Sniffing with nRF sniffer


Dheryta Jaisinghani

Sep 23, 2019, 2:11:02 PM
to openthread-users
Hi

I am trying to sniff MAC layer traffic with the nRF sniffer - nRF52840 DK.
I am unable to set a channel. The network is operating on channel 15, but Wireshark does not allow me to provide any channels other than 37, 38, 39.
How do I perform sniffing on the channel on which the network is operating?

Regards
Dheryta

Jonathan Hui

Sep 23, 2019, 2:34:40 PM
to Dheryta Jaisinghani, openthread-users
Have you taken a look at the Packet Sniffing guide on openthread.io?

--
Jonathan Hui



Dheryta Jaisinghani

Sep 23, 2019, 4:48:12 PM
to Jonathan Hui, openthread-users
Hi Jonathan

I tried the links you sent. It is working and I am able to sniff the traffic.
However, for the data frames sent over 802.15.4 I do not see any headers - 6LoWPAN, other mesh headers, MAC headers, etc.
For MLE advertisement I could see - 6LOWPAN, MLE, IPv6, UDP, etc
Please help me understand.

Also, what is the difference between the approach you shared vs the one available here -

Thanks and Regards
Dheryta

Jonathan Hui

Sep 23, 2019, 4:56:31 PM
to Dheryta Jaisinghani, openthread-users
Do the IEEE 802.15.4 Data frames have security enabled? If so, you likely need to configure Wireshark with the appropriate Thread master key.

The OpenThread sniffer is a platform-independent sniffer that supports any OpenThread-based device. The nRF Sniffer solutions are developed and supported by Nordic and specific to Nordic hardware.

--
Jonathan Hui

Martin Turon

Sep 23, 2019, 5:09:10 PM
to Jonathan Hui, Dheryta Jaisinghani, openthread-users
Also worth pointing out is that https://infocenter.nordicsemi.com/pdf/nRF_Sniffer_UG_v2.2.pdf describes Nordic's Bluetooth Low Energy sniffer, which is why you may see channels 37,38,39, as they are the BLE advertising channels.  For OpenThread, you want to be sure you are using an 802.15.4 sniffer, which would only provide access to channels 11-26.
_____________________________
Martin Turon  |  Nest Labs


Dheryta Jaisinghani

Sep 24, 2019, 10:47:56 AM
to Jonathan Hui, openthread-users
Hi Jonathan

"Do the IEEE 802.15.4 Data frames have security enabled? If so, you likely need to configure Wireshark with the appropriate Thread master key." - Yes, I have configured the Thread Network Key in Wireshark.

Thanks and Regards
Dheryta

Dheryta Jaisinghani

Sep 24, 2019, 10:48:19 AM
to mtu...@nestlabs.com, Jonathan Hui, openthread-users
Hi Martin

This was helpful. Thank you.

Thanks and Regards
Dheryta

Jonathan Hui

Sep 24, 2019, 4:41:18 PM
to Dheryta Jaisinghani, openthread-users
If the IEEE 802.15.4 Data Frames are using a short source address, then you may need to configure Static Addresses under "Preferences > Protocols > IEEE 802.15.4".

IEEE 802.15.4 frame security requires knowledge of the Extended Source address. Normally, Wireshark can generate this mapping if it can infer the mapping from other packets. However, if no packet was sent from that device using the Extended Source address, then the mapping may need to be configured statically.

Hope that helps.

--
Jonathan Hui

Dheryta Jaisinghani

Sep 26, 2019, 12:04:42 PM
to Jonathan Hui, openthread-users
Hi Jonathan

The data frames are using RLOC16 addresses.
If I try to configure Static Addresses, then I would need EUI64 that I believe can be obtained only when commissioning is ON.
I don't have that.

My experiment is very simple - I have 2 routers (R1 and R2) and 2 children (C1 and C2).
C1 is associated with R1 and C2 with R2.
R1 has iperf server running and R2 as the client.

For this data transfer session, I am trying to log the packets with sniffer.
I have attached sample pcap and snapshots.
You can see that if I ping, the ICMP packets have all the headers, but for iperf data the headers are missing.

Thanks and Regards
Dheryta

Data.png
ICMP.png
TestPCAP.pcapng

Jonathan Hui

Sep 26, 2019, 1:18:42 PM
to Dheryta Jaisinghani, openthread-users
IEEE 802.15.4 MAC frame security uses the Extended Address, which is not the same as IEEE EUI-64.

You should be able to determine the mapping between Extended Address and Short Address from MLE messages. The Wireshark dissector will do this for you if such packets are present. If not, then you will need to set up static address mappings using Extended Address (not EUI-64).

--
Jonathan Hui
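
Added example, not part of the original thread and not OpenThread or Wireshark code: a minimal IEEE 802.15.4-2006 MAC header parser that builds the 13-byte CCM* nonce (Extended Source address, frame counter, security level), showing why a secured frame sent from a short (RLOC16) source cannot be decrypted until a short-to-extended mapping is known. The frames, the Extended Address and the function names are constructed for illustration.

```python
import struct

ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0, 2, 3
ADDR_LEN = {ADDR_NONE: 0, ADDR_SHORT: 2, ADDR_EXT: 8}

def parse_mac_header(frame: bytes) -> dict:
    """Parse an IEEE 802.15.4-2006 MAC header through the auxiliary security header."""
    fcf, _seq = struct.unpack_from("<HB", frame, 0)
    dst_mode, src_mode = (fcf >> 10) & 3, (fcf >> 14) & 3
    if dst_mode not in ADDR_LEN or src_mode not in ADDR_LEN:
        raise ValueError("reserved addressing mode")
    off = 3
    if dst_mode != ADDR_NONE:
        off += 2 + ADDR_LEN[dst_mode]          # destination PAN ID + address
    if src_mode != ADDR_NONE and not fcf & 0x0040:
        off += 2                               # source PAN ID (no PAN ID compression)
    n = ADDR_LEN[src_mode]
    src = frame[off:off + n][::-1]             # on-air little-endian -> big-endian
    off += n
    hdr = {"src_mode": src_mode, "src": src, "security": bool(fcf & 0x0008)}
    if hdr["security"]:
        sec_ctl, counter = struct.unpack_from("<BI", frame, off)
        hdr.update(level=sec_ctl & 0x07, frame_counter=counter)
    return hdr

def ccm_nonce(hdr: dict, short_to_ext: dict):
    """Return the 13-byte CCM* nonce, or None if the extended address is unknown."""
    if not hdr["security"]:
        return None
    if hdr["src_mode"] == ADDR_EXT:
        ext = hdr["src"]
    else:
        ext = short_to_ext.get(int.from_bytes(hdr["src"], "big"))
    if ext is None:
        return None                            # cannot decrypt: no mapping
    # Nonce = extended source address || frame counter || security level
    return ext + struct.pack(">IB", hdr["frame_counter"], hdr["level"])

# Constructed sample frames (not taken from the attached capture).
EXT = bytes.fromhex("1a2b3c4d5e6f7081")        # made-up Extended Address
SHORT_SRC = bytes.fromhex("69982acefa00d800c00d2301000001deadbeef")
EXT_SRC = bytes.fromhex("69d82bcefa00d881706f5e4d3c2b1a0d2401000001deadbeef")

if __name__ == "__main__":
    for name, table in (("no mapping", {}), ("static mapping", {0xC000: EXT})):
        print(name, ccm_nonce(parse_mac_header(SHORT_SRC), table))
    print("extended source", ccm_nonce(parse_mac_header(EXT_SRC), {}).hex())
```
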

Rongli

Sep 26, 2019, 7:40:07 PM
to openthread-users
Hi Dheryta,

The fragment you highlighted is a piece of a big packet; it seems that the following fragments of the packet to 0xd804 somehow are not sniffed.
The sniffer sniffs the whole big packet when it goes from 0xc005->0xc000 (pkt 1567), from 0xc000->0xd800 (pkt 1597), however some fragments from 0xd800->0xd805 (either not forwarded by 0xd800, or missed by sniffer) are not captured, thus failing to display the packet in Wireshark.
