Home
/
Teledyne Lecroy
/
Frontline BPA 600
/
Hardware And Software User Manual

Teledyne Lecroy Frontline BPA 600, Hardware And Software User Manual, Page: 311 / 348

Share

Page: 311 / 348

Teledyne Lecroy Frontline BPA 600 Hardware And Software User Manual Download Page 311

A.3 Decrypting Encrypted Bluetooth

®

data with ComProbe BPA 600

A.3.1 How Encryption Works in

Bluetooth

Bluetooth

devices on an encrypted link share a common “link key” used to exchange encrypted data. How

that link key is created depends on the paring method. Paring methods have evolved and changed throughout

Bluetooth

history. The earlier legacy method was used up through

Bluetooth

2.0. Improved and simpler

pairing methods began with Bluetooth 2.1 and remain in the current version

Bluetooth

4.0.

For a

Bluetooth

sniffer to be able to decrypt the encrypted data, it must also have this shared link key. For

obvious security reasons, the link key is never sent over the air, so either the user must get the key out of one
of the devices being sniffed and supply the key to the sniffer or the sniffer must create the key itself.

A.3.2 Legacy Pairing (

Bluetooth

2.0 and earlier)

In legacy pairing, this link key is derived from a shared PIN code, the master’s

Bluetooth

clock, the master’s

BD_ADDR and a random number that is passed between the two devices. If the sniffer has all of this same
data, it can create the link key in the same way that the devices do. The sequence of events used to create
this key, or pairing process, is shown in the ComProbe software Frame Display below.

Frontline BPA 600 Hardware & Software User Manual

303

«
...
309
310
311
312
313
...
»

Summary of Contents for Frontline BPA 600

Page 1: ...Hardware and Software User Manual Revision Date 3 14 2017...

Page 2: ...trademarks of Teledyne LeCroy Inc l BPA 600 l Audio Expert System l Audio Rating Metric l ProbeSync The Bluetooth SIG Inc owns the Bluetooth word mark and logos and any use of such marks by Teledyne...

Page 3: ...Control Window 9 2 3 1 Control Window Toolbar 9 2 3 2 Configuration Information on the Control Window 10 2 3 3 Status Information on the Control Window 10 2 3 4 Frame Information on the Control Windo...

Page 4: ...iding Context For Decoding When Frame Information Is Missing 74 4 3 Analyzing Protocol Decodes 75 4 3 1 The Frame Display 75 4 3 2 Bluetooth Timeline 111 4 3 3 low energy Timeline 126 4 3 4 Coexistenc...

Page 5: ...234 4 7 6 Switching Between Live Update and Review Mode 235 4 7 7 Data Formats and Symbols 235 4 8 Data Audio Extraction 239 Chapter 5 Navigating and Searching the Data 243 5 1 Find 243 5 1 1 Searchin...

Page 6: ...Locations 274 7 1 3 Side Names 276 7 1 4 Timestamping 277 7 2 Technical Information 279 7 2 1 Performance Notes 279 7 2 2 BTSnoop File Format 280 7 2 3 Ring Indicator 282 7 2 4 Progress Bars 283 7 2...

Page 7: ...4 4 Encrypting the Link 313 A 4 5 Encryption Key Generation and Distribution 313 A 4 6 Encrypting The Data Transmission 314 A 4 7 Decrypting Encrypted Data Using Frontline BPA 600 low energy Capture 3...

Page 8: ...iffing and Bluetooth Stack Vendors 329 A 6 8 Case Studies Virtual Sniffing and Bluetooth Mobile Phone Makers 330 A 6 9 Virtual Sniffing and You 330 TELEDYNE LECROY vii Frontline BPA 600 Hardware Softw...

Page 9: ...rontline analyzers use the same powerful Frontline software to help you test troubleshoot and debug communications faster Frontline software is an easy to use and powerful protocol analysis platform S...

Page 10: ...and how to observe the captured packets frames layers and events l Chapter 5 Navigating and Searching the Data Here you will find how to move through the data and how to isolate the data to specific...

Page 11: ...tures for conducting the protocol analysis 2 1 BPA 600 Hardware 2 1 1 Attaching Antennas When you remove the Frontline BPA 600 hardware from the box the first step is to attach the antennas Figure 2 1...

Page 12: ...e USB cable into the USB port on the Frontline BPA 600 hardware The Frontline BPA 600 analyzer requires no external power Figure 2 4 Figure 2 4 BPA 600 USB Connector 2 Insert the other end of the USB...

Page 13: ...s section describes how to load TELEDYNE LECROY Frontline Protocol Analysis System software and how to select the data capture method for your specific application 2 2 1 Opening Data Capture Method On...

Page 14: ...ut F1 Select Data Capture Method dialog buttons 3 Expand the folder and select the data capture method that matches your configuration 4 Click on the Run button and the Frontline Control Window will o...

Page 15: ...e User Manual and maintenance tools 2 2 2 Frontline BPA 600 Data Capture Methods Frontline Protocol Analysis System has different data capture methods to accommodate various applications Figure 2 8 BP...

Page 16: ...low energy Bluetooth sniffing and 802 11 l ProbeSync configurations include o Two BPA 600 units o One BPA 600 unit and one 802 11 unit o One BPA 600 unit and one HSU unit o One BPA 600 unit one HSU un...

Page 17: ...g data contained in the current file Because you cannot capture data while using Capture File Viewer data capture functions are unavailable For example when viewing Ethernet data the Signal Display is...

Page 18: ...Opens Bluetooth Protocol Expert System window Audio Expert System Opens Audio Expert System window Table 2 2 Control Window Toolbar Icons continued 2 3 2 Configuration Information on the Control Windo...

Page 19: ...on off with Ctrl D but it is available only during a live capture l 132911 displays the total frames decoded l 100 displays the percentage of buffer space used 2 3 5 Control Window Menus The menus app...

Page 20: ...a packet chronological format and in packet throughput graph Coexistence View Opens the Coexistence View window that can simultaneously display Classic Bluetooth Bluetooth low energy and 802 11 packet...

Page 21: ...ly to all Frontline products except Set in Target Live Start Capture Shift F5 Begins data capture from the configured wireless devices Stop Capture F10 Stops data capture from the configured wireless...

Page 22: ...tem allows the user to define any number of parameters and save them in templates for later use Each entry in the window takes effect from the beginning of the capture onward or until redefined in the...

Page 23: ...windows are open the menu will display these selections Clicking on the selection will bring that window to the front Table 2 7 Control Window Windows Menu Selections Mode Selection Hot Key Descripti...

Page 24: ...to update your ComProbe hardware with the latest firmware It is very important that you update the firmware If the firmware versions are not the same you will not be able to start sniffing Figure 3 1...

Page 25: ...ou can enter the devices as follows where Classic Device drop down controls have reversed the devices under test shown in the previous image Figure 3 3 Example BPA 600 roleless Connection Switching DU...

Page 26: ...to save the configuration if you made changes but did not begin sniffing All settings are saved automatically when you start sniffing Help button opens the help file Grayed out icons are inactive and...

Page 27: ...e of other functions on the dialog that you need to understand Advanced Click here to see the BPA 600 Advanced Classic Settings Channel Map Classic Bluetooth The Channel Map shows which channels are a...

Page 28: ...e also reset whenever a new Channel Map goes into effect Note Channel Map is not available for LE Only Status Window A status window at the bottom of the dialog displays information about recent activ...

Page 29: ...y simply click the red button to start The analyzer will capture packets from the first Master that makes a connection To capture the advertising traffic and the connection s you must specify a device...

Page 30: ...device that wants to establish an encrypted connection to that slave in the future Thus the long term key is transmitted over the air albeit encrypted with a one time key derived during the pairing p...

Page 31: ...er Test Classic Only Single Connection Specifying the Bluetooth Device Address BD_ADDR Select the Bluetooth device address BD_ADDR form the Classic Device drop down list or from the Device Database Yo...

Page 32: ...When you select a method a note appears at the bottom of the dialog reminding you what you need to do to successfully complete the dialog l The first and second options use a PIN Code to generate the...

Page 33: ...he devices are in the Secure Simple Pairing SSP Debug Mode SSP is automatically supported regardless of encryption configuration o If any one of the Bluetooth devices is in SSP Debug Mode then the BPA...

