https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16666
Bug ID: 16666
Summary: Bluetooth Advertising Extension packet falsely flagged
as malformed
Product: Wireshark
Version: Git
Hardware: x86
OS: Windows 10
Status: UNCONFIRMED
Severity: Major
Priority: Low
Component: Dissection engine (libwireshark)
Assignee: bugzilla-ad...@wireshark.org
Reporter: win...@gmail.com
Target Milestone: ---
Created attachment 17854
--> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=17854&action=edit
Bluetooth AE sample
Build Information:
Version 3.3.0-Mesh (v3.3.0rc0-1445-g38bda830d37b)
Copyright 1998-2020 Gerald Combs <ger...@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later
<https://www.gnu.org/licenses/gpl-2.0.html> This is free software; see the
source for copying conditions. There is NO warranty; not even for
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with Qt 5.15.0, with WinPcap SDK (WpdPack) 4.1.2, with GLib
2.52.3, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.15.0, with Lua 5.2.4,
with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos,
with MaxMind DB resolver, with nghttp2 1.39.2, with brotli, with LZ4, with
Zstandard, with Snappy, with libxml2 2.9.9, with QtMultimedia, with automatic
updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled
resampler).
Running on 64-bit Windows 10 (2004), build 19041, with Intel(R) Core(TM)
i7-7500U CPU @ 2.70GHz (with SSE4.2), with 16243 MB of physical memory, with
locale English_United Kingdom.utf8, with light display mode, with HiDPI, with
Npcap version 0.9991, based on libpcap version 1.9.1, with GnuTLS 3.6.3, with
Gcrypt 1.8.3, with brotli 1.0.2, with AirPcap 4.1.0 build 1622, binary plugins
supported (20 loaded). Built using Microsoft Visual Studio 2019 (VC++ 14.26,
build 28806).
--
See attached file.
This is a Bluetooth LE 5.0 scan from sniffer:
https://github.com/nccgroup/Sniffle
using CC1352R board. The advertiser was S10E mobile phone with nRF Connect app.
The S10E supports AUX_CHAIN_IND while used sniffer probably not - the expected
AUX_CHAIN_IND is not in the capture file.
I believe that Wireshark dissector is falsely flagging frames 2,4,6,8 as
malformed based upon fact that AD structure in the packet is trimmed. The not
present AUX_CHAIN_IND should contain the rest of the missing octets since
AdvData may be fragmented.
Anyway, the ADV_EXT_IND (for some reasons named AUX_COMMON <<PDU type equal
7>>) is valid since it is filling all available octets of Link Layer packet and
there is a Aux Pointer defined.
Refer to:
2.3.4.9 Host Advertising Data, 2.3.4.9 Host Advertising Data, page 2891.
The Bluetooth Advertising Extension dissector primary author is Joakim
Andersson.
--
You are receiving this mail because:
You are watching all bug changes.___________________________________________________________________________
Sent via: Wireshark-bugs mailing list <wireshark-bugs@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-bugs
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe
