Wireshark-users: Re: [Wireshark-users] Wireshark Bluetooth

From: "Paul Raine" <praine@xxxxxxxxxxxxxxxxx>
Date: Mon, 14 Jul 2014 16:24:48 -0500
>>Black, or blank?

>>If you're doing a live capture and "Update list of packets in real time"
is enabled, the main window will show (unless you've reconfigured Wireshark
to do something differently):

>>	the packet list, with the columns you mention;

>>	the packet detail pane;

>>	the hex dump pane;

>>and they should, if there are no packets, be white, not black.

>>If you're doing a live capture and "Update list of packets in real time"
is *not* enabled, the main window will show a grey area where the packet
panes are, and only when you stop the >>capture will Wireshark read in the
packets and display them.


Thanks for your email Guy,

Yes, I do have "Update list of packets in real time" enabled.
And I meant the main window is "Blank" not black. 

Attached is a screenshot showing the main window is blank even though the
number Bluetooth packets are increasing in "Capture Interfaces"
When I stop the capture the main window also stays blank.

Are there any other wireshark settings/rules that I need to be able to
display the packets from Bluetooth?
It works fine if I monitor eth0 or some other interface!

Regards,
PR


-----Original Message-----
From: Guy Harris [mailto:guy@xxxxxxxxxxxx] 
Sent: Monday, July 14, 2014 4:03 PM
To: Paul Raine
Cc: wireshark-users@xxxxxxxxxxxxx
Subject: Re: [Wireshark-users] Wireshark Bluetooth


On Jul 14, 2014, at 7:27 AM, Paul Raine <praine@xxxxxxxxxxxxxxxxx> wrote:

>> OK, so that version of libpcap (Libpcap-1.1.1-3.fc14.i686.rpm) supports
Bluetooth capturing with the BlueZ Bluetooth stack *if* it was configured to
include that support.
> 
> What is meant by "if it was configured to include that support."?

Libpcap is distributed by the developers (tcpdump.org) as a package of
source code.  Like a number of other open-source projects, that package
includes a "configure script" generated by autoconf, which

	1) attempts to figure out characteristics of the OS and OS version
on which you're trying to build and for which you're trying to build, and
arrange to make the build work there

and

	2) for some optional features, lets you configure them in or out.

Bluetooth sniffing is one of those features.  It's not currently available
on any OS other than Linux, so the configure script configures it out if the
OS for which libpcap is being built isn't Linux; it also configures it out
if it can't find a necessary "include file" for the code that does Bluetooth
capturing.

There's also a flag that can be passed to explicitly request it (which means
the configure script will fail if it can't be configured in) or explicitly
request its *absence* (which means that configure script won't configure it
in even if it could).

The Fedora people take the source, may make changes to it, and, in the
process of building a Fedora release, may run the configure script, or may
use some other mechanism when building it.

>From a quick look at the Fedora 14 source RPM for libpcap, they do make some
changes, but none that would affect the Bluetooth configuration, *and* the
spec file says it depends on bluez-libs-devel, so it appears that the
intention is to include Bluetooth sniffing support.

>  Is there something that I need to configure within Libpcap??

If there is, it'd have to be done by getting the source RPM, making sure it
doesn't configure with --disable-bluetooth, and building and installing
libpcap from it:

	http://www.rpm.org/max-rpm/s1-rpm-miscellania-srpms.html

But I'm not sure that's the problem.

>> Is that the "Capture Interfaces" dialog that pops up if you click
"Interface List" on the Wireshark welcome screen or select "Interfaces" from
the "Capture" menu?  If so, it's successfully capturing packets (the packet
counts it shows for the interfaces it shows, whether Bluetooth or not, are
counts of packets it captures and discards, as it's capturing them only to
count them).
>> 
>> What is the name of the Bluetooth interface on which you're capturing?
> 
> Yes I was referring to the "Capture Interfaces" dialog. The Bluetooth
Interface is called "bluetooth0 Bluetooth adapter number 0".

OK, so that means that Wireshark sees that interface and can open it and
capture on it, and therefore that libpcap *does* have Bluetooth support on
your system, so rebuilding libpcap is not necessary and will not make a
difference.

>> Or is it the main Wireshark window with the packet list, packet details,
and hex dump, and does "I get nothing in the capture window" mean that there
are no packets in the packet list?
> 
> There are no packets in the main Wireshark window. This is the one (on my
computer) that is labelled "Capturing from Bluetooth adapter number 0 -
Wireshark". (It has fields such as "No.", "Time", "Source", "Destination",
"Protocol" and has the Hex dump at the bottom. No packets are displayed and
this main Wireshark window remains black even though when Bluetooth data is
exchanged with my computer it increases the "bluetooth0 Bluetooth adapter
number 0" count in the "Capture Interfaces" dialog.

Black, or blank?

If you're doing a live capture and "Update list of packets in real time" is
enabled, the main window will show (unless you've reconfigured Wireshark to
do something differently):

	the packet list, with the columns you mention;

	the packet detail pane;

	the hex dump pane;

and they should, if there are no packets, be white, not black.

If you're doing a live capture and "Update list of packets in real time" is
*not* enabled, the main window will show a grey area where the packet panes
are, and only when you stop the capture will Wireshark read in the packets
and display them.

Attachment: Screenshot.png
Description: PNG image