Page 34: ...to know the Bluetooth Device Address BD_ADDR for each device but it does not need to know which is master or slave for the Classic Bluetooth connection ComProbe analyzser can figure that out for you...

Page 35: ...te the Link Key The devices generate link Keys during the Pairing Process based on a PIN Code The second Link Key generated from this process is also based on a random number so the security cannot be...

Page 36: ...and used to derive a fresh encryption key each time the devices go encrypted There are a few differences though In Classic the Link key is derived from inputs from both devices and is calculated in th...

Page 37: ...One of two pieces of data allow alternative pairing 1 PIN is a six digit or less if leading zeros are omitted decimal number 2 Out of Band OOB data is a 16 digit hexadecimal code which the devices exc...

Page 38: ...but it does not need to know which is master or slave as the ComProbe analyzer can figure that out for you through roleless connection You can also manually specify the Bluetooth Device Address Select...

Page 39: ...mpromised If the analyzer is given the PIN Code it can determine the Link Key using the same algorithm Since the analyzer also needs the random number the analyzer must catch the entire Pairing Proces...

Page 40: ...t Link Key for encryption than is used during normal Bluetooth device operation Debug Mode is activated in the Host Controller to allow for data analysis Once the analysis is complete Debug Mode can b...

Page 41: ...x78 0x9a 0xbc LSB MSB BYTE abytAddressDevice2 sizeAddressDevice 0x21 0x43 0x65 0x87 0xa9 0xcb BYTE abytLinkKey EncryptionKeySize 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0xff 0...

Page 42: ...riendly name of the device Services An attribute of the Class of Device COD such as Networking Rendering Audio etc Data provided from devices supporting Extended Inquiry Response EIR during discovery...

Page 43: ...n discovered or entered by the user These devices are also listed in the Device Database but this dataabase list contains additional information specific only to Bluetooth low energy technology Figure...

Page 44: ...Editing IRK Field When editing the BD_Addr Type field Tab to toggle appears Press the keyboard Tab key until your selected device address type appears LE Device Database Fields In the LE Device Databa...

Page 45: ...isplayed in the text window is the serial number of the connected BPA 600 devices To update the device list click Refresh Device List l If you want to load the latest ComProbe BPA 600 hardware firmwar...

Page 46: ...option some frames may be dropped but establishing the decryption key will be more efficient l Sniffer Diagnostics When this is checked some diagnostic data from the ComProbe are captured and stored...

Page 47: ...The Advance Classic Settings dialog will close 3 In the Devices Under Test tab click on Classic Only Single Connection 4 In the Classic Device drop down lists select the address of the devices to be...

Page 48: ...nd frame then the decode for the response may be incomplete The Set Initial Decoder Parameters window allows you to supply the context for any frame The dialog allows you to define any number of param...

Page 49: ...Initial Decoder Parameters window takes effect from the beginning of the capture onward or until redefined in the Set Subsequent Decoder Parameters dialog Override Existing Parameters The Set Subseque...

Page 50: ...e the selected decode parameter override l The Remove All button will remove all decoder overrides If you do not have decoders loaded that require parameters the menu item does not appear and you don...

Page 51: ...ecoder Parameters window to apply the template and close the dialog Save Changes to a Template This procedure saves changes to parameters in an existing template 1 After making changes to parameter se...

Page 52: ...the detail level of decoding using the Set Initial Decoder Parameters window Note By default the decoder decodes only the header fields of the frame 1 Select Set Initial Decoder Parameters from the Op...

Page 53: ...P Recovery o Raw Data Adding Deleting and Saving AVDTP Parameters 1 From the Set Initial Decoder Parameters window click on the AVDTP tab 2 Set or select the AVDTP decoder parameters 3 Click on the AD...

Page 54: ...the capture session may help you decide how to respond to the request for decoding information If you are not sure of the payload carried by the subject frame look at the raw data shown data in the De...

Page 55: ...VDTP configuration information may not be transferred over the air we give users the ability to choose between the four AVDTP channel types for each L2CAP channel carrying AVDTP as well as codec type...

Page 56: ...ote If the capture has no user defined overrides then the system displays a dialog stating that no user defined overrides exist 3 2 4 L2CAP Decoder Parameters 3 2 4 1 About L2CAP Decoder Parameters Ea...

Page 57: ...l SDP l RFCOMM l TCS l LPMP l BNEP l HCRP Control l HCRP Data l HID l AVCTP l AVDTP l CMTP l MCAP Control l IEEE P11073 20601 l Raw Data Adding Deleting and Saving L2CAP Parameters 1 From the Set Ini...

Page 58: ...the needed changes Refer to 3 Change the L2CAP parameter by selecting from the rule to change and click on the listed parameters 4 If you wish to remove an overridden rule click on Remove Override bu...

Page 59: ...he Set Initial Decoder Parameters window click on the RFCOMMtab 2 Set or select the RFCOMMdecoder parameters 3 Click on the ADD button The Initial Connection window displays the added parameters Figur...

Page 60: ...ollowing the one in question The data may not be recognizable to the analyzer at the current point due to connection setup but might be discovered later on in the capture 3 2 5 3 RFCOMM Override Decod...

Page 61: ...ges to the MeshOptions ini file For Bluetooth technology using mesh networking Name Enter as Description Technology Identifier mesh Identifies the beginning of a set of mesh keys Friendly Name string...

Page 62: ...separated Name the network name passphrase the network key If not present a key is not necessary Table 3 8 CSRmesh Key Set Format The following code is an example of CSRmesh decryption key set entry c...

Page 63: ...th low energy ATT Decoder Handle Mapping on page 286 Mesh in the Frame Display In the Frame Display Summary pane Mesh tabs appear for MTP MASP and MCP The CSRMesh MTP tab displays the MASP and MCP pro...

Page 64: ...der pane inset with the Network Info passphrase and network key and network name shown The network name appears in the Network column of the Summary pane Figure 3 35 CSRMesh MCP tab with Decoder pane...

Page 65: ...tected Error l The term Most is used because it excludes Mesh Association Protocol MASP packets MASP packets use a constant Passphrase of 0x00 MASP Figure 3 36 CSRmesh Bad MAC l An error message will...

Page 66: ...ctly connect the Device Under Test DUT to the analyzer s antenna connectors The coaxial cable provides the isolation from the environment through shielding 3 4 1 Classic Bluetooth Transmitter Classes...

Page 67: ...eering judgment is essential to protecting both the Frontline low energy protocol analyzer and the devices under test from power levels that could cause damage The procedures contained here are genera...

Page 68: ...Each coaxial cable going to a ComProbe analyzer antenna connector carries 14 dBm 25 mW l If DUT1 or DUT2 is a Class 2 device 8 dBm 6 25 mW will reach each ComProbe analyzer antenna connector If they...

Page 69: ...capture of the data with the Frontline protocol analyzer 4 Conduct protocol analysis with the Frontline software on the personal computer or save the capture file for future analysis TELEDYNE LECROY...

Page 70: ...th by 20 dB by each 10 to 1 increase in range In the real world the effects of objects in an outdoor environment cause reflection diffraction and scattering resulting in greater signal losses Indoors...

Page 71: ...Frontline hardware and the DUTs because they cause a reduction in signal strength Obstructions include but are not limited to water bottles coffee cups computers computer screens computer speakers an...

Page 72: ...es is not optimum because normally only one device is sending data to the other It is recommended that the Frontline hardware be positioned closer to the device receiving data so that Frontline better...

Page 73: ...iring process between the devices Only if you are using Classic or Classic low energy Low energy by itself does not require that devices be paired As data is being captured the Capture Status message...

Page 74: ...rt Capture icon again to resume capture Stopping capture means no data will be added to the capture file until capture is resumed but the previously captured date remains in the file l To clear captur...

Page 75: ...e synchronized Four links result when each BPA 600 analyzer is configured for Classic Only Multiple Connections with two links per BPA 600 device When configured for synchronization through ProbeSync...

Page 76: ...ly synchronize communications stream and to display resulting packets in a single shared view The ComProbe BPA 600 ComProbe 802 11 and ComProbe HSU analyzers have ProbeSync capability allowing timesta...

Page 77: ...T an error message will appear Follow the instructions in error message To continue click on the OK button The ComProbe device datasource Status window will also display a warning message suggesting i...

Page 78: ...Inquire Response EIR displays extensive information about the Bluetooth devices that are discovered as data is being captured EIR provides more information during the inquiry procedure to allow better...

Page 79: ...on page 72 1 If you select a custom stack i e one that was defined by a user and not included with the analyzer the Remove Selected Item From List button becomes active 2 Click the Remove Selected It...

Page 80: ...ck it or select it and click the left arrow button 4 If you need to change the order of the protocols in the stack select the protocol you want to move and click on the Move Up and Move Down buttons u...

Page 81: ...the Protocol Stack Wizard 1 Load your capture file by choosing Open from the File menu on the Control window and select the file to load 2 Select the protocol stack by choosing Protocol Stack from th...

Page 82: ...using those channel IDs it can look them up in its table and know what the next protocol is In order for the analyzer to be able to auto traverse using a dynamically assigned PSM it has to have seen t...

Page 83: ...ons menu 3 This option brings up a dialog showing all the places where context data was overridden 4 If you know that information is missing you can t provide it and you don t want to see dialogs aski...

Page 84: ...ery protocol Click here for an explanation of the symbols next to the frame numbers l Decode Pane The Decode Pane displays a detailed decode of the highlighted frame Fields selected in the Decode Pane...

Page 85: ...the Bluetooth low energy group Select the Unfiltered tab to display all packets There are several special tabs that appear in the Summary Pane when certain conditions are met These tabs appear only i...

Page 86: ...display Event Display Brings the Event Display window to the front Show Message Sequence Chart Message Sequence Chart MSC displays information about the messages passed between protocol layers Duplica...

Page 87: ...rt System Opens Bluetooth Expert System window Audio Expert System Opens Audio Expert System Window Reload Decoders When Reload Decoders is clicked the plug ins are reset and received frames are re de...

Page 88: ...buffer Next Frame Moves to the next frame in the buffer Last Frame Moves to the last frame in the buffer Find on Frame Display only searches the Decode Pane for a value you enter in the text box Find...

Page 89: ...of selected highlighted frames and the total number of selected frames in parentheses l Total Frames The total number of frames in the capture buffer or capture file in real time l Frames Filtered In...

Page 90: ...ys 0x03 4 3 1 5 Sorting Frames By default frames are sorted in ascending numerical sequence by frame number Click on a column header in the Summary pane to sort the frames by that column For example t...

Page 91: ...elected The next occurrence of the value if it is found will be highlighted in the Decode Pane 4 Select Find Previous Occurrence or Find Next Occurrence to continue the search There are several import...

Page 92: ...splay is synchronized with the Event Display Click on a frame in the Frame Display and the corresponding bytes is highlighted in the Event Display Each Frame Display has its own Event Display As an ex...

Page 93: ...ay have to stop filtering until the data is captured 4 3 1 9 Working with Panes on Frame Display When the Frame Display first opens all panes are displayed except the Event pane To view all the panes...

Page 94: ...the Summary pane Filtered out frames are not exported l Selected Frames export is the same as All Frames export except that only frames selected in the Summary pane will be exported Figure 4 18 Byte E...

Page 95: ...cluded for each frame depends on the protocol selected in the summary layer box located directly below the main toolbar On a two channel circuit the background color of the one line summary indicates...

Page 96: ...tooth low energy green 802 11 orange USB purple and SD brown The General group applies to all technologies The other groups are technology specific Figure 4 21 Example Protocol Tags l Clicking on a pr...

Page 97: ...ish the two devices master and slave packets by their content just by the packet timing In those cases we label each device as side 1 or 2 not as master or slave In each connection event packets sent...

Page 98: ...ment it is also possible that the sniffer does not capture packets in the middle of a connection event If this occurs and the sniffer cannot determine the side for the remaining packets in that connec...

Page 99: ...Column or Show Delta Column Follow the same procedure to display the columns again Moving Columns Changing Column Order To move a column 1 Click and hold on the column header 2 Drag the mouse over th...

Page 100: ...xpand a layer The plus sign changes to a minus sign Click on the minus sign to collapse a layer Select Show All or Show Layers from the Format menu to expand or collapse all the layers Layers retain t...

Page 101: ...pane displays the logical bytes rather than the physical bytes the data in the Character pane may be different from that in the Event pane See Physical vs Logical Byte Display for more information Col...

Page 102: ...ext in the Binary Radix or Character panes in Frame Display the text is displayed with a highlight color You can change the color of the highlight 1 Select Change Text Highlight Color from the Options...

Page 103: ...nge and return to Frame Display Select Cancel to discard any selection Select Defaults to return the highlight colors to the default settings Figure 4 23 Frame Display Protocol Layer Color Selector 4...

Page 104: ...ee special purpose filters that are treated as protocol filters l All Frames with Errors l All Frames with Bookmarks l All Special Information Nodes Named Filters l Named filters test for anything oth...

Page 105: ...list 4 Set the parameters for the selected condition in the fields provided The fields that appear in the dialog box are dependent upon the previous selection Continue to enter the requested parameter...

Page 106: ...en you create a Name Filter it appears in the Quick Filtering dialog where you can use it do customize the data you see in the Frame Display panes 1 Select a frame in the Frame Display Summary Pane 2...

Page 107: ...e dialog box and repeat steps 4 and 5 for the next condition Use the up and down arrow icons on the left side of the dialog box to order your conditions and the delete button to delete conditions from...

Page 108: ...frames where the top node address is the source and the double arrow filters on all frames where the top node address is either the source or the destination 6 If you want to filter on just one node a...

Page 109: ...from the combo box 3 Click the Hide button The Hide button is only showing if the selected filter is currently showing in the Frame Display 4 Click OK The Hide Show Filters dialog box closes and the s...

Page 110: ...arameters the Set Condition dialog box may display additional fields that were not present in the original filter In the event this occurs continue to enter the requested parameters in the fields prov...

Page 111: ...ed Condition dialog Ensure that the filter name is displayed in the text box at the top of the dialog and click OK If you choose to create an additional filter then provide a new name for the filter c...

Page 112: ...the ComProbe software assigns to identify a pair of devices in a BR EDR connection In the Frame Display details pane the Baseband layer contains the link ID field if the field s value is not 0 An Acc...

Page 113: ...ering out any other technology frames l HCI o All will filter in all HCI frames You are in effect filtering out any other technology frames Figure 4 31 Connection Filter from the Frame Display Menu Fr...

Page 114: ...a Classic Bluetooth link or a Bluetooth low energy access address an additional pop up menu item will appear as shown in the example image below This selection is a predetermined filter based on your...

Page 115: ...The original Frame Display will remain open and can be minimized Note The system currently limits the number of frame displays to 5 This limit includes any Frame Displays opened using Duplicate View...

Page 116: ...he filtered display there are four low energy protocol tabs as compared to nine in the original display This access address connection is not using five of the protocols From any open Frame display th...

Page 117: ...tion Filter selecting All 802 11 frames front 4 3 1 13 3 Protocol Filtering from the Frame Display 4 3 1 13 3 1 Quick Filtering on a Protocol Layer On the Frame Display click the Quick Filtering icon...

Page 118: ...n the right is the Named Filters It contains filters that you create using the Named Filter and Set Condition dialogs When you select the checkbox for the Name Filters a tab appears on the Summary Pan...

Page 119: ...st and 14 being strongest The BPA 600 firmware uses the built in radio firmware features to calculate the Signal Strength value of the signal received at the ComProbe hardware This calculated value is...

Page 120: ...time segments flow left to right and down following a complete row across Then you move down to the next row go across then down to the next row just like reading a book upper left corner to lower rig...

Page 121: ...cket on wire reference rectangle light solid lines This indicates the packet in the air with a max payload l A max actual payload reference rectangle dark solid lines This indicates a max payload as w...

Page 122: ...es is 1 3 of the total height l The part of the max packet on wire reference rectangle light solid lines that trails the max actual payload reference rectangle dark solid lines is partly packet in the...

Page 123: ...device X X Duration X Size in bytes X X Size as a percent of max size for that packet type X X Speed X Status X X Table 4 5 Packet Information Presentation 4 3 2 2 Bluetooth Timeline Packet Navigation...

Page 124: ...key goes to the next packet The Ctrl left arrow key goes to the previous error packet The Ctrl right arrow key goes to the next error packet 4 3 2 3 Bluetooth Timeline Toolbar The toolbarbar contains...

