Academic year: 2021

Analyzing Bluetooth

In this exercise you will learn to analyze Bluetooth communication using different profiles. We use a Frontline Bluetooth Analyzer.

Part I - Bluetooth Analyses Examples

Protocol Overview

Baseband LMP L2CAP SDP RFCOMM OBEX OPP LAN DUN BNEP

PROTOCOL OVERVIEW

This is an overview of the current Bluetooth protocol stacks. It is impossible to explain them all in this course, so we will take the stacks most commonly used in a computer environment for a detailed analysis.

In the Bluetooth analyzer exercise we will carry out practical analyses with the OPP, FTP, LAN and DUN profiles. The BNEP analysis can only be shown theoretically.

Here is a list of the abbreviations used in the diagram above.

GAP - GENERIC ACCESS PROFILE
SDAP - SERVICE DISCOVERY APPLICATION PROFILE
CPP - CORDLESS TELEPHONY PROFILE
INTERCOM PROFILE
SPP - SERIAL PORT PROFILE
HS - HEADSET PROFILE
DUN - DIAL-UP NETWORKING PROFILE
FAX - FAX PROFILE
LAN - LAN ACCESS PROFILE
GOEP - GENERIC OBJECT EXCHANGE PROFILE
OPP - OBJECT PUSH PROFILE
FTP - FILE TRANSFER PROFILE
SYNC - SYNCHRONIZATION PROFILE
HCR - HARDCOPY CABLE REPLACEMENT PROFILE
HID - HUMAN INTERFACE DEVICE PROFILE
CIP - COMMON ISDN ACCESS PROFILE
PAN - PERSONAL AREA NETWORKING PROFILE
HF - HANDS-FREE PROFILE
SIM - SIM ACCESS PROFILE
AVRCP - AUDIO/VIDEO REMOTE CONTROL PROFILE
AUDIO/VIDEO DISTRIBUTION PROFILE
BPP - BASIC PRINTING PROFILE
BIP - BASIC IMAGING PROFILE

[Diagram: overview of the Bluetooth protocol stack and profiles. Recoverable labels: BASEBAND, LMP, L2CAP, RFCOMM, OBEX, IrMC, ISDN, AT CMD's and the profile abbreviations listed above.]

BASEBAND

The following picture shows a screenshot from the Bluetooth analyzer displaying Baseband information.

A new clock (CLK) value is calculated for each packet.

The clock value defines the RF channel (Chan) used for each packet.

The Role column shows whether the packet was sent by the master or by a slave.

The AM… column shows the Active Member Address used. A piconet can have up to 7 AM.

The Type column shows the framing used for that packet. Bluetooth knows 10 types (NULL, POLL, FHS, DM1, DM3, DM5, DH1, DH3, DH5, AUX).

The information for Logical Link ID (LLID) and Logical Link Flow (Flow) is not available in these frames.

The SEQN column shows the current sequence number for each frame that carries data.

The ARQN column shows the current acknowledgement number for each data frame.

You can see that the slave has to respond each time it is polled by the master.

The following shows the four frames printed in detail.

--- Frame 1 (Master)--- Length: 8 --- Errors: 0 --- Time: 08.08.2004 19:48:40.7625 ---
Physical Frame: 13 4c 5d fe 02 81 01 00
Baseband:
Role: Master
Channel: 19 - 2421 MHz
Clock: 0x02fe5d4c
Packet Status: OK
FLOW: N/A [1]
TYPE: NULL
AM_ADDR: 1
L2CAP Flow: N/A [0]
Logical Link ID: N/A [0]
SEQN: 0
ARQN: 1
Payload Length: 0

--- Frame 2 (Slave)--- Length: 8 --- Errors: 0 --- Time: 08.08.2004 19:48:40.7631 ---
Physical Frame: 22 4e 5d fe 02 81 00 00
Baseband:
Role: Slave
Channel: 34 - 2436 MHz
Clock: 0x02fe5d4e
Packet Status: OK
FLOW: N/A [1]
TYPE: NULL
AM_ADDR: 1
L2CAP Flow: N/A [0]
Logical Link ID: N/A [0]
SEQN: 0
ARQN: 0
Payload Length: 0

--- Frame 3 (Master)--- Length: 8 --- Errors: 0 --- Time: 08.08.2004 19:48:43.3375 ---
Physical Frame: 29 7c 7d fe 02 89 01 00
Baseband:
Role: Master
Channel: 41 - 2443 MHz
Clock: 0x02fe7d7c
Packet Status: OK
FLOW: N/A [1]
TYPE: POLL
AM_ADDR: 1
L2CAP Flow: N/A [0]
Logical Link ID: N/A [0]
SEQN: 0
ARQN: 1
Payload Length: 0

--- Frame 4 (Slave)--- Length: 8 --- Errors: 0 --- Time: 08.08.2004 19:48:43.3381 ---
Physical Frame: 1c 7e 7d fe 02 81 00 00
Baseband:
Role: Slave
Channel: 28 - 2430 MHz
Clock: 0x02fe7d7e
Packet Status: OK
FLOW: N/A [1]
TYPE: NULL
AM_ADDR: 1
L2CAP Flow: N/A [0]
Logical Link ID: N/A [0]
SEQN: 0
ARQN: 0
Payload Length: 0
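
The four physical frames above can be cross-checked against the decoded fields. The following Python sketch is an added example, not part of the original exercise or of the analyzer software. It assumes, from comparing the hex bytes with the decoded values of these four frames, that byte 0 is the RF channel and bytes 1 to 4 are the clock in little-endian order; the last three bytes are left undecoded, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Physical frames copied from the four baseband listings on this page.
FRAMES = {
    1: "13 4c 5d fe 02 81 01 00",
    2: "22 4e 5d fe 02 81 00 00",
    3: "29 7c 7d fe 02 89 01 00",
    4: "1c 7e 7d fe 02 81 00 00",
}

TICK_US = 312.5          # period of the Bluetooth native clock (half a 625 us slot)
CLOCK_MASK = 0x0FFFFFFF  # the Bluetooth clock is a 28-bit counter


@dataclass
class Baseband:
    channel: int     # RF channel index, 0..78
    freq_mhz: int    # carrier frequency: 2402 MHz + channel index
    clock: int       # clock value stored with the packet
    role: str        # sender, derived from the slot parity of the clock
    trailer: bytes   # remaining bytes, layout not known from the page


def decode(hexdump: str) -> Baseband:
    """Decode the first five bytes of an analyzer 'Physical Frame' line."""
    raw = bytes.fromhex(hexdump)
    if len(raw) < 5:
        raise ValueError("frame too short for channel and clock")
    channel = raw[0]
    if channel > 78:
        raise ValueError(f"channel {channel} outside the 79 BR/EDR channels")
    clock = int.from_bytes(raw[1:5], "little") & CLOCK_MASK
    # The master starts transmitting in even slots (CLK bit 1 = 0),
    # a slave answers in the following odd slot (CLK bit 1 = 1).
    role = "Slave" if clock & 0b10 else "Master"
    return Baseband(channel, 2402 + channel, clock, role, raw[5:])


def elapsed_us(first: Baseband, second: Baseband) -> float:
    """Time between two packets according to their clock values."""
    return ((second.clock - first.clock) & CLOCK_MASK) * TICK_US


def poll_pairs(frames: dict) -> list:
    """Frame numbers where a slave packet follows a master packet one slot later."""
    decoded = [(n, decode(h)) for n, h in sorted(frames.items())]
    pairs = []
    for (n1, a), (n2, b) in zip(decoded, decoded[1:]):
        if a.role == "Master" and b.role == "Slave" and elapsed_us(a, b) == 2 * TICK_US:
            pairs.append((n1, n2))
    return pairs


if __name__ == "__main__":
    for number, dump in FRAMES.items():
        print(number, decode(dump))
    print("master/slave pairs:", poll_pairs(FRAMES))
    print("frame 1 to frame 3:", elapsed_us(decode(FRAMES[1]), decode(FRAMES[3])), "us")
```

The clock difference between frame 1 and frame 3 corresponds to 2.575 s, which agrees with the two timestamps in the listing.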

LMP

The following picture shows a screenshot from the Bluetooth analyzer displaying LMP information.

The Link Management Protocol (LMP) is used to exchange device information between the Bluetooth devices in order to run a piconet successfully. Using this protocol, devices are attached to or detached from a piconet, links are established or closed, and controllers are put into low-power mode.

The Opcode column shows the transactions that occurred between the two link partners.

THE FOLLOWING SHOWS AN EXAMPLE OF A MASTER INITIATED CONNECTION SETUP

MASTER                                        SLAVE

LMP,Master,1,version_req,master,
                                              LMP,Slave,1,version_res,master,
LMP,Master,1,features_req,master,
                                              LMP,Slave,1,features_res,master,
LMP,Master,1,host_connection_req,master,
                                              LMP,Slave,1,accepted,master,host_connection_req
                                              LMP,Slave,1,setup_complete,slave,
LMP,Master,1,setup_complete,master,
LMP,Master,1,auto_rate,master,
                                              LMP,Slave,1,auto_rate,slave,
                                              LMP,Slave,1,page_scan_mode_req,slave,
LMP,Master,1,max_slot,master,
                                              LMP,Slave,1,max_slot,slave,
                                              LMP,Slave,1,timing_accuracy_req,slave,
LMP,Master,1,clkoffset_req,master,
LMP,Master,1,accepted,slave,page_scan_mode_req
LMP,Master,1,timing_accuracy_res,slave,
                                              LMP,Slave,1,clkoffset_res,master,
LMP,Master,1,supervision_timeout,master,
LMP,Master,1,name_req,master,
                                              LMP,Slave,1,name_res,master,
LMP,Master,1,name_req,master,
                                              LMP,Slave,1,name_res,master,
                                              LMP,Slave,1,name_req,slave,
LMP,Master,1,name_res,slave,
LMP,Master,1,name_req,master,
                                              LMP,Slave,1,name_res,master,
LMP,Master,1,name_req,master,
                                              LMP,Slave,1,name_res,master,
LMP,Master,1,preferred_rate,master,
                                              LMP,Slave,1,preferred_rate,slave,
LMP,Master,1,detach,master,

DETAILED FRAME LISTINGS

--- Frame 1 (Slave)--- Length: 14 --- Errors: 0 --- Time: 10.08.2004 16:43:48.0592

LMP:

Role: Slave Address: 1

Opcode: LMP_version_res

Transaction ID: Initiated by master VersNr: Bluetooth LMP 1.1

CompId: Cambridge Silicon Radio SubVersNr: 525

---Frame 2 (Master)--- Length: 17 --- Errors: 0 --- Time: 10.08.2004 16:43:48.0635

LMP:

Role: Master Address: 1

Opcode: LMP_features_req

Transaction ID: Initiated by master Sniff mode: Supported

Hold mode: Supported Role switch: Supported Timing accuracy: Supported Slot offset: Supported Encryption: Supported

5-slot packets: Supported 3-slot packets: Supported

A-law log synchronous data: Supported u-law log synchronous data: Supported HV3 packets: Supported

HV2 packets: Supported SCO link: Supported

Channel quality data rate: Supported Power control requests: Supported Park state: Supported

Broadcast encryption: No

Flow Control Lag: 0

Transparent SCO data: Supported Power control: Supported

Paging parameter negotiation: Supported CVSD synchronous data: Supported

Extended SCO capability EV3 packets: No RSSI with Inquiry Results: No

Interlaced Page Scan: No Interlaced Inquiry Scan: No Enhanced Inquiry Scan: No Scatter mode: No

Anonymity Mode: No

Alias Authentication: No AFH classification: No AFH capability: No Absence Masks: No EV5 packets: No EV4 packets: No

AFH classification master: No AFH capable master: No

Extended features: No

--- Frame 3 (Slave)--- Length: 17 --- Errors: 0 --- Time: 10.08.2004 16:43:48.0917

LMP:

Role: Slave Address: 1

Opcode: LMP_features_res

Transaction ID: Initiated by master Sniff mode: Supported

Hold mode: Supported Role switch: Supported Timing accuracy: Supported Slot offset: Supported Encryption: Supported

5-slot packets: Supported 3-slot packets: Supported

A-law log synchronous data: Supported u-law log synchronous data: Supported HV3 packets: Supported

HV2 packets: Supported SCO link: Supported

Channel quality data rate: Supported Power control requests: Supported Park state: Supported

Broadcast encryption: No Flow Control Lag: 0

Transparent SCO data: Supported Power control: Supported

Paging parameter negotiation: Supported CVSD synchronous data: Supported

Extended SCO capability EV3 packets: No RSSI with Inquiry Results: No

Interlaced Page Scan: No Interlaced Inquiry Scan: No Enhanced Inquiry Scan: No Scatter mode: No

Anonymity Mode: No

Alias Authentication: No AFH classification: No AFH capability: No Absence Masks: No EV5 packets: No

EV4 packets: No

AFH classification master: No AFH capable master: No

Extended features: No

--- Frame 4 (Master)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.0960

LMP:

Role: Master Address: 1

Opcode: LMP_host_connection_req Transaction ID: Initiated by master

--- Frame 5 (Slave)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1229

LMP:

Role: Slave Address: 1

Opcode: LMP_accepted

Transaction ID: Initiated by master Original Opcode: LMP_host_connection_req

--- Frame 6 (Slave)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1254

LMP:

Role: Slave Address: 1

Opcode: LMP_setup_complete Transaction ID: Initiated by slave

--- Frame 7 (Master)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1273

LMP:

Role: Master Address: 1

Opcode: LMP_setup_complete Transaction ID: Initiated by master

--- Frame 8 (Master)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1385

LMP:

Role: Master Address: 1

Opcode: LMP_auto_rate

Transaction ID: Initiated by master

--- Frame 9 (Slave)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1392

LMP:

Role: Slave Address: 1

Opcode: LMP_auto_rate

Transaction ID: Initiated by slave

---Frame 10 (Slave)--- Length: 11 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1404

LMP:

Role: Slave Address: 1

Opcode: LMP_page_scan_mode_req Transaction ID: Initiated by slave Paging Scheme: mandatory scheme Paging Scheme Settings: R1

--- Frame 11 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1410 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_max_slot

Transaction ID: Initiated by master Max Slots: 0x05 slots

--- Frame 12 (Slave)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1417 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_max_slot

Transaction ID: Initiated by slave Max Slots: 0x05 slots

--- Frame 13 (Slave)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1429 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_timing_accuracy_req Transaction ID: Initiated by slave

--- Frame 14 (Master)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1560 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_clkoffset_req Transaction ID: Initiated by master

--- Frame 15 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1673 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_accepted

Transaction ID: Initiated by slave Original Opcode: LMP_page_scan_mode_req

--- Frame 16 (Master)--- Length: 11 --- Errors: 0 --- Time: 10.08.2004 16:43:48.1860 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_timing_accuracy_res Transaction ID: Initiated by slave Drift: 250 ppm

Jitter: 10 us

--- Frame 17 (Slave)--- Length: 11 --- Errors: 0 --- Time: 10.08.2004 16:43:48.2117 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_clkoffset_res Transaction ID: Initiated by master Clock Offset: 3772 (1.25ms)

--- Frame 18 (Master)--- Length: 11 --- Errors: 0 --- Time: 10.08.2004 16:43:48.2260 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_supervision_timeout Transaction ID: Initiated by master Supervision Timeout: 0x7d00 slots

--- Frame 19 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.2385 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_name_req

Transaction ID: Initiated by master Name Offset: 0 bytes

--- Frame 20 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.3042 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_name_res

Transaction ID: Initiated by master Name Offset: 0 bytes

Name Length: 19 bytes

Name Fragment: VHB12-Test-Com

--- Frame 21 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.3098 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_name_req

Transaction ID: Initiated by master Name Offset: 14 bytes

--- Frame 22 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.3392 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_name_res

Transaction ID: Initiated by master Name Offset: 14 bytes

Name Length: 19 bytes

Name Fragment: puter

--- Frame 23 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.3698 ---

--- Frame 24 (Slave)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.3904 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_name_req

Transaction ID: Initiated by slave Name Offset: 0 bytes

--- Frame 25 (Master)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.3960 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_name_res

Transaction ID: Initiated by slave Name Offset: 0 bytes

Name Length: 5 bytes

Name Fragment: VHB22

--- Frame 26 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4454 ---

---

--- Frame 27 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4479 ---

---

--- Frame 28 (Slave)--- Length: 11 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4492 ---

---

--- Frame 29 (Master)--- Length: 28 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4498 ---

---

--- Frame 30 (Master)--- Length: 22 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4535 ---

---

--- Frame 31 (Slave)--- Length: 22 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4554 ---

---

--- Frame 32 (Master)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4610 ---

---

--- Frame 33 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4842 ---

---

--- Frame 34 (Slave)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4867 ---

---

--- Frame 35 (Master)--- Length: 31 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4910 ---

---

--- Frame 36 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5179 ---

---

--- Frame 37 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5204 ---

---

--- Frame 38 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5217 ---

---

--- Frame 39 (Slave)--- Length: 91 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5229 ---

---

--- Frame 40 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5285 ---

---

--- Frame 41 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5542 ---

---

--- Frame 42 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5848 ---

---

--- Frame 43 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6079 ---

---

--- Frame 44 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6104 ---

---

--- Frame 45 (Master)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6123 ---

---

--- Frame 46 (Master)--- Length: 22 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6148 ---

---

--- Frame 47 (Slave)--- Length: 22 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6179 ---

---

--- Frame 48 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6223 ---

---

--- Frame 49 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6479 ---

---

--- Frame 50 (Master)--- Length: 26 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6523 ---

---

--- Frame 51 (Slave)--- Length: 26 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6579 ---

---

--- Frame 52 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6723 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_name_req

Transaction ID: Initiated by master Name Offset: 0 bytes

--- Frame 53 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.7029 ---

--- LMP:

Role: Slave Address: 1

Opcode: LMP_name_res

Transaction ID: Initiated by master Name Offset: 0 bytes

Name Length: 19 bytes

Name Fragment: VHB12-Test-Com

--- Frame 54 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:48.7248 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_name_req

Transaction ID: Initiated by master Name Offset: 14 bytes

--- Frame 55 (Slave)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.7542 ---

---

LMP:

Role: Slave Address: 1

Opcode: LMP_name_res

Transaction ID: Initiated by master Name Offset: 14 bytes

Name Length: 19 bytes

Name Fragment: puter

--- Frame 56 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.7848 ---

---

--- Frame 57 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8079 ---

---

--- Frame 58 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8123 ---

---

--- Frame 59 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8379 ---

---

--- Frame 60 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8404 ---

---

--- Frame 61 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8448 ---

---

--- Frame 62 (Master)--- Length: 23 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8460 ---

---

--- Frame 63 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8704 ---

---

--- Frame 64 (Master)--- Length: 36 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8798 ---

---

--- Frame 65 (Slave)--- Length: 129 --- Errors: 0 --- Time: 10.08.2004 16:43:49.0642 ---

---

--- Frame 66 (Slave)--- Length: 129 --- Errors: 0 --- Time: 10.08.2004 16:43:49.0679 ---

---

--- Frame 67 (Slave)--- Length: 129 --- Errors: 0 --- Time: 10.08.2004 16:43:49.0704 ---

---

--- Frame 68 (Slave)--- Length: 49 --- Errors: 0 --- Time: 10.08.2004 16:43:49.0729 ---

---

--- Frame 69 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1210 ---

---

--- Frame 70 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1398 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_preferred_rate Transaction ID: Initiated by master Packet Size: Size is unavailable FEC: do not use FEC

--- Frame 71 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1404 ---

---

--- Frame 72 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1460 ---

---

--- Frame 73 (Slave)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1704 ---

--- LMP:

Role: Slave

Address: 1

Opcode: LMP_preferred_rate Transaction ID: Initiated by slave Packet Size: Size is unavailable FEC: do not use FEC

--- Frame 74 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1729 ---

---

--- Frame 75 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1773 ---

---

--- Frame 76 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.2017 ---

---

--- Frame 77 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:49.2060 ---

---

--- Frame 78 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:49.2329 ---

---

--- Frame 79 (Master)--- Length: 10 --- Errors: 0 --- Time: 10.08.2004 16:43:50.8410 ---

--- LMP:

Role: Master Address: 1

Opcode: LMP_detach

Transaction ID: Initiated by master

Reason: Other End Terminated Connection: User Ended Connection
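
The LMP summary lines of the master-initiated connection setup can be audited mechanically: which requests were answered, and whether the two devices ever ran an authentication or encryption exchange before the link was used. The following Python sketch is an added example, not part of the original exercise. The security-related opcode names come from the Bluetooth LMP specification and do not appear on this page; their spelling in the analyzer export is an assumption modelled on the lines shown above, and the second trace is constructed.

```python
# LMP summary lines copied from the connection setup listing on this page.
PAGE_TRACE = """
LMP,Master,1,version_req,master, LMP,Slave,1,version_res,master,
LMP,Master,1,features_req,master, LMP,Slave,1,features_res,master,
LMP,Master,1,host_connection_req,master, LMP,Slave,1,accepted,master,host_connection_req
LMP,Slave,1,setup_complete,slave, LMP,Master,1,setup_complete,master,
LMP,Master,1,auto_rate,master, LMP,Slave,1,auto_rate,slave,
LMP,Slave,1,page_scan_mode_req,slave, LMP,Master,1,max_slot,master,
LMP,Slave,1,max_slot,slave, LMP,Slave,1,timing_accuracy_req,slave,
LMP,Master,1,clkoffset_req,master, LMP,Master,1,accepted,slave,page_scan_mode_req
LMP,Master,1,timing_accuracy_res,slave, LMP,Slave,1,clkoffset_res,master,
LMP,Master,1,supervision_timeout,master, LMP,Master,1,name_req,master,
LMP,Slave,1,name_res,master, LMP,Master,1,name_req,master,
LMP,Slave,1,name_res,master, LMP,Slave,1,name_req,slave,
LMP,Master,1,name_res,slave, LMP,Master,1,name_req,master,
LMP,Slave,1,name_res,master, LMP,Master,1,name_req,master,
LMP,Slave,1,name_res,master, LMP,Master,1,preferred_rate,master,
LMP,Slave,1,preferred_rate,slave, LMP,Master,1,detach,master,
"""

# Constructed trace (not from the page): authentication runs, encryption is
# requested but never accepted.
CONSTRUCTED_TRACE = """
LMP,Master,1,host_connection_req,master, LMP,Slave,1,accepted,master,host_connection_req
LMP,Master,1,au_rand,master, LMP,Slave,1,sres,master,
LMP,Master,1,encryption_mode_req,master,
LMP,Slave,1,setup_complete,slave, LMP,Master,1,setup_complete,master,
"""

# PDU names from the LMP specification; the export spelling is assumed.
AUTH = {"au_rand", "sres"}
PAIRING = {"in_rand", "comb_key", "unit_key"}


def parse(trace: str) -> list:
    """Split the export into records; the lines contain no spaces themselves."""
    pdus = []
    for token in trace.split():
        fields = token.split(",")
        if fields[0] != "LMP" or len(fields) < 5:
            continue
        pdus.append({
            "sender": fields[1],
            "am_addr": int(fields[2]),
            "opcode": fields[3],
            "initiator": fields[4],
            "original": fields[5] if len(fields) > 5 else "",
        })
    return pdus


def unanswered(pdus: list) -> list:
    """Requests that got neither a *_res nor an accepted/not_accepted."""
    pending = []
    for pdu in pdus:
        op, who = pdu["opcode"], pdu["initiator"]
        if op.endswith("_req"):
            pending.append((op, who))
        elif op.endswith("_res"):
            key = (op[:-4] + "_req", who)
            if key in pending:
                pending.remove(key)
        elif op in ("accepted", "not_accepted"):
            key = (pdu["original"], who)
            if key in pending:
                pending.remove(key)
    return pending


def audit(trace: str) -> dict:
    pdus = parse(trace)
    seen = {p["opcode"] for p in pdus}
    return {
        "pdus": len(pdus),
        "unanswered": unanswered(pdus),
        "auth_exchange_seen": AUTH <= seen,
        "pairing_seen": bool(PAIRING & seen),
        "encryption_started": "start_encryption_req" in seen,
        "detached": "detach" in seen,
    }


if __name__ == "__main__":
    print("page trace:       ", audit(PAGE_TRACE))
    print("constructed trace:", audit(CONSTRUCTED_TRACE))
```

For the trace on this page every request is answered and no authentication, pairing or encryption PDU appears, although both LMP_features frames report "Encryption: Supported".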

L2CAP

The following picture shows a screenshot from the Bluetooth analyzer displaying L2CAP information.

Frame 42 shows a request to establish an L2CAP connection for an RFCOMM session. The Channel ID is defined. All frames that follow on this link will have the same Channel ID.

THE FOLLOWING LISTING SHOWS HOW A LINK IS ESTABLISHED AND DISCONNECTED.

Frame 42 L2CAP,Master,1,0x0001,RFCOMM,4,Connection request,0x0062,,4,,,,,,,,
Frame 43 L2CAP,Slave,1,0x0001,,4,Connection response,0x0062,0x0045,8,,,,,,,,
Frame 44 L2CAP,Slave,1,0x0001,,2,Configure request,,0x0062,8,,,,,,,,
Frame 45 L2CAP,Master,1,0x0001,,5,Configure request,,0x0045,8,,,,,,,,
Frame 46 L2CAP,Master,1,0x0001,,2,Configure response,0x0045,,6,,,,,,,,
Frame 47 L2CAP,Slave,1,0x0001,,5,Configure response,0x0062,,6,,,,,,,,
Frame 48 L2CAP,Master,1,0x0045,,,,,,4,,,,,,,,
Frame 77 L2CAP,Master,1,0x0001,,6,Disconnection request,0x0062,0x0045,4,,,,,,,,
Frame 78 L2CAP,Slave,1,0x0001,,6,Disconnection response,0x0062,0x0045,4,,,,,,,,

THE FOLLOWING SHOWS DETAILED LISTING OF THE FRAMES FROM ABOVE.

Frame 42 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5848

L2CAP:

Role: Master Address: 1

PDU Length: 8 Channel ID: 0x0001

Code: Connection request Identifier: 4

Command Length: 4

Protocol/Service Multiplexer: RFCOMM Source Channel ID: 0x0062

Frame 43 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6079 -

L2CAP:

Role: Slave Address: 1

PDU Length: 12 Channel ID: 0x0001

Code: Connection response Identifier: 4

Command Length: 8

Destination Channel ID: 0x0045 Source Channel ID: 0x0062 Result: Connection successful Undefined Status: 0x 00 00

Frame 44 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6104 -

L2CAP:

Role: Slave Address: 1

PDU Length: 12 Channel ID: 0x0001 Code: Configure request Identifier: 2

Command Length: 8

Destination Channel ID: 0x0062 C Flag: Last Configuration Request Option: MAXIMUM TRANSMISSION UNIT (MTU)

Length: 2

Value: 1691

Frame 45 (Master)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6123

L2CAP:

Role: Master Address: 1

PDU Length: 12 Channel ID: 0x0001 Code: Configure request Identifier: 5

Command Length: 8

Destination Channel ID: 0x0045 C Flag: Last Configuration Request Option: MAXIMUM TRANSMISSION UNIT (MTU)

Length: 2

Value: 1691

Frame 46 (Master)--- Length: 22 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6148

L2CAP:

Role: Master Address: 1

PDU Length: 10 Channel ID: 0x0001

Code: Configure response Identifier: 2

Command Length: 6

Source Channel ID: 0x0045

C Flag: Last Configuration Request Results: Success

Frame 47 (Slave)--- Length: 22 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6179 -

L2CAP:

Role: Slave Address: 1

PDU Length: 10 Channel ID: 0x0001

Code: Configure response Identifier: 5

Command Length: 6

Source Channel ID: 0x0062

C Flag: Last Configuration Request Results: Success

Frame 48 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6223

L2CAP:

Role: Master Address: 1

PDU Length: 4 Channel ID: 0x0045

Frame 77 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:49.2060

L2CAP:

Role: Master Address: 1

PDU Length: 8 Channel ID: 0x0001

Code: Disconnection request Identifier: 6

Command Length: 4

Destination Channel ID: 0x0045 Source Channel ID: 0x0062

Frame 78 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:49.2329 -

L2CAP:

Role: Slave Address: 1

PDU Length: 8 Channel ID: 0x0001

Code: Disconnection response Identifier: 6

Command Length: 4

Destination Channel ID: 0x0045 Source Channel ID: 0x0062
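
The channel life cycle shown in frames 42 to 78 can be followed with a small state tracker that also flags data sent on a channel that was never opened or is already closed. The following Python sketch is an added example, not part of the original exercise. The column meaning of the export lines is inferred by comparing them with the detailed listings above, the summary lines carry no result code so every response is assumed to report success, and the function names are hypothetical.

```python
SIGNALLING_CID = 0x0001  # L2CAP signalling channel, as in the listings above

# Export lines copied from the L2CAP listing on this page.
PAGE_EXPORT = """\
Frame 42 L2CAP,Master,1,0x0001,RFCOMM,4,Connection request,0x0062,,4,,,,,,,,
Frame 43 L2CAP,Slave,1,0x0001,,4,Connection response,0x0062,0x0045,8,,,,,,,,
Frame 44 L2CAP,Slave,1,0x0001,,2,Configure request,,0x0062,8,,,,,,,,
Frame 45 L2CAP,Master,1,0x0001,,5,Configure request,,0x0045,8,,,,,,,,
Frame 46 L2CAP,Master,1,0x0001,,2,Configure response,0x0045,,6,,,,,,,,
Frame 47 L2CAP,Slave,1,0x0001,,5,Configure response,0x0062,,6,,,,,,,,
Frame 48 L2CAP,Master,1,0x0045,,,,,,4,,,,,,,,
Frame 77 L2CAP,Master,1,0x0001,,6,Disconnection request,0x0062,0x0045,4,,,,,,,,
Frame 78 L2CAP,Slave,1,0x0001,,6,Disconnection response,0x0062,0x0045,4,,,,,,,,
"""


def _cid(text):
    return int(text, 16) if text else None


def parse_line(line):
    """Inferred columns: role, AM_ADDR, CID, PSM, identifier, code, SCID, DCID, length."""
    head, sep, rest = line.partition(" L2CAP,")
    if not sep:
        return None
    f = rest.split(",")
    return {
        "frame": int(head.split()[1]), "role": f[0], "cid": _cid(f[2]),
        "psm": f[3], "ident": f[4], "code": f[5],
        "scid": _cid(f[6]), "dcid": _cid(f[7]),
    }


def track(lines):
    """Return (channels, anomalies) for a sequence of export lines."""
    pending, channels, by_cid, anomalies = {}, [], {}, []
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["cid"] != SIGNALLING_CID:
            # Data frame: the CID must belong to a channel that is open.
            ch = by_cid.get(p["cid"])
            if ch is None or ch["state"] != "OPEN":
                anomalies.append((p["frame"], "data on a channel that is not open"))
            else:
                ch["data_frames"] += 1
            continue
        code = p["code"]
        if code == "Connection request":
            pending[p["ident"]] = p
        elif code == "Connection response":
            req = pending.pop(p["ident"], None)
            if req is None:
                anomalies.append((p["frame"], "connection response without request"))
                continue
            ch = {"psm": req["psm"], "initiator_cid": p["scid"],
                  "acceptor_cid": p["dcid"], "state": "CONFIG",
                  "configured": set(), "data_frames": 0}
            channels.append(ch)
            by_cid[p["scid"]] = by_cid[p["dcid"]] = ch
        elif code == "Configure response":
            ch = by_cid.get(p["scid"])
            if ch is not None:
                ch["configured"].add(p["scid"])
                if len(ch["configured"]) == 2:  # both directions configured
                    ch["state"] = "OPEN"
        elif code == "Disconnection response":
            ch = by_cid.get(p["dcid"])
            if ch is not None:
                ch["state"] = "CLOSED"
    return channels, anomalies


if __name__ == "__main__":
    chans, odd = track(PAGE_EXPORT.splitlines())
    for ch in chans:
        print(f"PSM {ch['psm']}: 0x{ch['initiator_cid']:04x} <-> "
              f"0x{ch['acceptor_cid']:04x}, {ch['data_frames']} data frame(s), {ch['state']}")
    print("anomalies:", odd)
```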

SDP

The following picture shows a screenshot from the Bluetooth analyzer displaying SDP information.

THE FOLLOWING LISTING SHOWS HOW ONE DEVICE REQUESTED INFORMATION ABOUT THE OBEX SERVICE. THE MEASUREMENT WAS DONE DURING AN OPP.

Frame 32 SDP,Master,1,0x0000,Search Request,8,OBEXPush
Frame 34 SDP,Slave,1,0x0000,Search Response,9,0x 00 01 00 01
Frame 35 SDP,Master,1,0x0001,Attribute Request,14,0x 00 01 00 01
Frame 39 SDP,Slave,1,0x0001,Attribute Response,125,

THE FOLLOWING SHOWS DETAILED LISTING OF THE FRAMES FROM ABOVE.

Frame 32 (Master)--- Length: 25 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4610

SDP:

Role: Master Address: 1

PDU ID: SDP_ServiceSearchRequest

Transaction ID: 0x0000 Parameter Length: 8

List of Requested Services:

UUID: OBEX Object Push

Max Num Service Records to Return: 20 Bytes for continuation length: 0

Frame 34 (Slave)--- Length: 9 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4867 --

SDP:

Role: Slave Address: 1

PDU ID: SDP_ServiceSearchResponse Transaction ID: 0x0000

Parameter Length: 9

Total Number of Record Matches: 1 Num Service Handles Returned: 1 Service Record Handle List:

Service Record Handle: 0x 00 01 00 01 Bytes for continuation length: 0

Frame 35 (Master)--- Length: 31 --- Errors: 0 --- Time: 10.08.2004 16:43:48.4910

SDP:

Role: Master Address: 1

PDU ID: SDP_ServiceAttributeRequest Transaction ID: 0x0001

Parameter Length: 14

Service Record Handle: 0x 00 01 00 01

Max Amount of Attribute Data to Return: 1596 List of Requested Attributes:

Attribute Range: Service Record Handle - [65535]

Bytes for continuation length: 0

Frame 39 (Slave)--- Length: 91 --- Errors: 0 --- Time: 10.08.2004 16:43:48.5229 -

SDP:

Role: Slave Address: 1

PDU ID: SDP_ServiceAttributeResponse Transaction ID: 0x0001

Parameter Length: 125

Attribute List Byte Count: 122 Attribute List:

Attribute: Service Record Handle

Service Record Handle: 0x 00 01 00 01 Attribute: Service Class ID List

UUID: OBEX Object Push Attribute: Protocol Descriptor List

UUID: L2CAP

UUID: RFCOMM

Channel Number: 2

UUID: OBEX

Attribute: Browse Group List

UUID: Public Browse Group

Attribute: Language Base Attribute ID List Language Identifier: 0x656e Character Encoding: 0x006a Language base ID: 0x0100 Attribute: Service Availability Unsigned Integer: 255

Attribute: Bluetooth Profile Descriptor List

UUID: OBEX Object Push

Version: 0x0100

Attribute: Service Name String: PIM Item Transfer Attribute: Supported Formats List

Supported Formats List: vCard 2.1 Supported Formats List: vCard 3.0 Supported Formats List: vCal 1.0 Supported Formats List: iCal 2.0 Supported Formats List: vNote Supported Formats List: vMessage

Supported Formats List: Any type of object Bytes for continuation length: 0

RFCOMM

RFCOMM is an emulation of a serial connection. It can simulate a serial transmission as well as modem signals.

RFCOMM is based on L2CAP.

The following listing shows the establishment of an RFCOMM connection. An L2CAP connection must have been established before RFCOMM can open a connection.

Frame 48 RFCOMM,Master,1,0x00,0,SABM,1,,
Frame 49 RFCOMM,Slave,1,0x00,0,UA,1,,
Frame 50 RFCOMM,Master,1,0x00,0,UIH,0,Param. Neg.,4
Frame 51 RFCOMM,Slave,1,0x00,0,UIH,0,Param. Neg.,4
Frame 56 RFCOMM,Master,1,0x02,2,SABM,1,,
Frame 57 RFCOMM,Slave,1,0x02,2,UA,1,,
Frame 58 RFCOMM,Master,1,0x00,0,UIH,0,Modem Status,
Frame 59 RFCOMM,Slave,1,0x00,0,UIH,0,Modem Status,
Frame 60 RFCOMM,Slave,1,0x00,0,UIH,0,Modem Status,
Frame 61 RFCOMM,Master,1,0x00,0,UIH,0,Modem Status,
Frame 62 RFCOMM,Master,1,0x02,2,UIH,0,,
Frame 63 RFCOMM,Slave,1,0x02,2,UIH,1,,1
Frame 72 RFCOMM,Master,1,0x02,2,DISC,1,,
Frame 74 RFCOMM,Slave,1,0x02,2,UA,1,,
Frame 75 RFCOMM,Master,1,0x00,0,DISC,1,,
Frame 76 RFCOMM,Slave,1,0x00,0,UA,1,,
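
The detailed listings that follow print an address byte and an FCS for every RFCOMM frame. The following Python sketch is an added example, not part of the original exercise. It decodes the address byte and recomputes the FCS from the address, frame type and Poll/Final bit, so that a corrupted or altered header can be recognised. The control-field values and the CRC come from 3GPP TS 07.10, on which RFCOMM is based, and are not printed on this page; the function names are hypothetical.

```python
# Control-field values with the P/F bit cleared (TS 07.10, reused by RFCOMM).
CONTROL = {"SABM": 0x2F, "UA": 0x63, "DM": 0x0F, "DISC": 0x43, "UIH": 0xEF}
PF_BIT = 0x10

# (frame, address byte, frame type, P/F bit, FCS) as printed in the detailed
# listings on this page.
PAGE_FRAMES = [
    (48, 0x03, "SABM", 1, 0x1C),
    (49, 0x03, "UA", 1, 0xD7),
    (50, 0x03, "UIH", 0, 0x70),
    (51, 0x01, "UIH", 0, 0xAA),
    (56, 0x13, "SABM", 1, 0x96),
    (57, 0x13, "UA", 1, 0x5D),
    (62, 0x13, "UIH", 0, 0x65),
]


def fcs(data: bytes) -> int:
    """CRC-8 with polynomial x^8 + x^2 + x + 1, bit-reflected, ones' complement."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xE0 if crc & 1 else crc >> 1
    return 0xFF - crc


def decode_address(addr: int) -> dict:
    """Split the address byte into EA, C/R and the 6-bit DLCI."""
    dlci = addr >> 2
    return {
        "ea": addr & 1,              # 1 = address field is a single byte
        "cr": (addr >> 1) & 1,       # command/response bit
        "dlci": dlci,                # direction bit plus server channel
        "direction": dlci & 1,
        "server_channel": dlci >> 1,
    }


def expected_fcs(addr: int, frame_type: str, pf: int) -> int:
    """FCS a receiver would compute for this header."""
    control = CONTROL[frame_type] | (PF_BIT if pf else 0)
    covered = bytes([addr, control])
    if frame_type != "UIH":
        # SABM, UA, DM and DISC: the length byte is covered too.
        # These frames carry no payload, so the byte is length 0 with EA = 1.
        covered += bytes([0x01])
    return fcs(covered)


def verify(frames: list) -> list:
    """Return (frame number, True/False) for each listed frame."""
    return [(n, expected_fcs(addr, kind, pf) == seen)
            for n, addr, kind, pf, seen in frames]


if __name__ == "__main__":
    for (n, addr, kind, pf, seen), (_, ok) in zip(PAGE_FRAMES, verify(PAGE_FRAMES)):
        a = decode_address(addr)
        print(f"frame {n}: {kind:4} DLCI {a['dlci']} channel {a['server_channel']} "
              f"C/R {a['cr']} FCS 0x{seen:02x} {'ok' if ok else 'MISMATCH'}")
```

Address 0x13 decodes to server channel 2 and DLCI 4, which is the DLCI named in the Parameter Negotiation and Modem Status frames.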

Now you can see the frames from above in detail.

Frame 48 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6223

RFCOMM:

Role: Master Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Set Async Balanced Mode Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0x1c

Frame 49 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6479

RFCOMM:

Role: Slave Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator

Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Acknowledgement Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0xd7

Frame 50 (Master)--- Length: 26 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6523

RFCOMM:

Role: Master Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended Length: 10

UIH Command/Response:

Command Type: Parameter Negotiation Command/Response: Command

Type Extension: Not Extended Length Extension: Not Extended

Length: 8

Parameter Negotiation:

DLCI: 4

Credit Based Flow Control: Sender Supports CFC Type of Frame for Information: UIH Frames

Priority: 0

Acknowledgement Timer: 0 Maximum Frame Size: 1685

Maximum Number of Retransmission: 0 Initial Number of Credits: 4

FCS: 0x70

Frame 51 (Slave)--- Length: 26 --- Errors: 0 --- Time: 10.08.2004 16:43:48.6579

RFCOMM:

Role: Slave Address: 1 Address: 0x01

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Responder Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended Length: 10

UIH Command/Response:

Command Type: Parameter Negotiation Command/Response: Response

Type Extension: Not Extended Length Extension: Not Extended

Length: 8

Parameter Negotiation:

DLCI: 4

Credit Based Flow Control: Responder Supports CFC Type of Frame for Information: UIH Frames

Priority: 0

Acknowledgement Timer: 0 Maximum Frame Size: 1685

Maximum Number of Retransmission: 0 Initial Number of Credits: 4

FCS: 0xaa

Frame 56 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.7848

RFCOMM:

Role: Master Address: 1 Address: 0x13

DLCI: 0x02

Server Channel: 2

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Set Async Balanced Mode Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0x96

Frame 57 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8079

RFCOMM:

Role: Slave Address: 1 Address: 0x13

DLCI: 0x02

Server Channel: 2

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Acknowledgement Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0x5d

Frame 58 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8123

RFCOMM:

Role: Master Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended Length: 4

UIH Command/Response:

Command Type: Modem Status Command Command/Response: Command

Type Extension: Not Extended Length Extension: Not Extended

Length: 2

Modem Status Command:

DLCI: 4

Command/Response: Command Extension Bit: Not Extended

DV - Data Valid: Valid Data Being Sent

IC - Incoming Call Indicator: No Call Incoming RTR - Ready to Receive: Ready

RTC - Ready to Communicate: Ready Flow Control: Off

Extension Bit: Not Extended FCS: 0x70

Frame 59 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8379

RFCOMM:

Role: Slave Address: 1 Address: 0x01

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Responder Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended Length: 4

UIH Command/Response:

Command Type: Modem Status Command Command/Response: Response

Type Extension: Not Extended Length Extension: Not Extended

Length: 2

Modem Status Command:

DLCI: 4

Command/Response: Command Extension Bit: Not Extended

DV - Data Valid: Valid Data Being Sent

IC - Incoming Call Indicator: No Call Incoming RTR - Ready to Receive: Ready

RTC - Ready to Communicate: Ready Flow Control: Off

Extension Bit: Not Extended FCS: 0xaa

Frame 60 (Slave)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8404

RFCOMM:

Role: Slave Address: 1 Address: 0x01

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Responder Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended Length: 4

UIH Command/Response:

Command Type: Modem Status Command

Command/Response: Command Type Extension: Not Extended Length Extension: Not Extended

Length: 2

Modem Status Command:

DLCI: 4

Command/Response: Command Extension Bit: Not Extended

DV - Data Valid: Valid Data Being Sent

IC - Incoming Call Indicator: No Call Incoming RTR - Ready to Receive: Ready

RTC - Ready to Communicate: Ready Flow Control: Off

Extension Bit: Not Extended FCS: 0xaa

Frame 61 (Master)--- Length: 20 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8448

RFCOMM:

Role: Master Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended Length: 4

UIH Command/Response:

Command Type: Modem Status Command Command/Response: Response

Type Extension: Not Extended Length Extension: Not Extended

Length: 2

Modem Status Command:

DLCI: 4

Command/Response: Command Extension Bit: Not Extended

DV - Data Valid: Valid Data Being Sent

IC - Incoming Call Indicator: No Call Incoming RTR - Ready to Receive: Ready

RTC - Ready to Communicate: Ready Flow Control: Off

Extension Bit: Not Extended FCS: 0x70

Frame 62 (Master)--- Length: 23 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8460

RFCOMM:

Role: Master Address: 1 Address: 0x13

DLCI: 0x02

Server Channel: 2

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 0

Length Extension: Not Extended

Length: 7 FCS: 0x65

Frame 63 (Slave)--- Length: 24 --- Errors: 0 --- Time: 10.08.2004 16:43:48.8704

RFCOMM:

Role: Slave Address: 1 Address: 0x11

DLCI: 0x02

Server Channel: 2

Direction: Responder to Initiator Command/Response: Responder Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Info with Header Check Poll/Final Bit: 1

Length Extension: Not Extended Length: 7

Credits: 1 FCS: 0xa3

Frame 72 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1460

RFCOMM:

Role: Master Address: 1 Address: 0x13

DLCI: 0x02

Server Channel: 2

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Disconnect Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0x77

Frame 74 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1729

RFCOMM:

Role: Slave Address: 1 Address: 0x13

DLCI: 0x02

Server Channel: 2

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Acknowledgement Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0x5d

Frame 75 (Master)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.1773

RFCOMM:

Role: Master Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Disconnect Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0xfd

Frame 76 (Slave)--- Length: 16 --- Errors: 0 --- Time: 10.08.2004 16:43:49.2017

RFCOMM:

Role: Slave Address: 1 Address: 0x03

DLCI: 0x00

Server Channel: 0

Direction: Responder to Initiator Command/Response: Initiator Started C/R Sequence Extension Bit: Not Extended

Frame Type: Unnumbered Acknowledgement Poll/Final Bit: 1

Length Extension: Not Extended Length: 0

FCS: 0xd7
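
The Address and FCS values in the RFCOMM decodes above can be re-derived from the header bits. The following is an added example, not part of the original exercise or the analyzer software: it splits the address octet into its fields and recomputes the FCS for the listed frames. The control-octet values and CRC parameters are taken from the RFCOMM / TS 07.10 specification, not from this page.

```python
# Control octets with the P/F bit (0x10) cleared, per RFCOMM / TS 07.10.
FRAME_TYPES = {0x2F: "SABM", 0x63: "UA", 0x0F: "DM", 0x43: "DISC", 0xEF: "UIH"}
CONTROL = {name: value for value, name in FRAME_TYPES.items()}
PF_BIT = 0x10


def rfcomm_fcs(octets):
    """CRC-8, polynomial x^8 + x^2 + x + 1, bit-reflected (0xE0), init 0xFF.

    The FCS only detects transmission errors; anyone can recompute it,
    so it gives no protection against deliberate modification.
    """
    crc = 0xFF
    for octet in octets:
        crc ^= octet
        for _ in range(8):
            crc = (crc >> 1) ^ 0xE0 if crc & 1 else crc >> 1
    return 0xFF - crc  # ones' complement of the remainder


def decode_address(address):
    """Split the address octet into the fields the analyzer prints."""
    return {
        "ea": address & 1,               # 1 is shown as "Not Extended"
        "cr": (address >> 1) & 1,        # command/response bit
        "direction": (address >> 2) & 1,
        "server_channel": address >> 3,
        "dlci": address >> 2,            # direction bit + server channel
    }


def fcs_matches(address, frame_type, pf, length, fcs):
    """Rebuild the covered octets from decoded fields and compare the FCS."""
    control = CONTROL[frame_type] | (PF_BIT if pf else 0)
    covered = [address, control]
    if frame_type != "UIH":
        # SABM, UA, DM and DISC also cover the one-octet length field.
        covered.append((length << 1) | 1)
    return rfcomm_fcs(covered) == fcs


# Header fields copied from the decodes above:
# (frame number, address, frame type, P/F bit, length, FCS)
CAPTURED = [
    (58, 0x03, "UIH", 0, 4, 0x70),
    (59, 0x01, "UIH", 0, 4, 0xAA),
    (62, 0x13, "UIH", 0, 7, 0x65),
    (63, 0x11, "UIH", 1, 7, 0xA3),
    (72, 0x13, "DISC", 1, 0, 0x77),
    (74, 0x13, "UA", 1, 0, 0x5D),
    (75, 0x03, "DISC", 1, 0, 0xFD),
    (76, 0x03, "UA", 1, 0, 0xD7),
]


def frames_with_bad_fcs(frames):
    """Return the frame numbers whose FCS does not match the header."""
    return [frame[0] for frame in frames if not fcs_matches(*frame[1:])]


if __name__ == "__main__":
    for frame, address, *_ in CAPTURED:
        print(frame, decode_address(address))
    print("frames with bad FCS:", frames_with_bad_fcs(CAPTURED))
```

Address 0x13 decodes to DLCI 4 with server channel 2, which matches the "DLCI: 4" inside the Modem Status Command; the value printed on the analyzer's header line (0x02) corresponds to the server channel.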

OBEX

OPP / FTP

Frame 68 (Slave)--- Length: 49 --- Errors: 0 --- Time: 10.08.2004 16:43:49.0729

OPP:

Role: Slave Address: 1

Data: BEGIN:VCARD ..VERSION:2.1

..N:Administrator;Vhb ..FN:Vhb Administrator

..ADR;WORK:;;Pruefeninger Str.58;Regensburg;;93049;Germany ..ORG:University of Applied Sciences Regensburg

..TEL;WORK;VOICE:+49-941-9431309

..URL;WORK:http://labserver.fh-regensburg.de/wicnet ..EMAIL;INTERNET;PREF:wicnet@fh-regensburg.de

..X-IRMC-LUID:03000000 ..END:VCARD..

LAN missing

DUN

The Dial-Up Networking profile runs on top of RFCOMM. It uses the encapsulated PPP protocol, like other network connections that use a modem. The protocols used for DUN are therefore not very specific to Bluetooth, and we will take only a short look at them.

The Bluetooth Analyzer can also analyze and display frames in higher layers, in this case up to HTTP.

The following frame shows the security problem with unencrypted user authentication: the user name and password are readable in the captured frame.

Frame 3,039 (Master)--- Length: 44 --- Errors: 0 --- Time: 08.08.2004 19:49:15.4

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x12c3

End Flag: 0x7e PPP:

Protocol: Password Authentication Protocol Type: Configure Request

Identifier: 5 Length: 22

ID Length: 8 Peer ID: pamiller Password Length: 8

Password: admin123

By the way, the password used is not very secure.
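
The PAP frame above, rebuilt and decoded field by field, next to what a CHAP exchange puts on the link instead. This is an added example, not part of the original exercise: the packet layout follows RFC 1334 (which calls the code-1 packet an Authenticate-Request, while the analyzer labels it "Configure Request"), the CHAP calculation follows RFC 1994, and the challenge value is a constructed sample.

```python
import hashlib
import struct

PPP_PAP = 0xC023    # PPP protocol number for PAP (RFC 1334)
PAP_AUTH_REQ = 1    # the analyzer labels this code "Configure Request"


def build_pap_request(ident, peer_id, password):
    """Constructed sample: PPP protocol field followed by a PAP request."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    header = struct.pack("!HBBH", PPP_PAP, PAP_AUTH_REQ, ident, 4 + len(body))
    return header + body


def parse_pap_request(payload):
    """Decode a PAP request the way a passive capture tool does."""
    if len(payload) < 6:
        raise ValueError("too short for a PAP header")
    proto, code, ident, length = struct.unpack("!HBBH", payload[:6])
    if proto != PPP_PAP or code != PAP_AUTH_REQ:
        raise ValueError("not a PAP Authenticate-Request")
    packet = payload[2:2 + length]
    if length < 6 or len(packet) != length:
        raise ValueError("bad PAP length field")
    id_len = packet[4]
    pw_off = 5 + id_len
    if pw_off >= length:
        raise ValueError("peer ID overruns packet")
    pw_len = packet[pw_off]
    if pw_off + 1 + pw_len > length:
        raise ValueError("password overruns packet")
    return {
        "identifier": ident,
        "length": length,
        "peer_id": packet[5:pw_off],
        "password": packet[pw_off + 1:pw_off + 1 + pw_len],
    }


def chap_md5_response(ident, secret, challenge):
    """CHAP with MD5 (RFC 1994): hash over identifier, secret, challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_wire_bytes(ident, secret, challenge):
    """What a sniffer sees of a CHAP exchange: challenge plus response."""
    return challenge + chap_md5_response(ident, secret, challenge)


# Field values from the frame above; the challenge is a constructed sample.
PAP_FRAME = build_pap_request(5, b"pamiller", b"admin123")
CHALLENGE = bytes(range(0x30, 0x40))

if __name__ == "__main__":
    print(parse_pap_request(PAP_FRAME))
    print("secret in PAP bytes: ", b"admin123" in PAP_FRAME)
    print("secret in CHAP bytes:",
          b"admin123" in chap_wire_bytes(5, b"admin123", CHALLENGE))
```

CHAP keeps the secret off the link, but a captured challenge and response can still be checked offline against guessed passwords, so a weak password remains a weakness.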

The following listing is an example of the PPP dialog when a network connection begins.

--- Frame 3,039 (Master)--- Length: 44 --- Errors: 0 --- Time: 08.08.2004 19:49:15.4672 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x12c3

End Flag: 0x7e PPP:

Protocol: Password Authentication Protocol Type: Configure Request

Identifier: 5 Length: 22

ID Length: 8 Peer ID: jmeier2 Password Length: 8 Password: abcdefgh

--- Frame 3,062 (Slave)--- Length: 69 --- Errors: 1 --- Time: 08.08.2004 19:49:15.6379 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Address/Control: Suppressed Text: #.!.. . MAXM;

PPP:

Protocol: Link Control Protocol Type: Identification

Identifier: 2 Length: 11

Magic Number: 0

Magic Number Data: 0x 4d 41 58

--- Frame 3,127 (Slave)--- Length: 65 --- Errors: 0 --- Time: 08.08.2004 19:49:16.0404 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Address/Control: Suppressed Framing: Flag Suppressed

CRC: 0x1142 End Flag: 0x7e PPP:

Protocol: Password Authentication Protocol Type: Configure Ack

Identifier: 5 Length: 5

Message Length: 0

--- Frame 3,130 (Master)--- Length: 33 --- Errors: 0 --- Time: 08.08.2004 19:49:16.0435 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x3e62

End Flag: 0x7e PPP:

Protocol: Compression Control Protocol Type: Configure Request

Identifier: 5 Length: 10

CCP Option: Microsoft PPC

Length: 6

Data: 0x 00 00 00 01

--- Frame 3,132 (Master)--- Length: 62 --- Errors: 0 --- Time: 08.08.2004 19:49:16.0460 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x0cb0

End Flag: 0x7e PPP:

Protocol: Internet Protocol Control Protocol Type: Configure Request

Identifier: 6 Length: 40

IPCP Option: IP-Compression-Protocol

Length: 6

Comprression Protocol: Van Jacobson Compressed TCP/IP Compr. Data: 0x 0f 01

IPCP Option: IP-Address

Length: 6

Requested IP Address: 0.0.0.0 IPCP Option: Primary DNS Server Address

Length: 6

Primary DNS Address: 0.0.0.0

IPCP Option: Primary NBNS Server Address

Length: 6

Primary NBNS Address: 0.0.0.0

IPCP Option: Secondary DNS Server Address

Length: 6

Secondary DNS Address: 0.0.0.0

IPCP Option: Secondary NBNS Server Address

Length: 6

Secondary NBNS Address: 0.0.0.0

--- Frame 3,134 (Master)--- Length: 38 --- Errors: 0 --- Time: 08.08.2004 19:49:16.0485 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0xab9f

End Flag: 0x7e PPP:

Protocol: Internet Protocol Control Protocol Type: Configure Ack

Identifier: 1 Length: 16

IPCP Option: IP-Compression-Protocol

Length: 6

Comprression Protocol: Van Jacobson Compressed TCP/IP Compr. Data: 0x 0f 01

IPCP Option: IP-Address

Length: 6

Requested IP Address: 194.95.104.200

--- Frame 3,138 (Master)--- Length: 33 --- Errors: 0 --- Time: 08.08.2004 19:49:16.0522 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x0bad

End Flag: 0x7e PPP:

Protocol: Compression Control Protocol Type: Configure Reject

Identifier: 1 Length: 10

CCP Option: Stac Electronics LZS

Length: 6

Data: 0x 00 01 01 03

--- Frame 3,164 (Master)--- Length: 39 --- Errors: 0 --- Time: 08.08.2004 19:49:16.1935 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x213b

End Flag: 0x7e PPP:

Protocol: Compression Control Protocol Type: Terminate Request

Identifier: 7 Length: 16

--- Frame 3,179 (Slave)--- Length: 9 --- Errors: 0 --- Time: 08.08.2004 19:49:16.2441 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0xc6b2

End Flag: 0x7e PPP:

Protocol: Multi-Link

--- Frame 3,190 (Master)--- Length: 51 --- Errors: 0 --- Time: 08.08.2004 19:49:16.2697 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0xdb7c

End Flag: 0x7e PPP:

Protocol: Internet Protocol Control Protocol Type: Configure Request

Identifier: 8 Length: 28

IPCP Option: IP-Compression-Protocol

Length: 6

Comprression Protocol: Van Jacobson Compressed TCP/IP Compr. Data: 0x 0f 01

IPCP Option: IP-Address

Length: 6

Requested IP Address: 0.0.0.0 IPCP Option: Primary DNS Server Address

Length: 6

Primary DNS Address: 0.0.0.0

IPCP Option: Secondary DNS Server Address

Length: 6

Secondary DNS Address: 0.0.0.0

--- Frame 3,204 (Slave)--- Length: 25 --- Errors: 0 --- Time: 08.08.2004 19:49:16.3391 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Present CRC: 0xe382

End Flag: 0x7e PPP:

Protocol: Link Control Protocol Type: Protocol Reject

Identifier: 3 Length: 22

Rejected Protocol: Compression Control Protocol Reject Info.: 0x 05 07 00 10 4a 72...

--- Frame 3,240 (Master)--- Length: 51 --- Errors: 0 --- Time: 08.08.2004 19:49:16.4047 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x4e75

End Flag: 0x7e PPP:

Protocol: Internet Protocol Control Protocol Type: Configure Request

Identifier: 9 Length: 28

IPCP Option: IP-Compression-Protocol

Length: 6

Comprression Protocol: Van Jacobson Compressed TCP/IP

Compr. Data: 0x 0f 01 IPCP Option: IP-Address

Length: 6

Requested IP Address: 194.95.104.223 IPCP Option: Primary DNS Server Address

Length: 6

Primary DNS Address: 194.95.104.1 IPCP Option: Secondary DNS Server Address

Length: 6

Secondary DNS Address: 132.199.1.2

--- Frame 3,280 (Master)--- Length: 119 --- Errors: 0 --- Time: 08.08.2004 19:49:16.7085 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0xc225

End Flag: 0x7e PPP:

Protocol: Internet Protocol ver.4 IPv4:

Version: Internet Protocol ver. 4 Header Length: 5

Type of Service:

Precedence: 000 Routine Delay: 0 Normal

Throughput: 0 Normal Reliability: 0 Normal Reserved: 00

Total Length: 96

Identification: 0x0371 Control Flags:

Reserved: 0 DF: May Fragment MF: Last Fragment

Fragment Offset: 0 Time to live sec.: 128

Protocol: User Datagram Protocol Header Checksum: 0x0bde

Source Address: 194.95.104.223

Destination Address: 255.255.255.255

--- Frame 3,349 (Master)--- Length: 118 --- Errors: 0 --- Time: 08.08.2004 19:49:17.4666 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0xab01

End Flag: 0x7e PPP:

Protocol: Internet Protocol ver.4 IPv4:

Version: Internet Protocol ver. 4 Header Length: 5

Type of Service:

Precedence: 000 Routine Delay: 0 Normal

Throughput: 0 Normal Reliability: 0 Normal Reserved: 00

Total Length: 96

Identification: 0x0375 Control Flags:

Reserved: 0 DF: May Fragment MF: Last Fragment

Fragment Offset: 0 Time to live sec.: 128

Protocol: User Datagram Protocol Header Checksum: 0x0bda

Source Address: 194.95.104.223

Destination Address: 255.255.255.255

--- Frame 3,416 (Master)--- Length: 118 --- Errors: 0 --- Time: 08.08.2004 19:49:18.2147 ---

Protocol Decodes ---

Encapsulated AsyncPPP:

Start Flag: 0x 7e

Address/Control: Suppressed CRC: 0x9797

End Flag: 0x7e PPP:

Protocol: Internet Protocol ver.4 IPv4:

BNEP missing

Part II - Analyzing Live Frames

Introduction

Starting the analyzer

Synchronizing to the Piconet

Measuring

Analyzing the frames

Printing frames

Measuring LAN

Measuring DUN

Questionnaire

INTRODUCTION

[Figure: lab network diagram. Labels: PC vhb12, Modem, 192.168.30.159, Analyzer Interface 192.168.30.99]

VHB21 is your exercise computer to which you are connected via the Windows Remote Console Interface.

On the exercise computer you have one normal Bluetooth interface to make connections to other devices. You also have an analyzer interface with which you can spy on and analyse the Bluetooth traffic within reach.

You have two possible Bluetooth clients: Modem and VHB12. VHB12 is another Windows computer with the same Bluetooth interface as the exercise computer.

STARTING THE ANALYZER

The analyzer consists of the software that you will use during this exercise and a Bluetooth adapter that is able to capture Bluetooth frames over the air.

For the generation of Bluetooth traffic, there is also an ANYCOM Bluetooth adapter installed which you know already from the Exercise: Installing Bluetooth.

Double click on the Analyzer icon on the Desktop.

You can see the following two windows on your screen. The upper one is the main analyzer window. The lower one is used to setup the Source (Piconet) that should be captured.

[Lab network diagram labels, continued: 192.168.30.0, Bluetooth, PC vhb22]

Expand the CHANNEL MAP. This will show you all the available RF channels that can be used by Bluetooth. During the measurement the color will change indicating that traffic was recognized on the corresponding channel.

A red status symbol indicates that there is no synchronization to any Piconet at the moment.

SYNCHRONIZING TO THE PICONET

We assume you have done the previous exercise and have started the analyzer.

Click on I/O PARAMETERS. The following window will be displayed.

Click on DISCOVER BLUETOOTH DEVICES. The following window is displayed.

Wait until the discovery has been finished. The window is closed automatically.

Several Bluetooth devices should have been discovered. The one we need for further analysis is vhb22. This is the Bluetooth device of this exercise computer.

Select Master Inquiry and LAP. The fields should be filled automatically with the corresponding parts of the Hardware Address of the Bluetooth device vhb22.

MAC: 00 02 72 01 00 bd → LAP: 01 00 bd, UAP: 72, NAP: 00 02

Click OK to go back to the Data Source Window.

Click on START SNIFFING.

The symbol in the status field turns blue when the analyzer has synchronized to the clock of the Piconet, which is the clock of the Piconet Master (vhb22). The channels in the Channel Map also turn blue one by one. It may take some time until the synchronization is done.

If the synchronization fails, click on STOP SNIFFING and go back to the I/O PARAMETERS. Check the settings again.

Check that vhb22 has been discovered and that the address is available in the list of Bluetooth devices in the Master Device area.

MEASURING

We assume you have done the previous exercise and are synchronized to the Piconet where vhb22 is the master.

Click on the green arrow button to start capturing the frames.

In the Frame Compiler field you can see how many frames have been captured and compiled for display when you have started your Bluetooth connections.

Open the Bluetooth Application. Right click on the Bluetooth icon in the task bar…

Search for the vhb12-Test-Computer and all the available Services on that Computer.

Start the PIM Item Transfer and receive a business card from vhb12.

Go to the Main Analyzer window. In the next exercise we will analyze the frames.

ANALYZING FRAMES

Go to the Main Analyzer window.

You should see some Frames in the Frame Compiler field.

Click on the FRAME DISPLAY icon.

The Frame Display window has been opened showing the frames from the current measurement.

You will see many panes showing the frames in summary, detail, hex, binary and ASCII format. We will not need the hex, binary and ASCII displays later. Open the VIEW menu and disable them.

There is also a row of tabs where you can select the protocols you want to view. If you select, for instance, the RFCOMM tab, you see only those frames carrying RFCOMM information.

Check the different protocol tabs (Baseband, LMP, L2CAP, RFCOMM…)

In the Detail pane you can see all layers of a frame in detail. You can expand the different layers to view more details.

Select one OBEX frame and expand all protocol layers. Go through the layers and try to understand the displayed information.

PRINTING FRAMES

You can print your results to a local file on the exercise system. Then you can open that file and transfer the text using copy and paste to your local computer.

Open the FILE MENU and select PRINT…

Here you can set up many options to format your printer output. We give you some advice to get a good printout.

In the Summary Section select NO SUMMARY SECTION.

In the Error Section select PER FRAME ERROR SETTINGS.

In the Decoder Section select ALL LAYERS.

In the Output Section select ALL FRAMES if you do not know better. You also can select frames to print in the Frame Display Window. If you have done so, choose CURRENTLY SELECTED FRAMES.

Select SEND TO FILE and choose a file name and path. You must remember them later to find the file again.

Click on PRINT.

Open the printed file on the exercise system with the Editor and SELECT ALL text.

Use COPY.

Open an editor on your local computer and use PASTE to get all text into your local file.

Stop the Measuring

Open the LIVE MENU and select CLEAR.

In the next dialog box, the system asks whether you want to save the files or drop them.

Select CLEAR BUFFER. If you save them, they will be erased on the next exercise interval.

MEASURING LAN

Check that the SNIFFING is on and the Analyzer is synchronized to vhb22.

Start the Frame Capture.

Open the Bluetooth Application, search for vhb12 and open the Network Access Point Connection.

Open the Command Prompt and enter PING 192.168.30.159

Click on STOP SNIFFING.

Open the Frame Display Window to analyze the frames.

Print all frames to a local file and copy them onto your computer.

Select, print and copy all frames that contain the ICMP protocol.

Select, print and copy all frames that contain SDP information.

Stop the measuring and clear the frame buffer.

MEASURING DUN

Check that the SNIFFING is on and the Analyzer is synchronized to vhb22.

Start the Frame Capture.

Open the Bluetooth Application, search for the Bluetooth Modem and open the Dial-up Networking Connection.

Open the Command Prompt and enter PING 192.168.10.140

Click on STOP SNIFFING.

Open the Frame Display Window to analyze the frames.

Print all frames to a local file and copy them onto your computer.

Select, print and copy all frames that contain the ICMP protocol.

Select, print and copy all frames that contain SDP information.

Stop the measuring and clear the frame buffer.

This is the end of the Bluetooth Analyzing exercise. Please feel free to continue with your own analyses in our virtual laboratory. But please do not spy on others or use the data for unauthorized access to our lab or the rest of our environment.

Do not forget to answer the questions in the next chapter.

QUESTIONNAIRE

Now you should be able to answer some questions about Analyzing Bluetooth that you have learned in these exercises:

(1) Why must the analyzer be synchronized to a Piconet?

(2) What was our synchronization method?

(3) What does the Channel Map show?

(4) To which layer does the SDP protocol belong?
