Until now I have used hcidump to capture BLE packets (see "Analyzing Bluetooth packets and the SensorTag with hcidump / gatttool"). This time I install tshark, the command-line packet capture tool that ships with Wireshark, on a Raspberry Pi 3 and capture Bluetooth Low Energy (BLE) packets on the Raspberry Pi 3's built-in Bluetooth.
Installing tshark on the Raspberry Pi 3
Install tshark with the following command.
$ sudo apt-get install tshark
Confirm that tshark was installed correctly with the following command.
$ tshark -v
TShark 1.12.1 (Git Rev Unknown from unknown)
Copyright 1998-2014 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (32-bit) with GLib 2.42.1, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux), with libnl 3, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without Python, with GnuTLS 3.3.8, with Gcrypt 1.6.3, with MIT Kerberos, with GeoIP.
Running on Linux 4.1.19-v7+, with locale en_GB.UTF-8, with libpcap version 1.6.2, with libz 1.2.8.
Built using gcc 4.9.2.
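Using tshark
We capture BLE packets on the Raspberry Pi 3's built-in Bluetooth with tshark. The BLE traffic to capture is a BLE scan performed by the Raspberry Pi 3; press the switch on the side of the SensorTag to make it advertise. The scan uses the following hcitool command.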
$ sudo hcitool lescan
LE Scan ...
B4:99:4C:64:CD:DF (unknown)
B4:99:4C:64:CD:DF SensorTag
B4:99:4C:64:CD:DF (unknown)
B4:99:4C:64:CD:DF SensorTag
B4:99:4C:64:CD:DF (unknown)
Bluetooth interface number on the Raspberry Pi 3
Look up the Bluetooth interface number with the following command. Bluetooth is listed as "5. bluetooth0".
$ sudo tshark -D
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
1. wlan0
2. any
3. lo (Loopback)
4. eth0
5. bluetooth0
6. nflog
7. nfqueue
8. usbmon1
Capturing BLE scan packets with tshark
Start tshark with the following command. The BLE packet log is displayed as follows.
$ tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'bluetooth0'
sudo hcitool lescan
LE Scan ...
1 0.000000 host -> controller HCI_CMD 11 Sent LE Set Scan Parameters
2 0.000683 controller -> host HCI_EVT 7 Rcvd Command Complete (LE Set Scan Parameters)
3 0.000824 host -> controller HCI_CMD 6 Sent LE Set Scan Enable
4 0.001285 controller -> host HCI_EVT 7 Rcvd Command Complete (LE Set Scan Enable)
B4:99:4C:64:CD:DF (unknown)
5 5.800608 controller -> host HCI_EVT 18 Rcvd LE Meta (LE Advertising Report)
B4:99:4C:64:CD:DF SensorTag
6 6.632575 controller -> host HCI_EVT 35 Rcvd LE Meta (LE Advertising Report)
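Displaying detailed BLE packet information with tshark
The output above does not show detailed information, which makes the packets hard to analyze. For this reason, specify the "V" option as follows.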
$ sudo tshark -i 5 -V &
[3] 1132
pi@raspberrypi:~ $ tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'bluetooth0'
pi@raspberrypi:~ $ sudo hcitool lescan
LE Scan ...
B4:99:4C:64:CD:DF (unknown)
B4:99:4C:64:CD:DF SensorTag
Frame 1: 11 bytes on wire (88 bits), 11 bytes captured (88 bits) on interface 0
Interface id: 0 (bluetooth0)
Encapsulation type: Bluetooth H4 with linux header (99)
Arrival Time: Jun 25, 2016 09:36:19.475052000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466847379.475052000 seconds
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 11 bytes (88 bits)
Capture Length: 11 bytes (88 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: hci_h4:bthci_cmd]
Point-to-Point Direction: Sent (0)
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - LE Set Scan Parameters
Command Opcode: LE Set Scan Parameters (0x200b)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x0008)
.... ..00 0000 1011 = Opcode Command Field: LE Set Scan Parameters (0x000b)
Parameter Total Length: 7
Scan Type: Active (0x01)
Scan Interval: 16 (10 msec)
Scan Window: 16 (10 msec)
Own Address Type: Public Device Address (0x00)
Scan Filter Policy: Accept all advertisments. Ignore directed advertisements not addresed to this device (0x00)
Frame 2: 7 bytes on wire (56 bits), 7 bytes captured (56 bits) on interface 0
Interface id: 0 (bluetooth0)
Encapsulation type: Bluetooth H4 with linux header (99)
Arrival Time: Jun 25, 2016 09:36:19.475591000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466847379.475591000 seconds
[Time delta from previous captured frame: 0.000539000 seconds]
[Time delta from previous displayed frame: 0.000539000 seconds]
[Time since reference or first frame: 0.000539000 seconds]
Frame Number: 2
Frame Length: 7 bytes (56 bits)
Capture Length: 7 bytes (56 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: hci_h4:bthci_evt]
Point-to-Point Direction: Received (1)
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: LE Set Scan Parameters (0x200b)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x0008)
.... ..00 0000 1011 = Opcode Command Field: LE Set Scan Parameters (0x000b)
Status: Success (0x00)
Frame 3: 6 bytes on wire (48 bits), 6 bytes captured (48 bits) on interface 0
Interface id: 0 (bluetooth0)
Encapsulation type: Bluetooth H4 with linux header (99)
Arrival Time: Jun 25, 2016 09:36:19.475682000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466847379.475682000 seconds
[Time delta from previous captured frame: 0.000091000 seconds]
[Time delta from previous displayed frame: 0.000091000 seconds]
[Time since reference or first frame: 0.000630000 seconds]
Frame Number: 3
Frame Length: 6 bytes (48 bits)
Capture Length: 6 bytes (48 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: hci_h4:bthci_cmd]
Point-to-Point Direction: Sent (0)
Bluetooth HCI H4
[Direction: Sent (0x00)]
HCI Packet Type: HCI Command (0x01)
Bluetooth HCI Command - LE Set Scan Enable
Command Opcode: LE Set Scan Enable (0x200c)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x0008)
.... ..00 0000 1100 = Opcode Command Field: LE Set Scan Enable (0x000c)
Parameter Total Length: 2
Scan Enable: true (0x01)
Filter Dublicates: true (0x01)
Frame 4: 7 bytes on wire (56 bits), 7 bytes captured (56 bits) on interface 0
Interface id: 0 (bluetooth0)
Encapsulation type: Bluetooth H4 with linux header (99)
Arrival Time: Jun 25, 2016 09:36:19.476162000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466847379.476162000 seconds
[Time delta from previous captured frame: 0.000480000 seconds]
[Time delta from previous displayed frame: 0.000480000 seconds]
[Time since reference or first frame: 0.001110000 seconds]
Frame Number: 4
Frame Length: 7 bytes (56 bits)
Capture Length: 7 bytes (56 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: hci_h4:bthci_evt]
Point-to-Point Direction: Received (1)
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - Command Complete
Event Code: Command Complete (0x0e)
Parameter Total Length: 4
Number of Allowed Command Packets: 1
Command Opcode: LE Set Scan Enable (0x200c)
0010 00.. .... .... = Opcode Group Field: LE Controller Commands (0x0008)
.... ..00 0000 1100 = Opcode Command Field: LE Set Scan Enable (0x000c)
Status: Success (0x00)
Frame 5: 18 bytes on wire (144 bits), 18 bytes captured (144 bits) on interface 0
Interface id: 0 (bluetooth0)
Encapsulation type: Bluetooth H4 with linux header (99)
Arrival Time: Jun 25, 2016 09:36:19.516716000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466847379.516716000 seconds
[Time delta from previous captured frame: 0.040554000 seconds]
[Time delta from previous displayed frame: 0.040554000 seconds]
[Time since reference or first frame: 0.041664000 seconds]
Frame Number: 5
Frame Length: 18 bytes (144 bits)
Capture Length: 18 bytes (144 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: hci_h4:bthci_evt:btcommon]
Point-to-Point Direction: Received (1)
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - LE Meta
Event Code: LE Meta (0x3e)
Parameter Total Length: 15
Sub Event: LE Advertising Report (0x02)
Num Reports: 1
Event Type: Connectable Unidirected Advertising (0x00)
Peer Address Type: Public Device Address (0x00)
BD_ADDR: TexasIns_64:cd:df (b4:99:4c:64:cd:df)
Data Length: 3
Advertising Data
Flags
Length: 2
Type: Flags (0x01)
000. .... = Reserved: 0x00
...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x00)
.... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x00)
.... .1.. = BR/EDR Not Supported: true (0x01)
.... ..0. = LE General Discoverable Mode: false (0x00)
.... ...1 = LE Limited Discoverable Mode: true (0x01)
RSSI (dB): -56
Frame 6: 35 bytes on wire (280 bits), 35 bytes captured (280 bits) on interface 0
Interface id: 0 (bluetooth0)
Encapsulation type: Bluetooth H4 with linux header (99)
Arrival Time: Jun 25, 2016 09:36:19.623836000 UTC
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1466847379.623836000 seconds
[Time delta from previous captured frame: 0.107120000 seconds]
[Time delta from previous displayed frame: 0.107120000 seconds]
[Time since reference or first frame: 0.148784000 seconds]
Frame Number: 6
Frame Length: 35 bytes (280 bits)
Capture Length: 35 bytes (280 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: hci_h4:bthci_evt:btcommon]
Point-to-Point Direction: Received (1)
Bluetooth HCI H4
[Direction: Rcvd (0x01)]
HCI Packet Type: HCI Event (0x04)
Bluetooth HCI Event - LE Meta
Event Code: LE Meta (0x3e)
Parameter Total Length: 32
Sub Event: LE Advertising Report (0x02)
Num Reports: 1
Event Type: Scan Response (0x04)
Peer Address Type: Public Device Address (0x00)
BD_ADDR: TexasIns_64:cd:df (b4:99:4c:64:cd:df)
Data Length: 20
Advertising Data
Device Name: SensorTag
Length: 10
Type: Device Name (0x09)
Device Name: SensorTag
Slave Connection Interval Range: 100 - 1000 msec
Length: 5
Type: Slave Connection Interval Range (0x12)
Connection Interval Min: 80 (100 msec)
Connection Interval Max: 800 (1000 msec)
Tx Power Level
Length: 2
Type: Tx Power Level (0x0a)
Power Level (dBm): 0
RSSI (dB): -74
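The decoded fields of frames 5 and 6 map directly onto the raw HCI event bytes. The following Python code is an added example, not part of the original post: it rebuilds the two frames from the values shown above (constructed input) and parses the LE Advertising Report, rejecting frames whose length fields disagree with the data actually present.

```python
import struct

# Constructed input: bytes rebuilt from the decoded fields of frames 5 and 6
# above (H4 type, event header, report, AD structures, RSSI); not a raw dump.
FRAME5 = bytes.fromhex("043e0f02010000dfcd644c99b403020105c8")
FRAME6 = (bytes.fromhex("043e2002010400dfcd644c99b414") + b"\x0a\x09SensorTag"
          + bytes.fromhex("051250002003020a00b6"))

def parse_ad(data):
    """Split advertising data into (type, value) AD structures."""
    out, i = [], 0
    while i < len(data):
        length = data[i]
        if length == 0:                      # zero length ends the significant part
            break
        if i + 1 + length > len(data):       # length byte comes from the remote device
            raise ValueError("AD structure runs past end of data")
        out.append((data[i + 1], data[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def parse_adv_report(frame):
    """Decode an H4 frame holding a single-report LE Advertising Report."""
    if len(frame) < 15 or frame[0] != 0x04 or frame[1] != 0x3E:
        raise ValueError("not an HCI LE Meta event")
    if frame[2] != len(frame) - 3 or frame[3] != 0x02 or frame[4] != 1:
        raise ValueError("length mismatch or not a single advertising report")
    dlen = frame[13]
    if 14 + dlen + 1 != len(frame):
        raise ValueError("Data Length inconsistent with frame size")
    return {"event_type": frame[5], "addr_type": frame[6],
            "addr": ":".join(f"{b:02x}" for b in reversed(frame[7:13])),
            "ad": parse_ad(frame[14:14 + dlen]),
            "rssi": struct.unpack("b", frame[14 + dlen:])[0]}

def describe(ad_type, value):
    """Interpret the AD types that appear in the capture on this page."""
    if ad_type == 0x01 and value:
        return ("flags", value[0])
    if ad_type == 0x09:
        return ("name", value.decode("utf-8", "replace"))
    if ad_type == 0x12 and len(value) == 4:  # units of 1.25 ms
        lo, hi = struct.unpack("<HH", value)
        return ("conn_interval_ms", (lo * 1.25, hi * 1.25))
    if ad_type == 0x0A and len(value) == 1:
        return ("tx_power_dbm", struct.unpack("b", value)[0])
    return (hex(ad_type), value.hex())
```

The BD_ADDR is stored least-significant byte first in the event, which is why the parser reverses it before printing.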
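Displaying BLE packets as a hex+ASCII dump with tshark
To display BLE packets as a hex+ASCII dump when viewing the log, add the "-x" option to the command. The captured BLE packets are then displayed with the hex+ASCII dump following the usual log display with descriptive field names.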
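A hex+ASCII dump can be turned back into raw frames and decoded independently of tshark. The following Python code is an added example, not part of the original post: the dump text is a constructed sample rebuilt from the decoded fields of frames 1 and 3 above, and its exact column layout (four-digit offset, two spaces, space-separated hex bytes, ASCII column) is an assumption.

```python
import re
import struct

# Constructed sample in the assumed `tshark -x` layout (offset, hex bytes,
# ASCII column), rebuilt from the decoded fields of frames 1 and 3 above.
DUMP = """\
0000  01 0b 20 07 01 10 00 10 00 00 00                  .. ........

0000  01 0c 20 02 01 01                                 .. ...
"""
LINE = re.compile(r"^([0-9a-f]{4})  ((?:[0-9a-f]{2}(?: |$)){1,16})")

def frames_from_dump(text):
    """Rebuild raw frames from dump text; offset 0000 starts a new frame."""
    frames = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # summary/detail lines, blanks
        offset, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if offset == 0:
            frames.append(bytearray())
        if not frames or offset != len(frames[-1]):
            raise ValueError(f"unexpected offset {offset:04x}")
        frames[-1] += data
    return [bytes(f) for f in frames]

def decode_command(frame):
    """Decode an H4 HCI command frame into (ogf, ocf, fields)."""
    if len(frame) < 4 or frame[0] != 0x01:
        raise ValueError("not an HCI command frame")
    opcode, plen = struct.unpack_from("<HB", frame, 1)
    params = frame[4:]
    if plen != len(params):
        raise ValueError("Parameter Total Length mismatch")
    ogf, ocf = opcode >> 10, opcode & 0x03FF  # 6-bit group, 10-bit command
    fields = {}
    if (ogf, ocf, plen) == (0x08, 0x000B, 7):    # LE Set Scan Parameters
        typ, interval, window, own, policy = struct.unpack("<BHHBB", params)
        fields = {"active": typ == 1, "interval_ms": interval * 0.625,
                  "window_ms": window * 0.625, "own_addr_type": own,
                  "filter_policy": policy}
    elif (ogf, ocf, plen) == (0x08, 0x000C, 2):  # LE Set Scan Enable
        fields = {"enable": params[0] == 1, "filter_duplicates": params[1] == 1}
    return ogf, ocf, fields
```

The scan interval and window are carried in units of 0.625 ms, so the value 16 in frame 1 decodes to the 10 msec that tshark prints.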
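Saving BLE packets collected with tshark
BLE packets collected with tshark can be saved as log data with the following command option.
-w <log file name>
When the saved log data is loaded into the Windows version of Wireshark, the analysis results can be viewed on Windows.
The log data above was collected with the following command.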
# sudo tshark -i 5 -x -V -w log
Notes on capturing with tshark:
As a rule, run tshark captures with root privileges. If you run it with user privileges, the following message is displayed and tshark cannot run.
$ sudo tshark -i 5 -x -V -w log
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog'
tshark: The file to which the capture would be saved ("log") could not be opened: Is a directory.
0 packets captured
$
After switching to root privileges and running tshark, the output is as follows and packets are captured normally.
$ su -
Password:
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
root@raspberrypi:~# sudo tshark -i 5 -x -V -w log
tshark: Lua: Error during loading:
[string "/usr/share/wireshark/init.lua"]:46: dofile has been disabled due to running Wireshark as superuser. See http://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user.
Running as user "root" and group "root". This could be dangerous.
Capturing on 'nflog'
^C0 packets captured
#