Page 125: ...enu Selection Description File Reset Resets Timeline to display beginning at current frame Available only in Live mode Exit Closes the timeline window Table 4 6 Bluetooth Timeline Menus TELEDYNE LECRO...

Page 126: ...point where the tool is clicked Selection Tool 12 Slots 3x4 Display 12 timeline slots arranged in row x time slots that is three row with 4 time slots 36 Slots 6x6 Displays 36 slots 144 Slots 12x12 D...

Page 127: ...Error Packet Goes to the first error packet following the current selection If there are no error packets available this item is not active Keyboard Shortcut Ctrl Right Arrow Toggle Display Lock Avai...

Page 128: ...g the Show slave LT_ADDR checkbox shows all existing slave device sub rows with numbered labels some or all of S1 S2 S7 l Bluetooth Clock The Bluetooth clock of the first slot in each row is shown und...

Page 129: ...by right clicking on the Timeline window A couple of things to remember about Zooming l Zoom tools accessed using the right click menu allow you to maintain the current position on the screen and prec...

Page 130: ...l 1 second throughput is not an average It is simply the total payload over the most recent one second of duration Since it s not an average it behaves differently than average throughput In particul...

Page 131: ...t can be moved by clicking elsewhere in the graph or by dragging Whenever it is moved the timeline scrolls to match When the slot range in the timeline changes the view port moves and resizes as neces...

Page 132: ...Select a location where you want to save the file Note In live mode default path name is C Users Public Public Documents Frontline Test Equipment My Log Files PayloadThroughputOverTime csv In view mod...

Page 133: ...Discontinuities The following figure depicts a discontinuity between two packets Figure 4 41 Bluetooth Timeline Packet Discontinuity cross hatched area To keep the timeline and the throughput graph m...

Page 134: ...ooth clock such as HCI won t be shown Figure 4 42 Missing packets message in timeline pane 4 3 3 low energy Timeline The Bluetooth low energy Timeline displays packet information with an emphasis on t...

Page 135: ...oughput packets that have a CRC error are excluded 4 3 3 1 low energy Timeline Toolbar The toolbar contains the following Icon Description Lock The Lock button only appears in live mode and is automat...

Page 136: ...imeline display This does not affect the data in Frame Display Resetting the display may be useful when the most recent throughput values are of interest Table 4 7 Bluetooth low energy Timeline Toolba...

Page 137: ...5 ms segment with 100 markers 437 5 ms 1x350 Displays one 437 5 ms segment with 350 markers 1 875 s 1x1500 Displays one 1 875 s segment with 1500 markers 3 75 s 1x3000 Displays one 3 75 ms segment wit...

Page 138: ...1800 1 25 ms time intervals 60x30 60 segments 30 markers per segment 2 7225 s 2178 1 25 ms time intervals 66x33 66 segments 33 markers per segment 3 24 s 2592 1 25 ms time intervals 72x36 72 segments...

Page 139: ...Previous Error Packet Goes to the first error packet prior to the current selection If there are no error packets available this item is not active Keyboard Shortcut Ctrl Left Arrow Next Error Packet...

Page 140: ...displays the maximum throughput seen so far l A horizontal bar indicates percentage of max seen up to that point and text gives the actual throughput 4 3 3 6 Average and 1 Second Payload Throughput T...

Page 141: ...put You may want to include Message Integrity Checks in your throughput even though MIC is not application data MICs are transmitted and you may want to included in the throughput as a measure of how...

Page 142: ...packets within a specific period of time Time is shown as one or more contiguous segments Within each segment are one or more source access address or radio rows Figure 4 46 Bluetoothlow energy Timeli...

Page 143: ...the segments are contiguous in multiple segment displays the rows in each segment are identical In the following diagram we see a three segment display showing the timeline flow Figure 4 47 Diagram of...

Page 144: ...on l The Timeline and Frame Display are synchronized so the packet range selected by the user in one is automatically selected in the other For the selected packet range the Timeline shows various dur...

Page 145: ...d to the beginning or end of any packet by right clicking on a packet and selecting Align Time Marker to Beginning of Packet or Align Time Marker to End of Packet All other markers will shift relative...

Page 146: ...nings of the first and last packets selected o Span Duration between the beginning of the first selected packet and the end of the last selected packet Figure 4 54 Bluetooth le Timeline Packet Info Li...

Page 147: ...shed line in the throughput graph When the timestamp delta is greater than 4 01 seconds the discontinuity is a cosmetic convenience that avoids excessive empty space When the timestamp delta is negati...

Page 148: ...l subsequent selected next packets will appear on the right of the bottom segment l Multiple packets are selected either by dragging the mouse or by holding down the shift key while navigating or clic...

Page 149: ...Contiguous time segment x n where x is 1 2 3 segment and n is the total number of segments For example Contiguous time segment 2 3 4 3 3 15 Zoom menu Figure 4 56 low energy Timeline Zoom menu TELEDYN...

Page 150: ...ph in 1 segment with 27 markers The scroll bar at the bottom of the segment will scroll the throughput graph view port 4 3 3 17 Multiple Segments Zoom Menu Multiple Segment Each selection defines the...

Page 151: ...n one view You access the Coexistence View by clicking its button in the Control window or Frame Display toolbars or Coexistence View from the View menus Figure 4 57 Coexistence View Window 4 3 4 1 Co...

Page 152: ...or Throughput Indicators When checked all captured packets are used for average throughput calculations and all packets in the last one second of the capture session are used for the 1 sec throughput...

Page 153: ...HZ Timelines When checked the 2 4 GHz Timeline and the 5GHZ Timeline is visible Performs the same function as the Timeline Both radio button Show Timelines Which Have or Had Packets Auto Mode When che...

Page 154: ...ot checked the y axis scales are unfroozen Performs the same function as the Unfreeze Y button which appears with the Zoomed Throughput Graph See on page 157 Show Tooltips in Upper Left Corner of Scre...

Page 155: ...wport and the Timeline to a fixed time duration 300 usec 625 usec 1 Bluetooth slot 1 25 msec 2 Bluetooth slots 1 875 msec 3 Bluetooth slots 2 5 msec 4 Bluetooth slots 3 125 msec 5 Bluetooth slots 6 25...

Page 156: ...imeline Performs the same function as the Previous Retransmitted Packet button Next Retransmitted Packet When clicked selects the next retransmitted packet from the current selection and displays it i...

Page 157: ...egend Refer to on page 161 Performs the same functions as the Next Legend Packet button Last Legend Packet When clicked selects the last legend packet in the session and displays it in the Timeline Th...

Page 158: ...elected in the legend Move to the previous packet of the type selected in the legend Move to the next packet of the type selected in the legend Move to the last packet of the type selected in the lege...

Page 159: ...luded packets divided by the duration of the included packets where l Packet size is used if the Packet or Both radio button is selected in the Throughput group l Payload size is used if the Payload r...

Page 160: ...re used for average throughput and packets in the 1 second duration ending at the end of the last selected packet are used for 1 second except that Bluetooth low energy packets from non configured dev...

Page 161: ...throughput indicators show a plus sign when the indicator width is exceeded Figure 4 63 A single selected packet Click here to see a video on how the Throughput is calculated 4 3 4 10 Coexistence Vie...

Page 162: ...3 4 12 Excluded packets Retransmitted packets and bad packets packets with CRC or Header errors are excluded from throughput calculations 4 3 4 13 Tooltips Placing the mouse pointer on a data point s...

Page 163: ...re than 4 01 s is called a positive discontinuity and is shown in black A positive discontinuity is a cosmetic nicety to avoid lots of empty space A negative discontinuity is an error Figure 4 67 A ne...

Page 164: ...techniques See the Zooming subsection in the Timeline section for a complete list 4 3 4 16 Swap button The Throughput Graph and Timeline can be made to trade positions by clicking the Swap button Clic...

Page 165: ...on Display 4 3 4 18 Zoomed Throughput Graph Clicking the Show Zoom button displays the Zoomed Throughput Graph above the Throughput Graph The Zoomed Throughput Graph shows the details of the throughpu...

Page 166: ...to compare different time ranges or durations Clicking the Freeze Y button freezes the y axis scales and makes it possible to compare all time ranges and durations the name of the button changes to Un...

Page 167: ...ound the point in time where the zoom cursor is positioned When the zoom cursor is outside the Timelines and the Zoomed Throughput Graph the left edge of those displays is the zoom point 4 3 4 20 Comp...

