Hello All,
I am trying to add full Bluetooth support to a Wireshark. Wireshark can be
used as replacement for "hcidump" or other GUI applications for displaying
Bluetooth frames/packets.
Currently Wireshark support:
1. Sniffing via Bluetooth dongle
2. Protocols/Profiles:
HCI (without BLE)
L2CAP
SDP (little broken)
RFCOMM 1.1
OBEX (so all OBEX profiles can be treat as supported)
AMP
HID 1.0
SAP 1.1
BNEP 1.0
AVCTP 1.4
AVRCP 1.5
At this moment I am working on: (finishing)
1. ATT
2. HCRP
3. MCAP
4. AVDTP/A2DP/VDP
So I need a lot of Bluetooth logs to test them. Could you send me all your
logs? Profile or protocol there is not important [SAP? OK!], but only
BT SNOOP format is requires, of course PCAP too. Please share your logs, to my e-mail or wherever you want,.
I guess logs may be useful for other BlueZ developer too (so... logs database?)
I will be very happy if somebody send me AVDTP/A2DP/VDP logs where used all
known codecs (mean MPEG12_AUDIO//MPEG24_AAC/ATRAC/ H263/MPEG4)
Try Wireshark :)
PS. "tshark -r hcidump.log" is similar to "hcidump"
Regards / Pozdrawiam
-------------------------------------------------------------------------------------------------------------
Micha? ?ab?dzki
ASCII: Michal Labedzki
e-mail: [email protected]
---
Tieto Corporation / Tieto Poland
http://www.tieto.com / http://www.tieto.pl
---
Tieto Poland sp??ka z ograniczon? odpowiedzialno?ci? z siedzib? w Szczecinie, ul. Malczewskiego 26. Zarejestrowana w S?dzie Rejonowym Szczecin-Centrum w Szczecinie, XIII Wydzia? Gospodarczy Krajowego Rejestru S?dowego pod numerem 0000124858. NIP: 8542085557. REGON: 812023656. Kapita? zak?adowy: 4 271500 PLN
Hi Michal,
> Have you looked into supporting the new HCI_CHANNEL_MONITOR available in
> recent kernels? There's a very simple "btmon" command-line tool for it
> in bluez.git (see e.g. monitor/control.c) but it can't do any kind of
> high-level decoding (e.g. profiles). It'd be interesting to know if it
> could be easily supported in wireshark since right now there doesn't
> seem to be a viable way of porting decoders from hcidump to btmon due to
> their very different ways of handling buffers etc.
>
> One of the big benefits of the monitor channel compared traditional HCI
> sockets is that you get dynamic notifications of added and removed
> adapters including the very early HCI traffic that occurs. In the long
> run I think the idea is to add also "replay" connection events for
> existing ACL and L2CAP links so that you'd get the right protocol
> decoded even if you start logging when the connection already exists.
I can only second this. Wireshark should only be using the new monitor
socket that we introduced. It could be compared to the pseudo interface
for network interfaces with extra information about added and removed
adapters. It will also tell you if you see a BR/EDR/LE controller vs AMP
controller HCI device.
Especially if you want to do Bluetooth High-Speed debugging, you need to
be able to trace a BR/EDR/LE controller + AMP controller at the same
time.
In addition it will tell you the BD_ADDR of the controller even if you
missed the initial setup HCI packets. That allows for an unique matching
of traffic from different HCI devices even after unplug-replug and their
device names and indexes differ.
The protocol for it is documented in include/net/bluetooth/hci_mon.h in
the kernel code. It is really simple and does support SCM_TIMESTAMP.
Regards
Marcel
Hi MichaĆ,
On Fri, Sep 28, 2012 at 04:07:44PM +0300, [email protected] wrote:
> Hello All,
>
> I am trying to add full Bluetooth support to a Wireshark. Wireshark can be
> used as replacement for "hcidump" or other GUI applications for displaying
> Bluetooth frames/packets.
>
> Currently Wireshark support:
> 1. Sniffing via Bluetooth dongle
> 2. Protocols/Profiles:
> HCI (without BLE)
HCI also does not have full support for AMP HCI commands. I can send that
log.
Best regards
Andrei Emeltchenko
Hi Michal,
On Fri, Sep 28, 2012, [email protected] wrote:
> I am trying to add full Bluetooth support to a Wireshark. Wireshark can be
> used as replacement for "hcidump" or other GUI applications for displaying
> Bluetooth frames/packets.
