User manual

4.3.1.11.2 Bluetooth low energy Data Encryption/Master and Slave Assignment
A Bluetooth low energy data connection consists of connection events, which are a series of transmissions on the
same channel. In each connection event the master transmits first, then the slave, and then the devices take turns
until the connection event is finished.
When the data connection is encrypted and the packets are successfully decrypted, the sniffer can determine
exactly who sent which packet (only non-empty, encrypted packets; empty packets are never encrypted). These
packets are labeled either ‘M’ for master or ‘S’ for slave.
When the data connection is unencrypted or when encrypted packets are not successfully decrypted by the
sniffer, the sniffer cannot distinguish the two devices’ (master and slave) packets by their content, just by the
packet timing. In those cases we label each device as side ‘1’ or ‘2’, not as master or slave. In each connection
event, packets sent by the device which transmitted first in the connection event are labeled ‘1’, and packets sent
by the device which transmitted second are labeled ‘2’.
If no packets in the connection event are missed by the sniffer, the device labeled ‘1’ is the master and the device
labeled ‘2’ is the slave. However, if we do not capture the very first packet in a connection event (i.e. the packet
sent by the master) but do capture the packet sent by the slave, we label the slave as side ‘1’ since it is the first
device we heard in the connection event. Because there is potential clock drift since the last connection event,
we cannot use the absolute timing to correct this error; there would still be cases where we get it wrong.
Therefore we always assign ‘1’ to the first packet in a connection event. So even though it is rare, there are
connection events where packets sent by the slave device are labeled ‘1’ and packets sent by the master are
labeled ‘2’.
Finally, in a noisy environment it is also possible that the sniffer does not capture packets in the middle of a
connection event. If this occurs and the sniffer cannot determine the side for the remaining packets in that
connection event, the side is labeled ‘U’ for “unknown”.
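The side-labeling rules above, as an added Python example that is not code from the manual or from the Frontline software. It assumes missed mid-event packets are detected by comparing the gap between packets with the 150 µs BLE inter-frame space; that heuristic, the tolerance value, and all names and sample packets are constructed for illustration.

```python
from dataclasses import dataclass

T_IFS_US = 150        # BLE inter-frame space between packets in one connection event
GAP_SLACK_US = 50     # assumed tolerance for this example, not a Frontline value

@dataclass
class Pkt:
    event: int        # connection event counter
    start_us: int     # capture timestamp of packet start
    dur_us: int       # on-air duration
    sender: str       # ground truth ('M'/'S'); known only because the data is constructed

def label_sides(pkts):
    """Label packets (in capture order) '1'/'2' by order heard per event, 'U' after a gap."""
    labels, prev, side = [], None, None
    for p in pkts:
        if prev is None or p.event != prev.event:
            side = "1"                  # first packet heard in an event is always '1'
        elif side != "U":
            gap = p.start_us - (prev.start_us + prev.dur_us)
            if abs(gap - T_IFS_US) > GAP_SLACK_US:
                side = "U"              # something was missed mid-event; turn order is lost
            else:
                side = "2" if side == "1" else "1"
        labels.append(side)
        prev = p
    return labels

def swapped_events(pkts, labels):
    """Events where label '1' landed on the slave (the master's opening packet was missed)."""
    return sorted({p.event for p, lab in zip(pkts, labels)
                   if lab == "1" and p.sender == "S"})

# Constructed capture: 80 us empty packets, 30 ms connection interval.
CAPTURE = [
    Pkt(0, 0, 80, "M"), Pkt(0, 230, 80, "S"), Pkt(0, 460, 80, "M"),  # complete event
    Pkt(1, 30230, 80, "S"), Pkt(1, 30460, 80, "M"),     # master's first packet missed
    Pkt(2, 60000, 80, "M"), Pkt(2, 60230, 80, "S"),
    Pkt(2, 60690, 80, "S"),                             # packet at 60460 was missed
]

if __name__ == "__main__":
    labels = label_sides(CAPTURE)
    for p, lab in zip(CAPTURE, labels):
        print(f"event {p.event} t={p.start_us:>6}us sender={p.sender} label={lab}")
    print("events with 1/2 swapped:", swapped_events(CAPTURE, labels))
```

When reviewing an unencrypted or undecrypted capture, treat ‘1’ and ‘2’ as per-event labels rather than stable device identities, since event 1 in this sample attributes the slave's packet to side ‘1’.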
4.3.1.11.3 Bluetooth low energy Decryption Status
TELEDYNE LECROY Chapter 4 Capturing and Analyzing Data
56 Frontline BPA low energy Hardware & Software User Manual