Page 168: ...timelines All source MAC addresses that have been seen during this session are listed in the dialog that appears when the Set button is clicked Also listed is the last source MAC address that was set...

Page 169: ...Auto button shows only timelines which have had packets at some point during this session If no packets have been received at all and the Auto button is selected the 2 4 GHz timeline is shown 4 3 4 24...

Page 170: ...Click here to see a Coexistence View Timeline video Figure 4 79 Coexistence View Timelines The Timelines show Classic Bluetooth Bluetooth low energy and 802 11 packets by channel and time 4 3 4 27 Pa...

Page 171: ...ws a selection box around it as shown above and highlights the applicable entries in the legend Figure 4 81 Highlighted entries in the legend for a selected packet Summary information for a selected p...

Page 172: ...ogy that gives detailed information Figure 4 85 A tool tip for a Classic Bluetooth packet 4 3 4 28 Relocating the tool tip You can relocate the tool tip for convenience or to see the timeline or throu...

Page 173: ...e tool tip adjacent to the packets deselect the tool tip format option in the menu Figure 4 86 Coexistence View Format Menu Show Tooltips on Computer Screen TELEDYNE LECROY Chapter 4 Capturing and Ana...

Page 174: ...s available for viewing one for the 5 GHz range and one for the 2 4 GHz range Classic Bluetooth and Bluetooth low energy occur only in the 2 4 GHz range 802 11 can occur in both Figure 4 88 5 GHz and...

Page 175: ...viewport in the Throughput Graph as it must since the viewport defines the time range used by the timelines When no packets are in the time range each of the two packet numbers is drawn with an arrow...

Page 176: ...s indicated in the Selected Packets text in the timeline header 7 Select the Custom Zoom menu item This is the zoom level from the most recent drag of a viewport side selection of Zoom to Data Point P...

Page 177: ...shown followed by rel When there are no discontinuities relative and absolute time are the same and a single value is shown Figure 4 94 Timeline header with discontinuity Figure 4 95 Timeline duratio...

Page 178: ...luetooth packets have a blue frequency box and a two tone tool tip 4 3 4 34 Coexistence View No Packets Displayed with Missing Channel Numbers Note This topic applies only to Classic Bluetooth Capture...

Page 179: ...e View is essentially the Viewport from the standard Coexistence View When viewing High Speed Live only 802 11 traffic is visible Because Bluetooth packets are slow they are not visible in High Speed...

Page 180: ...3 5 Message Sequence Chart MSC The Message Sequence Chart MSC displays information about the messages passed between protocol layers MSC displays a concise overview of a Blutetooth connection highligh...

Page 181: ...ur icons that you use to zoom in and out of the display vertically and horizontally The same controls are available under the View menu There are three navigation icons also on the toolbar This takes...

Page 182: ...ed The information in the colored boxes displays general information about the messaging The same is true for each one of the protocols If you want to see the all the messaging in one dialog you selec...

Page 183: ...nd the right side of the dialog to move vertically and horizontally You can also click and hold while moving the pointer within dialog that brings up a directional arrow that you can use to move left...

Page 184: ...s for each layer are shown in a different background color Figure 4 104 Packet Layers Shown in Different Colors If you right click within the Ctrl Summary you can select Show in MSC Figure 4 105 Right...

Page 185: ...nd Time l Hide both Frame and Time 4 3 5 1 Message Sequence Chart Toolbar Figure 4 108 Message Sequence Chart Toolbar Tool Keyboard Description Ctrl H Zoom in horizontal expands the chart horizontal v...

Page 186: ...e other state Ctrl W Print display preview Ctrl P Print the display Ctrl C Cancel an in process print Table 4 14 Message Sequence Chart Tools continued 4 3 5 2 Message Sequence Chart Search The Messag...

Page 187: ...instance of the search value you see this following dialog Once you have set the search value you can 1 use the Search Previous and Search Next buttons or 2 F2 and F4 to move to the next or previous...

Page 188: ...ayer then OK the first error for that layer will be displayed If no error is found a dialog will announce that event 4 3 5 5 Message Sequence Chart Printing There are three standard MSC print buttons...

Page 189: ...utput the data that is currently being displayed Cancel Printing Cancels the current printing Zoom In Horizontially Expands the data horizontally so it can be easier to read Zoom Out Horizontally Sque...

Page 190: ...rrors occur careful analysis of the statistics indicate whether the two devices under test are experiencing trouble communicating or the packet sniffer is having difficulty listening Generally if the...

Page 191: ...ow energy PER Stats Window 4 4 1 Packet Error Rate Channels Classic and low energy The main portion of the PER Stats dialog displays the 79 individual channels 0 78 for Classic Bluetooth 40 individual...

Page 192: ...assic Bluetooth Each channel contains a bar that displays the number of packets with no errors in green packets with Header Errors in red packets with Payload or CRC errors in dark red and Retransmitt...

Page 193: ...anges the size of the entire dialog l c changes the contrast of the dialog l The Reset button is only available in live mode The button will appear in the lower right hand corner of the Channels secti...

Page 194: ...gend The Legend displays color coded information about the channel selected Classic Bluetooth Bluetooth low energy For Classic Bluetooth l The number of Packets with No Errors and percentage of packet...

Page 195: ...ifferent values When the Snap Arrow is orange the values for channels in the main chart are shown in relative terms in Snap Mode This means that one channel or channels with the greatest value is snap...

Page 196: ...Bar displays stats for all packets divided into equal time intervals Figure 4 117 PER Stats Scroll Bar l Captured data begins to appear on the left and fills the width of the bar left to right l The v...

Page 197: ...de that bar l The Home key moves the Viewport to the left edge l The End key moves the Viewport to the right edge l Pressing the left arrow button the left arrow key or the up arrow key moves the View...

Page 198: ...mbers are excluded because the graphs are channel specific Before packets are captured the Scroll Bar in Classic Bluetooth PER Stats contains the message ID packets and packets without a channel numbe...

Page 199: ...ost events suggests the best starting point The expert system works in conjunction with Frontline software that is operating in live capture mode or in capture file viewer mode Selecting an event in t...

Page 200: ...able Bit Rate and Specified Bit rate Audio Analysis not supported Although user will be able to play back the audio live Supported Parameters for aptX l Object Types aptX classic aptX LL both content...

Page 201: ...he system can perform without reporting too many false positive results l Volume Level Low Volume or High Volume Reported if the average volume level is not in a range conducive to performing meaningf...

Page 202: ...ample Files delivered with your latest Frontline software version may have changed Contact Frontline Technical Support for information on the latest reference file versions The test files have a set o...

Page 203: ...ng for comparison to the sniffed Reference Audio parameters of frequency amplitude duration etc Below is a sample script table and the resulting sample Reference Audio wav file The generated wav file...

Page 204: ...d with the Frontline software on the Source device Then connect the Bluetooth enabled devices and play the music file from one device to the other The software will automatically detect the mode and p...

Page 205: ...dio Expert Test Files Note Reference test files are periodically updated Shown here is an example Files delivered with your latest Frontline software version may have changed Contact Teledyne LeCroy T...

Page 206: ...age above is a graphic of the overall envelope of the Reference Audio test file Test_1 02_ 44 1kHz_16Bit wav Test 1 02 is a test file that enables a wide range of tests that includes a number amplitud...

Page 207: ...ively which are 100 ms in duration and are separated by 1 kHz digit delimiters of 50 ms duration The final tone is a 100 ms segment at 400 Hz defined as a Test ID Terminator Note that since the levels...

Page 208: ...for active A2DP Streaming interval A2DP Error Bitpool value does not match configured bitpool range A2DP Error Attempt to suspend inactive stream A2DP Error Configuration attempt using unsupported CO...

Page 209: ...ion SBC Error Incorrect Configuration Detected SBC Codec detected a change in audio parameters SBC Error Lost Sync SBC Codec expected to find synch word 0x9C instead found 0x typically due to corrupte...

Page 210: ...initialized due to a setting change AAC Error Unframed stream error A frame error was detected for an unframed stream The codec is being reset in order to continue processing AAC Error Transport not...

Page 211: ...Warn the user that the volume level of the detected audio is above the best range for performing meaningful audio analysis i e above a level where the audio will likely become distorted Alarm is activ...