>
> Currently Wireshark support:
> 1. Sniffing via Bluetooth dongle
> 2. Protocols/Profiles:
> HCI (without BLE)
> L2CAP
> SDP (little broken)
> RFCOMM 1.1
> OBEX (so all OBEX profiles can be treat as supported)
> AMP
> HID 1.0
> SAP 1.1
> BNEP 1.0
> AVCTP 1.4
> AVRCP 1.5
>
> At this moment I am working on: (finishing)
> 1. ATT
> 2. HCRP
> 3. MCAP
> 4. AVDTP/A2DP/VDP
Have you looked into supporting the new HCI_CHANNEL_MONITOR available in
recent kernels? There's a very simple "btmon" command-line tool for it
in bluez.git (see e.g. monitor/control.c) but it can't do any kind of
high-level decoding (e.g. profiles). It'd be interesting to know if it
could be easily supported in wireshark since right now there doesn't
seem to be a viable way of porting decoders from hcidump to btmon due to
their very different ways of handling buffers etc.
One of the big benefits of the monitor channel compared traditional HCI
sockets is that you get dynamic notifications of added and removed
adapters including the very early HCI traffic that occurs. In the long
run I think the idea is to add also "replay" connection events for
existing ACL and L2CAP links so that you'd get the right protocol
decoded even if you start logging when the connection already exists.
Johan
Hi Michal,
> > I think you must have misunderstood what I was trying to say. Did you
> > actually look into what the monitor socket we talked about is? I wasn't
> > trying to say wireshark shouldn't be used (so no point in iterating it's
> > benefits - you've already convinced me) but that its Bluetooth decoding
> > support be ported from traditional HCI sockets to use monitor sockets
> > instead. This wouldn't give us any new decoders to wireshark but it
> > would allow early HCI traffic decoding (e.g. on plugged in USB dongles)
>
> Hmm... Do you mean something like:
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5032
that is Bluetooth HCI data inside USB traffic captured via usbmon
interfaces. Would work as well, but you need a lot of filtering to get
the right data that you are looking for. Especially problematic if the
device is not on USB or split across multiple USB busses. Which is
possible with Bluetooth 3.0 HighSpeed.
The Bluetooth monitor socket would give all at once. And will also give
you some extra data in case you missed the initial packets when the
adapter was plugged in. Like type (BR/EDR vs AMP) and address.
> I will look at that and I this is on my TODO list. But please note that my first goal is add
> full Bluetooth stack support to Wireshark (profiles and protocols). When this will be done I want to and other stuff like BToverUSB, etc.
You will never be done with all profiles and protocols. I have been
working with Bluetooth for over 11 years, they will always come with
another protocol or profile.
> The purpose of my visit here is fetch some needed logs for testing new dissectors and present this new tool to all Bluetooth developers here.
> And of course I very like new idea.
>
> New monitor sockets is not very important for now, I focus on decoding dump files (I do not have any real devices to live-capture testing).
> It is ok for future. By the way, this sounds like task for libpcap, not really Wireshark (by I am not familiar with internals yet)
Maybe it should be added to libpcap, but nevertheless it needs to be
done. It is the only way to get reliable data from the system these
days. The kernel is taking more and more control. And that becomes hard
to capture from userspace since it will be by definition too late.
> > which isn't possible with current wireshark or hcidump and context
> > discovery when tracing is started after there already exists
> > connections.
>
> > Considering these benefits monitor sockets compared to HCI ones is it
> > something you might be interested in implementing?
>
> Is that stable?
Yes, it is stable.
> Hmmm... Has anyone logs? :)
It is like HCI with an extra header. Look at hci_mon.h.
Regards
Marcel
Hi Johan,
> I think you must have misunderstood what I was trying to say. Did you
> actually look into what the monitor socket we talked about is? I wasn't
> trying to say wireshark shouldn't be used (so no point in iterating it's
> benefits - you've already convinced me) but that its Bluetooth decoding
> support be ported from traditional HCI sockets to use monitor sockets
> instead. This wouldn't give us any new decoders to wireshark but it
> would allow early HCI traffic decoding (e.g. on plugged in USB dongles)
Hmm... Do you mean something like:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5032
I will look at that and I this is on my TODO list. But please note that my first goal is add
full Bluetooth stack support to Wireshark (profiles and protocols). When this will be done I want to and other stuff like BToverUSB, etc.
The purpose of my visit here is fetch some needed logs for testing new dissectors and present this new tool to all Bluetooth developers here.
And of course I very like new idea.
New monitor sockets is not very important for now, I focus on decoding dump files (I do not have any real devices to live-capture testing).
It is ok for future. By the way, this sounds like task for libpcap, not really Wireshark (by I am not familiar with internals yet)
> which isn't possible with current wireshark or hcidump and context
> discovery when tracing is started after there already exists
> connections.
> Considering these benefits monitor sockets compared to HCI ones is it
> something you might be interested in implementing?
Is that stable?
