aa
 |-- Access Address: 0xaf9a8495
 |-- CRC Init value: 0xfa35b3
 |-- Hop interval: 24
 |-- Hop increment: 14
 |-- Channel Map: 0fd7c00000
 |-- Timeout: 720 ms

LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02
LL Data: 03 06 0c 0b 0f 00 11 02

Wireshark/tshark sees the following:

tshark -i /tmp/ble
Capturing on '/tmp/ble'
    1   0.000000 af:9a:84:95:94:aa → Renasis_fa:35:aa LE LL 33 ADV_DIRECT_IND
    2   0.019143              →              LE LL 7 UnknownDirection [Malformed Packet]
    3   0.049076              →              LE LL 7 UnknownDirection [Malformed Packet]
    4   0.079197              →              LE LL 7 UnknownDirection [Malformed Packet]
    5   0.109192              →              LE LL 7 UnknownDirection [Malformed Packet]
    6   0.139112              →              LE LL 7 UnknownDirection [Malformed Packet]
    7   0.169077              →              LE LL 7 UnknownDirection [Malformed Packet]
    8   0.199098              →              LE LL 7 UnknownDirection [Malformed Packet]

I thought perhaps it was because of the older version of Wireshark I'm running (to use someone else's custom BLE dissector), but I copied the ble_test.pcap to a system with the latest version of Wireshark, and it also saw the packets as malformed.

I'm also wondering why btlejack says it's seeing a CONNECT_REQ but Wireshark thinks it's an ADV_DIRECT_IND.

Am I doing something wrong on my end?

jsmif, May 05 '23 13:05
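The first "LL Data" line btlejack prints is the raw CONNECT_REQ PDU (header, InitA, AdvA, 22-byte LLData), and the repeated 8-byte lines are data-channel PDUs, so both can be decoded by hand against the Bluetooth Core Specification layouts (Vol 6, Part B) and compared with what btlejack and Wireshark report. The decoder below is an added example, not btlejack's own code; the byte strings are copied from the issue text above, and the field layouts, PDU-type table, LL_VERSION_IND format and version-number table come from the specification. Applied to the bytes in the post it reproduces every value btlejack printed (access address 0xaf9a8495, CRC init 0xfa35b3, hop interval 24, hop increment 14, channel map 0fd7c00000, timeout 720 ms) and shows that the header byte 0x45 has PDU type 5 (CONNECT_IND, called CONNECT_REQ in Bluetooth 4.x), whereas ADV_DIRECT_IND would be type 1; the repeated data PDU decodes as an LL_VERSION_IND control PDU.

```python
"""Decode the raw LE link-layer PDUs quoted in the issue above.

Added example, not btlejack's own code. Field layouts follow the
Bluetooth Core Specification (Vol 6, Part B): advertising-channel PDU
header, CONNECT_IND LLData, data-channel PDU header, LL_VERSION_IND.
The sample bytes are copied from the btlejack output in the issue.
"""
import struct

# Bytes exactly as btlejack printed them in the issue.
CONNECT_REQ_HEX = ("45 22 aa 82 1d 47 e1 6c aa 94 a1 0e 6c 94 95 84 9a af "
                   "b3 35 fa 03 14 00 18 00 00 00 48 00 00 00 c0 d7 0f 0e")
DATA_PDU_HEX = "03 06 0c 0b 0f 00 11 02"

# Advertising-channel PDU types: low nibble of the first header byte.
ADV_PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
                 0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND",
                 0x6: "ADV_SCAN_IND"}
# LL control opcode and LL_VERSION_IND VersNr values relevant to the capture.
LL_CTRL_OPCODES = {0x0c: "LL_VERSION_IND"}
BT_VERSIONS = {0x06: "4.0", 0x07: "4.1", 0x08: "4.2", 0x09: "5.0",
               0x0a: "5.1", 0x0b: "5.2", 0x0c: "5.3", 0x0d: "5.4"}


def mac(raw6: bytes) -> str:
    """Addresses go over the air LSB first; print them MSB first like btlejack."""
    return ":".join(f"{b:02x}" for b in reversed(raw6))


def adv_pdu_type(header_byte: int) -> str:
    """Name the advertising PDU from its header byte (0x45 -> CONNECT_IND)."""
    t = header_byte & 0x0F
    return ADV_PDU_TYPES.get(t, f"reserved({t:#x})")


def parse_connect_ind(pdu: bytes) -> dict:
    """Parse header + InitA + AdvA + 22-byte LLData of a CONNECT_IND/CONNECT_REQ."""
    header, length = pdu[0], pdu[1]
    if header & 0x0F != 0x5:
        raise ValueError(f"not a CONNECT_IND: {adv_pdu_type(header)}")
    if length != 34 or len(pdu) < 36:
        raise ValueError("CONNECT_IND payload must be exactly 34 bytes")
    init_a, adv_a, ll = pdu[2:8], pdu[8:14], pdu[14:36]
    access_address = int.from_bytes(ll[0:4], "little")
    crc_init = int.from_bytes(ll[4:7], "little")
    win_size = ll[7]
    win_offset, interval, latency, timeout = struct.unpack("<HHHH", ll[8:16])
    chm = ll[16:21]                      # 37-bit map, bit i = data channel i
    hop = ll[21] & 0x1F                  # low 5 bits: hop increment
    sca = ll[21] >> 5                    # top 3 bits: sleep clock accuracy
    used = [ch for ch in range(37) if (chm[ch // 8] >> (ch % 8)) & 1]
    return {
        "init_a": mac(init_a), "adv_a": mac(adv_a),
        "access_address": access_address, "crc_init": crc_init,
        "win_size": win_size, "win_offset": win_offset,
        "interval": interval, "interval_ms": interval * 1.25,   # units of 1.25 ms
        "latency": latency, "timeout_ms": timeout * 10,        # units of 10 ms
        "channel_map_hex": chm[::-1].hex(),   # MSB first, as btlejack prints it
        "used_channels": used, "hop": hop, "sca": sca,
    }


def parse_data_pdu(pdu: bytes) -> dict:
    """Parse a data-channel PDU header; decode LL_VERSION_IND if present."""
    header, length = pdu[0], pdu[1]
    out = {"llid": header & 0x03, "nesn": (header >> 2) & 1, "sn": (header >> 3) & 1,
           "md": (header >> 4) & 1, "length": length, "payload": pdu[2:2 + length]}
    if out["llid"] == 3 and length >= 1:        # LLID 3 = LL Control PDU
        opcode = out["payload"][0]
        out["opcode"] = LL_CTRL_OPCODES.get(opcode, f"opcode {opcode:#04x}")
        if opcode == 0x0C and length == 6:       # VersNr(1) CompId(2) SubVersNr(2)
            vers, comp, sub = struct.unpack("<BHH", out["payload"][1:6])
            out.update(version=BT_VERSIONS.get(vers, f"{vers:#04x}"),
                       company_id=comp, subversion=sub)
    return out


if __name__ == "__main__":
    print("header 0x45 ->", adv_pdu_type(0x45))
    for k, v in parse_connect_ind(bytes.fromhex(CONNECT_REQ_HEX)).items():
        print(f"  {k}: {v:#x}" if k in ("access_address", "crc_init") else f"  {k}: {v}")
    print(parse_data_pdu(bytes.fromhex(DATA_PDU_HEX)))
```

The decoded interval (24 units of 1.25 ms = 30 ms) matches the roughly 30 ms spacing of the frame timestamps in the tshark output above, which is a useful sanity check that the connection parameters btlejack printed are consistent with the capture even though Wireshark flags the data frames as malformed.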