Page 212: ...ation Lost Generated when after a successful TestID recognition the system encounters unexpected frequencies or durations of audio segments while analyzing a received Reference Audio file If this situ...

Page 213: ...equency arrives either before or after that programmed duration then the change is by definition unexpected This type of audio impairment can be caused by lost or corrupted data repeated data faulty p...

Page 214: ...cess Noise event is reported when energy sufficiently above the Silence Threshold is detected during programmed segments of silence Excess noise can indicate a poor analog audio chain with an inherent...

Page 215: ...nt Consecutive Samples Sample Rate Samples sec Resolution bits 3 8000 16 5 16000 16 11 41000 16 2 64000 16 12 48000 16 24 96000 16 Table 4 25 Clipping Event Thresholds Consecutive Samples Sample Rate...

Page 216: ...This window is the working space for the Audio Expert System Upon opening Audio Expert System the window shown below will open with four main areas displayed l Global Toolbar Provides play cursor cont...

Page 217: ...olbar Wave Panel Event Timeline and Event Table in more detail 4 5 5 1 Global Toolbar Click here to see an introduction video The global toolbar provides audio play controls audio play cursor position...

Page 218: ...e the Global Toolbar Mute for that panel only Volume Down Decreases the audio playback volume of all Wave Panels based on the current volume level setting for each individual Wave Panel Volume Down De...

Page 219: ...o events synchronized to the captured waveform Figure 4 124 Wave Panel The Wave Panel contains four sections 1 Audio Stream Info that provides users with information such as sample rate bit sample cod...

Page 220: ...or stereophonic Bits Sample Displays the number of bits per sample of the audio data Bluetooth DUT1 Bluetooth address of one device in the connection Can be either sending or receiving the audio data...

Page 221: ...t System Global Toolbar The Wave Panel mute is a local control only However the Global Toolbar mute control will set the Stream Panel s Local Controls mute Vertical Zoom Each Wave Panel contains local...

Page 222: ...edge of the Wave Panel The waveform s amplitude can be linear or in decibels The linear range is 1 0 to 1 0 The range for the dB scale is 0 dB for the maximum positive and maximum negative values and...

Page 223: ...egment of interest click and hold then drag over the waveform segment of interest Release the mouse key The selection is surrounded by a blue border Table 4 31 Segment Selection Procedures For either...

Page 224: ...Bluetooth Codec and Audio events related to the waveform being viewed The events are synchronized in time to the waveform displayed in the Wave Panel The event severity is displayed as Information Wa...

Page 225: ...on video The Event Table lists all audio stream events Clicking on an event will select that event in the Event Timeline in the Wave Panel If the selected event is outside the visible area of the wave...

Page 226: ...n may be appropriate Error identifies a definite problem Stream Id integer A system generated ID that is assigned in the order that the audio streams are detected The ID is not maintained between capt...

Page 227: ...heck the box will prevent the Event Table from scrolling during live capture Un checking the box will resume scrolling of events as they are detected When analyzing a capture file the checkbox has no...

Page 228: ...lect all the data between and fills pauses or gaps Select All Selects the entire waveform Table 4 33 Wave Panel Pop up Menu Selections continued Event Table Pop up Menu Actions Right clicking in the E...

Page 229: ...eld in the Export Audio Data window Should the file name need to be changed click on the Select button and the Windows Save As dialog will open By default the wav file extension is used in the file na...

Page 230: ...soft Excel or any other Windows csv compatible application First select the events to export Multiple events are selectable by selecting an event then holding the Shift key while clicking on another e...

Page 231: ...or Rate Statistics PER Stats Protocol error events appearing in the Protocol Events pane identify the related Bluetooth specification reference that is likely to point to a solution to the error The e...

Page 232: ...tem by clicking on the Control window button the window shown below will open with four main areas displayed described in the table below Detailed explanations of each window section follow Section De...

Page 233: ...Figure 4 138 Bluetooth Protocol Expert System Window TELEDYNE LECROY Chapter 4 Capturing and Analyzing Data 225 Frontline BPA 600 Hardware Software User Manual...

Page 234: ...with an arrow symbol will expand to show the connected device and the link layer logical transport type 4 6 2 2 Expert System Statistics Pane The Statistics pane contains detailed information about t...

Page 235: ...ed identifier for ACL connections Source CID Channel Identifier for the source device Destination CID Channel Identifier for the destination device Extra Features Mode Transmit MTU Maximum Transmissio...

Page 236: ...law law transparent Handle Active Error Count Device This tab serves the purpose of assigning a unique expert system identification to the devices listed in the Connections pane Id System assigned ide...

Page 237: ...that applies to the Event Text content Time Event timestamp Table 4 38 Protocol Events Pane Fields Any column in the Protocol Events list can be sorted in ascending or descending order Refer to Exper...

Page 238: ...oint on the scroll pane where the mouse was last positioned Top Botton Scrolls the table to thefirst row top or to the last row bottom Page Up Down Up moves the current view bottom row to the top row...

Page 239: ...tive to the selected column sort Refer to the following Statistics pane images for an example Figure 4 141 Sorting Id Ascending Figure 4 142 Sorting Air Mode Ascending Note Id Sort Figure 4 143 Sortin...

Page 240: ...t When capturing data live the analyzer continually updates the Event Display as data is captured Make sure the Lock icon is displayed on the toolbar to prevent the display from updating Clicking on t...

Page 241: ...ange the algorithm and seed value used to calculate CRCs To calculate a CRC select a byte range and the CRC appears in the status lines at the bottom of the Event Display Mixed Sides Serial data only...

Page 242: ...g CRCs or FCSs The cyclic redundancy check CRC is a function on the Event Display window used to produce a checksum The frame check sequence FCS are the extra checksum characters added to a frame to d...

Page 243: ...function is independent on each window This means that you can have two Event Display windows open simultaneously and one window can be locked while the other continues to update 4 7 7 Data Formats an...

Page 244: ...ht click on the data display header labels and choose a different radix Figure 4 147 Header labels right click 2 Or right click anywhere in the data display and select a different radix Figure 4 148 D...

Page 245: ...k mark is displayed Click on Display Sides Together to remove the check mark and return to side by side display 4 Right click in the sides panel on the right of the data display and select Display Sid...

Page 246: ...me inactive i e caused the analyzer to transmit data Events which deactivate flow control are signal changes or the receipt of an XOFF character Frame Recognizer Change A lowest layer protocol was sel...

Page 247: ...e font size on any other window To change the font size 1 Click on Event Display menu Options and select Change the Font Size Figure 4 149 Event Display Options menu 2 Choose a font size from the list...

Page 248: ...adio button to write the streams as Two Mono Files or as One Stereo File Note This option is for SCO eSCO only 5 Select the checkbox if you want to convert A Law and law to Linear PCM CVSD are always...

Page 249: ...nd Audio Extraction Status dialogs appear When the process is complete the dialogs display what files have been created and where they are located Figure 4 152 Data and Audio Extraction Status If you...

Page 250: ...traction Status Then you can rename the file adding a file type to attempt to open the file When you are finished select Close to close the dialogs Chapter 4 Capturing and Analyzing Data TELEDYNE LECR...

Page 251: ...coding data within the ComProbe analyzer produces a wealth of information for analysis This mass of information by itself however is just that a mass of information There has to be ways to manage the...

Page 252: ...a string search on the data in the Decode Pane of the Frame Display window To access the search within decodes function 1 Open a capture file to search 2 Open the Event Display or Frame Display windo...

Page 253: ...search 3 When you have specified the time interval you want to use click on the Find Next or Find Previous buttons to start the search from the current event The result of the search is displayed in...

Page 254: ...ly searches the DTE side first followed by the DCE side Note Side Restriction is available for pattern and error searching 1 Select one of the two options 2 Select DTE DCE or both 3 When you made your...

Page 255: ...pattern 2 Check Ignore Case to do a case insensitive search 3 When you have specified the pattern you want to use click on the Find Next or Find Previous buttons to start the search from the current...

Page 256: ...nd time specified If no event is found at that time the analyzer goes to the nearest event either before or after the selected time based on the Go to the timestamp selection l Relative A relative sea...

Page 257: ...d time 2 When you have specified the time interval you want to use click on the Go To Move Forward or Move Backward buttons to start the search from the current event When you select Absolute as Searc...

