This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I'm quite a beginner to Wireshark and got problem using it, I searched the wiki page but seems no promising results. Hopefully I can get some help here.

I am trying to analyze the network traffic between LG smart watch and Android phone, which all go through bluetooth channel. Now I have got the network traffic log file and I can view it by running

> wireshark "LogFileName"

Problem is how can I retrieve infomation by removing the bluetooth header and get the original network layer packet, because I can parse the IP layer packet but bluetooth packet is not what I want and what I understand.

asked 21 Sep '15, 13:02

xl45's gravatar image

xl45
1112
accept rate: 0%

Can you share the Wireshark "log" file? Otherwise it's hard to tell what's wrong with that capture file.

(21 Sep '15, 13:18) Kurt Knochner ♦
(21 Sep '15, 16:10) xl45

actually bluetooth just remove the ethernet header and add its own header with the remaining payload unchanged. but still i have no idea how to do the extraction.

(21 Sep '15, 16:18) xl45

no one knows?

(22 Sep '15, 09:32) xl45

I don't see any IP traffic "encapsulated in Bluetooth" in that capture file.

I am trying to analyze the network traffic between LG smart watch and Android phone

Why do you think this is an IP communication?

(22 Sep '15, 09:48) Kurt Knochner ♦

thanks for answering, well actually i may misunderstand this by thinking that bluetooth just remove ethernet header upon the regular TCP/IP packet and add its own header. but still i have no idea what to do if i want to retrieve data from the packet. @Kurt Knochner

(22 Sep '15, 10:14) xl45
showing 5 of 6 show 1 more comments

but still i have no idea what to do if i want to retrieve data from the packet.

it depends on the content you are interested in. If I look at the payload of large RFCOMM frames, I can see payload that's seems to be related to smart watch communication.

So, first you probably need to develop a better understanding of what your are actually looking for, then you can either extract that information manually via the Wireshark GUI (RFCOMM frames), or by using tshark. If you are looking for TCP/IP commuincation between the devices, I don't think there is any in that capture file.

Regards
Kurt

permanent link

answered 22 Sep '15, 10:59

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 22 Sep '15, 11:00

The RFCOMM service has UUID128: 5e8945b0-9525-11e3-a5e2-0800200c9a66 and name: WearableBt, so I hope it is Android Wear (I hear you can use androiddump in latest Wireshark to live-capturing). As I remember Wear require closed-sources application from Google on Android to make it works (this one: https://play.google.com/store/apps/details?id=com.google.android.wearable.app&hl=en ), so there is no any documentation about protocol used by Google to communicate with Wear (implies no easy support for that in Wireshark). If anyone found some documentation about it, please share with me.

For now... Only Google know how to read Wear payload (over RFCOMM). I think I can see some structures, but it is (not!) reverse engineering.

permanent link

answered 24 Sep '15, 14:00

Micha%C5%82%20%C5%81ab%C4%99dzki's gravatar image

Michał Łabędzki
411
accept rate: 8%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×100
×27
×8

question asked: 21 Sep '15, 13:02

question was seen: 4,122 times

last updated: 24 Sep '15, 14:00

p​o​w​e​r​e​d by O​S​Q​A