Hmmm... Has anyone logs? :)
Regards / Pozdrawiam
-------------------------------------------------------------------------------------------------------------
Micha? ?ab?dzki
ASCII: Michal Labedzki
e-mail: [email protected]
location: Poland, Wroc?aw, Legnicka 55F
---
Tieto Corporation / Tieto Poland
http://www.tieto.com / http://www.tieto.pl
---
Tieto Poland sp??ka z ograniczon? odpowiedzialno?ci? z siedzib? w Szczecinie, ul. Malczewskiego 26. Zarejestrowana w S?dzie Rejonowym Szczecin-Centrum w Szczecinie, XIII Wydzia? Gospodarczy Krajowego Rejestru S?dowego pod numerem 0000124858. NIP: 8542085557. REGON: 812023656. Kapita? zak?adowy: 4 271500 PLN
Hi Michal,
On Wed, Oct 03, 2012, [email protected] wrote:
> > but it can't do any kind of high-level decoding (e.g. profiles).
> > It'd be interesting to know if it could be easily supported in
> > wireshark since right now there doesn't seem to be a viable way of
> > porting decoders from hcidump to btmon due to their very different
> > ways of handling buffers etc.
>
> Johan, I guess Wireshark support decoding what do you need (expect
> ongoing tasks). If you have another idea how do decoding, please share
> it. Power of Wireshark is:
I think you must have misunderstood what I was trying to say. Did you
actually look into what the monitor socket we talked about is? I wasn't
trying to say wireshark shouldn't be used (so no point in iterating it's
benefits - you've already convinced me) but that its Bluetooth decoding
support be ported from traditional HCI sockets to use monitor sockets
instead. This wouldn't give us any new decoders to wireshark but it
would allow early HCI traffic decoding (e.g. on plugged in USB dongles)
which isn't possible with current wireshark or hcidump and context
discovery when tracing is started after there already exists
connections.
Considering these benefits monitor sockets compared to HCI ones is it
something you might be interested in implementing?
Johan
Hello,
> HCI also does not have full support for AMP HCI commands. I can send that
> log.
All logs are welcome. Andrei, please send it.
> but it can't do any kind of
> high-level decoding (e.g. profiles). It'd be interesting to know if it
> could be easily supported in wireshark since right now there doesn't
> seem to be a viable way of porting decoders from hcidump to btmon due to
> their very different ways of handling buffers etc.
Johan, I guess Wireshark support decoding what do you need (expect ongoing tasks). If you have another idea how do decoding, please share it. Power of Wireshark is:
1. Decoding all fields in protocols (+ user friendly describes and visualization bit/byte position in the frame)
2. Colors per protocol/profile to improve readability;
3. Possibility to display specified field as column (like Protocol, Length, Info; for example I display btl2cap.cid, btrfcomm.channel) [by the way, I have configured Wireshark to display column "Time" as "Absolute date and time" and additional "Delta" as "Delta time" - nice combination to working on timings]
4. Filtering logs, in Filter field you can but "btavrcp" and you see only AVRCP; or something like "btbnep.bnep_type == 0x01 || bthci_evt" - so you can display only HCI Events and BNEP packet where BNEP Type is equal 0x01.
5. (Menu) Statistics -> IO Graph, then "Y Axis -> Unit -> Bytes per Tick" and using filters - you can analyse throughput (for example: OPP, A2DP)
6. pcap file format can contain "Comments" - so everyone can share some useful additional information (per frame)
Example logs:
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9186
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9187
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9139
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9111
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9112
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9023
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9024
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=9025
https://bugs.wireshark.org/bugzilla/attachment.cgi?id=7686
You can obtain Wireshark from SVN or GIT:
svn co http://anonsvn.wireshark.org/wireshark/trunk/ wireshark
git clone http://code.wireshark.org/git/wireshark (I use only this one, but please note sometimes this way may not working...)
Installation:
not required: ./autogen.sh && ./configure && make -j 16 && ./wireshark
Regards / Pozdrawiam
-------------------------------------------------------------------------------------------------------------
Micha? ?ab?dzki
ASCII: Michal Labedzki
e-mail: [email protected]
location: Poland, Wroc?aw, Legnicka 55F
---
Tieto Corporation / Tieto Poland
http://www.tieto.com / http://www.tieto.pl
---
Tieto Poland sp??ka z ograniczon? odpowiedzialno?ci? z siedzib? w Szczecinie, ul. Malczewskiego 26. Zarejestrowana w S?dzie Rejonowym Szczecin-Centrum w Szczecinie, XIII Wydzia? Gospodarczy Krajowego Rejestru S?dowego pod numerem 0000124858. NIP: 8542085557. REGON: 812023656. Kapita? zak?adowy: 4 271500 PLN