Page 258: ...radio button 2 Type the number of the event in the box 3 Click the Go To button 4 To move forward or backwards through the data type in the number of events that you want to move each time 5 Then clic...

Page 259: ...ial Events tab of the Find dialog Note The tabs displayed on the Find dialog depend on the product you are running and the content of the capture file you are viewing Figure 5 8 Find Special Events ta...

Page 260: ...Event Display or Frame Display window 3 Click on the Find icon or choose Find from the Edit menu 4 Click on the Signal tab of the Find dialog Note The tabs displayed on the Find dialog depend on the p...

Page 261: ...and see if any one of those signals changed state at any time o If you want to look at just one control signal n Check the box for the signal n Uncheck all the other boxes n Choose to search for an e...

Page 262: ...one of the four radio buttons to choose the condition that must be met in the search o Select one or more of the checkboxes for Pin 1 2 3 or 4 o Click Find Next to locate the next occurrence of the s...

Page 263: ...Figure 5 10 Find Error tab Chapter 5 Navigating and Searching the Data TELEDYNE LECROY Frontline BPA 600 Hardware Software User Manual 255...

Page 264: ...search for an event where one or more error conditions were off and choose to search only for framing The analyzer searches the file and finds the point at which framing errors stopped occurring Searc...

Page 265: ...ut it really doesn t matter if they did or not choose overrun to be On and set the others to Don t Care The analyzer ignores any other type of error and find events where overrun errors occurred To fi...

Page 266: ...ing Where the Search Lands When doing a search in the analyzer the byte or bytes matching the search criteria are highlighted in the Event Display The first selected byte appears on the third line of...

Page 267: ...ailable to you Once you have created a bookmark you can use the Find function or other navigation methods to locate and move among them 5 2 1 Adding Modifying or Deleting a Bookmark You can add modify...

Page 268: ...he Frame Display and Event Display b Select the Add or Modify Bookmark icon on one of the toolbars or c Right click on the frame event and choosing Modify Bookmark on the selection 3 Click on the Dele...

Page 269: ...o delete a bookmark select it and click the Delete button To modify a bookmark select it and click the Modify button Click Remove All to delete all the bookmarks Chapter 5 Navigating and Searching the...

Page 270: ...ge edit box on the Notes window The Cut Copy Paste features are supported from Edit menu and the toolbar when text is selected Undo and Redo features are all supported from Edit menu and the toolbar a...

Page 271: ...ure File or click on the Open icon on the toolbar 2 Left of the File name text box select from the drop down list Supported File Types box to All Importable File Types or All Supported File Types cfa...

Page 272: ...exported is 1000 frames When Print Preview is selected the output displays in a browser print preview window where the user can select from the standard print options The output file format is in htm...

Page 273: ...ints up to 1000 frames from the buffer Choosing Selection prints only the frames you select in the Frame Display window 6 Selecting the Delete File deletes the temporary html file that was used during...

Page 274: ...lect from the standard print options The output file format is in html and uses the Microsoft Web Browser Control print options for background colors and images see below Print Background Colors Using...

Page 275: ...nnot select All if there are more than 100 000 events in the capture buffer Note See Configure the Print File Range in the Event Display Print Dialog above for an explanation of these selections Figur...

Page 276: ...ay the Windows Save As dialog and navigate to the desired storage location 3 Select a file type from the Save as type drop down List Menu on the Event Display Export dialog Select from among the follo...

Page 277: ...Row but this method contains no timestamps If you select One Event Per Row you can display timestamps multiple events or single events per row Note The raw timestamp value is the number of 100 nanosec...

Page 278: ...uld contain only the DCE data You can also filter out Special Events which is everything that is not a data byte such as control signal changes and Set I O events Non printable characters or both If y...

Page 279: ...stem Settings from the Options menu on the Control window To enable a setting click in the box next to the setting to place a checkmark in the box To disable a setting click in the box to remove the c...

Page 280: ...s the file when it becomes full The oldest events are moved out of the file to make room for new events Any events moved out of the file are lost When disabled the analyzer stops capture when the file...

Page 281: ...ct fundamental aspects of the software and it is unlikely that you ever have to change them If you do change them and need to return them to their original values the default value is listed in parent...

Page 282: ...pturing immediately This is the default setting The analyzer begins monitoring data but does not begin capturing data until clicking the Start Capture icon on the Control Event Display or Frame Displa...

Page 283: ...to a new location Figure 7 5 File Locations Browse dialog 5 Click OK 6 Click OK when finished If a user sets the My Decoders directory such that it is up directory from an installation path multiple i...

Page 284: ...ario however Let s say you have selected Use Last Opened Folder for Capture Files and opened a file from a location other than the default directory All subsequent capture files will be saved to that...

Page 285: ...ss of precise recording in time of packet arrival Timestamps is an optional parameter in the Frame Display and Event Display that can assist in troubleshooting a network link 7 1 4 1 Timestamping Opti...

Page 286: ...n the capture file because more bits are required to store the timestamp Also more timestamps need to be stored than at normal resolutions The second issue is that using high resolution timestamping m...

Page 287: ...ions section at the bottom of the window and find the Number of Digits to Display box 3 Click on the arrows to change the number You can display between 0 and 6 digits to the right of the decimal poin...

Page 288: ...le the window is being updated Some windows require more processing time than others because the information being displayed in them is constantly changing Refrain from displaying data live in the Eve...

Page 289: ...the RFC1761 snoop version 2 format Datalink Type Code Reserved 0 1000 Un encapsulated HCI H1 1001 HCI UART H4 1002 HCI BSCP 1003 HCI Serial H5 1004 Unassigned 1005 4294967295 Table 7 1 Datalink Codes...

Page 290: ...ackets may be lost because of insufficient resources in the capturing system or for other reasons Note some implementations lack the ability to count dropped packets Those implementations may set the...

Page 291: ...bar remain visible while others are hidden The title on the progress bar indicates the process underway 7 2 5 Event Numbering This section provides information about how events are numbered when they...

Page 292: ...o character system abbreviation for each one Some abbreviations have forward slash characters between the two letters This is to differentiate the abbreviations for a control character from a hex numb...

Page 293: ...ne Feed NK NAK Negative Acknowledge NU NUL Null RS RS Record Separator SI SI Shift In SO SO Shift Out SH SOH Start of Heading SX STX Start of Text SB SUB Substitute SY SYN Synchronous Idle US US Unit...

Page 294: ...our own decoders A quick note here Usually the pasted code appears the same as the original in your editor Some editors however change the appearance of the text when it is pasted something to do with...

Page 295: ...A is defined the software will ignore A1 A2 and so on Contacting Frontline Technical Support Technical support is available in several ways The online help system provides answers to many user related...

Page 296: ...TELEDYNE LECROY Chapter 7 General Information 288 Frontline BPA 600 Hardware Software User Manual...

Page 297: ...Appendicies Appendix A Application Notes 290 Frontline BPA 600 Hardware Software User Manual 289...

Page 298: ...ink Key for Classic Decryption 297 A 3 Decrypting Encrypted Bluetooth data with ComProbe BPA 600 303 A 4 Decrypting Encrypted Bluetooth low energy 311 A 5 Bluetooth low energy Security 321 A 6 Bluetoo...

Page 299: ...devices support aptX it is used rather than the default SBC The AES software helps identify audio issues in Bluetooth protocol by highlighting information warnings and errors related to audio data co...

Page 300: ...uetooth connection suitable for transmitting the audio When the Reference Audio was played there were no obvious audio distortions or anomalies heard by the tester The tester used a ComProbe BPA 600 c...

Page 301: ...ails of the GET_CAPABILITIES command are shown in the Figure 3 Figure 3 Frame Display for AVDTP Signaling Frame 2116 At frame 2119 the remote device responds to the GET_CAPABILITIES for SEPID 5 report...

Page 302: ...es 2185 and 2190 are the local request and the remote response to OPEN the audio stream Frames 2823 and 2833 START the audio stream with the local request and the remote response respectively Figure 5...

Page 303: ...ent at Frame 2839 states Unable to process AptX data as extracted It appears that SBC encoded data is being sent over this stream Figure 7 Audio Expert System Error on Frame 2839 Data not aptX A 1 4 C...

Page 304: ...TELEDYNE LECROY Appendicies 296 Frontline BPA 600 Hardware Software User Manual...

Page 305: ...face log that contains the link keys for all active links A 2 1 What You Need to Get the Android Link Key The process applies to the Android 4 4 or later operating system l Android device with Bluetoo...

Page 306: ...n retrieve the HCI log 1 On the Android device go to Settings 2 Select Developer options 3 Click to enable Bluetooth HCI snoop logging 4 Return to the Settings screen and select Developer options 5 In...

Page 307: ...following command adb devices 4 Your Android device should show up in this list confirming that ADB is working List of devices attached XXXXXXXXXXX device 5 In the terminal enter the following comman...

Page 308: ...ng in Decode Check the Ignore Case option Click on Find Next until the Event column shows Link Key Notification Figure 10 Find Dialog In the Frame Display Detail pane expand HCI and HCI Event where th...

Page 309: ...Display Showing Link Key Notification Event with the Link Key Author John Trinkle with Joe Skupniewitz Publish Date 30 September 2014 Appendicies TELEDYNE LECROY Frontline BPA 600 Hardware Software U...

Page 310: ...TELEDYNE LECROY Appendicies 302 Frontline BPA 600 Hardware Software User Manual...

Page 311: ...it must also have this shared link key For obvious security reasons the link key is never sent over the air so either the user must get the key out of one of the devices being sniffed and supply the...

Page 312: ...er the start encryption request in frame 261 In order for the ComProbe software to decrypt an encrypted Bluetooth conversation the ComProbe software must compute the same link key being used by the de...

Page 313: ...of your devices generally by accessing the HCI on one of the devices If that is the case enter the link key into the box provided Note that the link key is sometimes stored in your device in reverse...

Page 314: ...grayed out Click on the toolbar Start Sniffing button The Control window will display a capture status message When you start sniffing the colored arrow be red indicating that the Bluetooth devices ar...

Page 315: ...ge sent from both the master and the slave The message from the device that is in debug mode will show the debug key the other will show the public key Refer to the Frame Display Decode pane in the sc...

Page 316: ...Figure 14 Encapsulated Payload Message from a Bluetooth Device NOT in SSP Debug Mode TELEDYNE LECROY Appendicies 308 Frontline BPA 600 Hardware Software User Manual...

Page 317: ...Author Sean Clinchy Publish Date February 2014 Appendicies TELEDYNE LECROY Frontline BPA 600 Hardware Software User Manual 309...

Page 318: ...TELEDYNE LECROY Appendicies 310 Frontline BPA 600 Hardware Software User Manual...

Page 319: ...hase is to generate the Short Term Key STK used in the third phase to secure key distribution The devices agree on a Temporary Key TK that along with some random numbers creates the STK 3 In this phas...

Page 320: ...A new EDIV is generated each time a new LTK is distributed 5 Random Number RAND 64 bit stored value used to identify the LTK A new RAND is generated each time a unique LTK is distributed Of particular...

Page 321: ...alculate and verify Sconfirm A 4 4 Encrypting the Link The Short Term Key STK is used for encrypting the link the first time the two devices pair STK remains in each device on the link and is not tran...

Page 322: ...ill transmit unencrypted LL_START_ENC_REQ but sets the slave to receive encrypted data using the recently calculated SK The master responds with encrypted LL_START_ENC_RSP that uses the same SK just c...

Page 323: ...layed or entered during device pairing The code is what is used to generate the LTK Under LE Encryption enter the code in the Enter New PIN OOB data text box b Just Works is more of a challenge becaus...

Page 324: ...rame 35 545 would provide the response from the responder Side 2 and would contain similar information Selecting Frame 39 591 will display the Pairing Confirm from the initiator Side 1 in the Decoder...

Page 325: ...e ComProbe sniffing device can also receive and decrypt the encrypted data because the appropriate key is provided in the BPA 600 Datasource window Figure 26 LE LL Tab Encryption Request Frame 39 617...

Page 326: ...this point the session link is encrypted Figure 28 MSC link Layer Encryption BPA 600 low energy capture A 4 7 4 Viewing Decrypted Data In the ComProbe software Frame Display click on the LE BB tab Sea...

Page 327: ...Figure 29 Decrypted Data Example Frame 39 723 Author John Trinkle Publish Date 9 April 2014 Revised 23 May 2014 Appendicies TELEDYNE LECROY Frontline BPA 600 Hardware Software User Manual 319...

Page 328: ...TELEDYNE LECROY Appendicies 320 Frontline BPA 600 Hardware Software User Manual...

Page 329: ...elescopes for viewing the other stations in the link and clocks were used to synchronize the stations By 1803 a communications network extended from Paris across the countryside and into Belgium and I...

Page 330: ...is the means to make the data unintelligible to all but the Bluetooth master and slave devices forming a link Eavesdropping attacks are directed on the over the air transmissions between the Bluetoot...

Page 331: ...ey used to generate the session key for an encrypted connection 4 Encrypted Diversifier EDIV 16 bit stored value used to identify the LTK A new EDIV is generated each time a new LTK is distributed 5 R...

Page 332: ...alculate and verify Sconfirm A 5 4 Encrypting the Link The Short Term Key STK is used for encrypting the link the first time the two devices pair STK remains in each device on the link and is not tran...

Page 333: ...ave the same IRK and generate the same random number is low but not absolute IRK and Bluetooth low energy Privacy Feature Bluetooth low energy has a feature that reduces the ability of an attacker to...

Page 334: ...the middle Mrand 128 bit random number used to generate Mconfirm OOB Out of Band RAND Random Number Sconfirm 128 bit confirmation value from the responder SK Session key SMP Security Manager Protocol...

Page 335: ...tooth mobile phone makers l Virtual sniffing and you Where to go for more information A 6 2 Why HCI Sniffing and Virtual Sniffing are Useful Because the Bluetooth protocol stack is very complex a Blue...

Page 336: ...test In response to these requests Frontline developed SerialBlue the world s first commercially available serial HCI analyzer The response to SerialBlue was very positive When we asked our Bluetooth...

Page 337: ...Live Import Any application can feed data into ComProbe software using Live Import A simple API provides four basic functions and a few other more advanced functions The four basic Live Import functio...

Page 338: ...c is fully decoded and the debug messages are decoded as well The decoder for the debug messages was written using ComProbe software s DecoderScript feature DecoderScript allows ComProbe software user...

Page 339: ...Author Eric Kaplan Publish Date May 2003 Revised December 2013 Appendicies TELEDYNE LECROY Frontline BPA 600 Hardware Software User Manual 331...

Page 340: ......

Page 341: ...ame synchronization 222 operating mode referenced 193 198 test file 194 Wave Panel 211 viewer 214 Auto Sizing Column Widths 90 Automatically Request Missing Decoding Information 74 Automatically Resta...

Page 342: ...t File Locations 274 Character 247 284 Character Pane 93 Character Set 237 283 284 Choosing a Data Capture Method 5 Clear Capture Buffer 271 CN 285 Coexistence View 143 Audio Expert System 223 le Devi...

Page 343: ...ug Mode 25 32 Decimal 236 Decode Pane 92 decoder 286 Decoder Parameters 40 DecoderScript 286 Decodes 40 71 75 81 92 244 decrypt 90 decryption status 90 Default File Locations 274 Delete a Template 43...

Page 344: ...46 248 249 251 254 Find Bookmarks 257 Find Introduction 243 Font Size 239 Frame Display 75 78 81 82 84 85 90 95 Audio Expert System 223 Frame Display Change Text Highlight Color 94 Frame Display Find...

Page 345: ...Find and Go To 178 Message Sequence Chart Go To 179 Minimizing 15 Missing Bluetooth Clock 126 Missing Decode Information 46 51 Mixed Channel Sides 237 Mixed Sides Mode 237 Modem Lead Names 276 Modify...

Page 346: ...rame 73 Reframing 73 Relative Time 248 278 Remove Bookmarks 259 260 Columns 91 Custom Stack 71 Filters 100 101 Framing Markers 73 Reset Panes 85 Resolution 278 Resumed 238 Revealing Protocol Layers 81...

Page 347: ...ing 238 Throughput Displays Throughput_Displays 121 Throughput Graph 123 Timestamp 258 278 Timestamping 258 277 278 Timestamping Disabled 239 Timestamping Enabled 239 Timestamping Options 271 277 Time...

Page 348: ...340 Frontline BPA 600 Hardware Software User Manual Appendicies...

Reviews:

No comments