I am reading data from a device through the serial port. I am using a Max3232 converter RS232 to TTL. The odd thing here is that when I use the read function to retrieve the data received by the UART, it eliminates all the 0x00 bytes.
I have used the same converter to read data from the same device using both Arduino Mega and Raspberry PI 3 B+. With both I can read the 0x00 values.
Reading with Arduino and Raspberry
f7 00 00 15 10 22 00 02 28 02 00 00
f2 16 06 00 00 00 00 67 63 02 45 43
Same readings with Azure Sphere
f7 15 10 22 02 28 02
f2 16 06 67 63 02 45 43
Am I missing some setting?
I have a packet that I have manually created for a SYN/ACK but I get no reply from the server.
This is all wireless/GSM stuff so I cannot use a sniffer.
I have calculated the TCP and the IP header checksums manually a few times and they seem correct but I really need a 3rd party method to be sure.
I had several endian issues but I think I have it right now. But who knows...
I only found an online parser but it does not test/verify the checksums.
Does anyone have an easy idea for me?
Just in case someone has suitable access to a test method, and feels like pasting it in for me, here is the packet:
45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 51 8A B1 13
01 BB 01 BB 00 00 00 0A 00 00 00 00 50 02 00 00 3D D8 00 00
Regards
berntd
I've created a pcap from your hex data using Net::PcapWriter:
use strict;
use warnings;
use Net::PcapWriter;
# Write a single frame to test.pcap; $ip is the raw IPv4 packet from the question.
my $w = Net::PcapWriter->new('test.pcap');
my $ip = pack('H*','4510003C000200006406E81F0AAA6143518AB11301BB01BB0000000A00000000500200003DD80000');
# layer2prefix() prepends an Ethernet header so Wireshark/tcpdump can dissect the file.
$w->packet($w->layer2prefix('1.1.1.1').$ip);
Loading it into Wireshark shows both the IP checksum and the TCP checksum as correct, so it is probably not a problem of the checksum calculation.
But tcpdump says that the length is wrong:
IP truncated-ip - 20 bytes missing! 10.170.97.67.443 > 81.138.177.19.443: Flags [S], seq 10:30, win 0, length 20
This is because you've set the total length in the IP header to 60 bytes (00 3C) but the IP header + TCP header is only 40 bytes in total and your packet does not have any payload, i.e. the total length should be 40 and not 60 bytes.
Here is what I came up with to do it the manual way:
Put the packet into a text file like so:
45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 51 8A B1 13
01 BB 01 BB 00 00 00 0A 00 00 00 00 50 02 00 00 3D D8 00 00
Add address offsets and group into 16-byte lines as in a hex dump:
000000 45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43
000010 51 8A B1 13 01 BB 01 BB 00 00 00 0A 00 00 00 00
000020 50 02 00 00 3D D8 00 00
Save it (source).
Now run text2pcap.exe -e 0x800 source dest
The dest file can now be imported as a PCAP file into wireshark for decoding.
Multiple packets can be converted by starting the address offset for each new packet at 000000 again in the source file.
text2pcap.exe seems to come with wireshark.
Tedious but works.
Cheers
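As an added, offline check on the packet posted above (example code written for this page, not code from either answer or from Wireshark): it verifies the IPv4 header checksum, recomputes the TCP checksum over the IPv4 pseudo-header, and compares the total length field with the bytes actually present. The only input is the hex from the question; nothing else is assumed.

```python
import struct

# The packet posted in the question: a 20-byte IPv4 header followed by a
# 20-byte TCP SYN with no payload, i.e. 40 bytes on the wire.
PACKET_HEX = (
    "45 10 00 3C 00 02 00 00 64 06 E8 1F 0A AA 61 43 51 8A B1 13 "
    "01 BB 01 BB 00 00 00 0A 00 00 00 00 50 02 00 00 3D D8 00 00"
)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of big-endian 16-bit words,
    carries folded back in, then complemented. IPv4 and TCP both use it."""
    if len(data) % 2:
        data += b"\x00"  # odd-length input is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes, tcp_len=None) -> int:
    """TCP checksum over the pseudo-header (src, dst, zero, protocol 6,
    TCP length) plus the segment with its own checksum field (bytes 16-17)
    zeroed. tcp_len defaults to the number of segment bytes present."""
    if tcp_len is None:
        tcp_len = len(segment)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return internet_checksum(pseudo + zeroed)


def analyze(packet_hex: str) -> dict:
    """Split a raw IPv4+TCP packet and report what a receiver would check."""
    pkt = bytes.fromhex(packet_hex)
    ihl = (pkt[0] & 0x0F) * 4                      # 0x45 -> IHL 5 -> 20 bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_hdr, segment = pkt[:ihl], pkt[ihl:]
    src_ip, dst_ip = ip_hdr[12:16], ip_hdr[16:20]
    return {
        # Checksumming a header that already carries a correct checksum gives 0.
        "ip_checksum_ok": internet_checksum(ip_hdr) == 0,
        "declared_total_length": total_len,
        "actual_length": len(pkt),
        "length_ok": total_len == len(pkt),
        "tcp_checksum_field": struct.unpack("!H", segment[16:18])[0],
        # Recomputed over the 20 TCP bytes actually present.
        "tcp_checksum_expected": tcp_checksum(src_ip, dst_ip, segment),
        # TCP length a receiver would derive from the IP header (60 - 20 = 40);
        # with that pseudo-header the stored checksum no longer verifies.
        "tcp_checksum_if_declared_len": tcp_checksum(
            src_ip, dst_ip, segment, total_len - ihl),
    }


if __name__ == "__main__":
    for key, value in analyze(PACKET_HEX).items():
        shown = "0x%04X" % value if key.startswith("tcp_checksum") else value
        print("%-30s %s" % (key, shown))
```

The stored TCP checksum (0x3DD8) matches the sum over the 20 TCP bytes that were actually sent, and the IP header checksum (0xE81F) verifies as well, so the arithmetic is fine. The one field that disagrees with the bytes on the wire is the total length (0x003C = 60 against 40 present), which is exactly what tcpdump complained about in the first answer.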
Hello everyone,
I'm currently working on a project that takes data from patient monitors and sends it to another system that we built (not the central station, which displays all monitors; that is already working but it is closed source).
The monitor is supplied with an Ethernet card and it sends data over the UDP protocol. But when we need to read the real data in the application layer we understand nothing.
Here is a small frame we get from the traffic when the monitor talks to the central station.
0000 ff ff ff ff ff ff 66 76 84 00 18 73 08 00 45 00
0010 00 2e 00 00 40 00 40 11 7a 03 c0 a8 00 14 ff ff
0020 ff ff a4 10 1f 42 00 1a 04 45 ff d0 00 02 00 fe
0030 00 0a 32 01 02 03 04 05 0b 32 33 50
When I put it into Wireshark it analyzes up to the UDP protocol and stops; it doesn't understand the application layer data.
Here is a sample application layer data.
ff d0 00 02 00 fe 00 0a 32 01 02 03 04 05 0b 32 33 50
Another one:
ff da 7f f1 00 04 00 0c 02 18 0d 0f 60 0c 04 0b 0b 10 00 00
Are there any standard protocols that are used in the medical field to transport data like ECG, respiration, etc.? And is there a protocol that is compatible with the form above?
Please stop there!
Get the specification or documentation from the vendor and do not reverse engineer the protocol. If you are unable to do so, leave this thing alone.
If you get it wrong you are endangering patients. Doctors may rely on your information, which you are guessing, as it seems.
Even if it is something well documented like HL7 or DICOM, read the documentation and talk with the vendor.
Depending on jurisdiction there may be a myriad of legal problems ahead.
It may be transmitting in HL7
http://www.hl7.org/index.cfm
I have a device that connects the home thermostat to the internet over wifi.
This device sends information about the home temperature to the producer, and using their app I can see this information on the smartphone.
I want to get this information directly by interrogating the device.
I found with nmap that it uses UDP port 4097. Now I want to sniff the packets it sends or receives to understand what type of commands I can use.
What is the best way to do it?
I'm thinking of using my Ubuntu machine as a wifi router, connecting the device to it and sniffing the traffic. Is it possible?
Thanks
---UPDATE----
I did it with ARP spoofing, and now I'm able to capture the UDP packets sent from the thermostat with Wireshark. But this packet data is not human readable... How can I understand this data?
This is the data I sniff:
0000 70 71 bc 6e 64 2e fc e8 92 2d cf 3c 08 00 45 00
0010 00 47 01 f5 00 00 ff 11 93 2f c0 a8 01 02 b0 38
0020 b4 9e 10 01 07 dc 00 33 c7 71 02 01 c2 01 fe e8
0030 92 2d cf 3c ac b4 05 00 00 00 14 00 8a 01 fc e8
0040 92 00 11 6d 58 41 06 00 2d 01 00 03 b7 06 00 01
0050 08 07 11 00 8a
Thank you
Create a new monitoring interface with
iw phy phy0 interface add wlan0mon type monitor
Activate the interface
ifconfig wlan0mon up
Monitor the interface with a packet capture utility
tshark -i wlan0mon
Filter the capture to your thermostat device only
tshark -i wlan0mon -Y eth.addr==<FOUND SOURCE>
Full packet details are obtained by adding the -V flag.
Other tool proposals
airmon-ng start wlan0 to start the monitor mode
netsniff-ng, tcpdump, wireshark, ngrep for capture
I need to sort out something about the IPv4 header. For example, the following Ethernet II frame with an IPv4 packet starting at the fifteenth byte.
0000: 08 00 20 7c 94 1c 00 00 - 39 51 90 37 08 00 45 00
0010: 00 3e 36 00 00 00 80 11 - da 4f 82 eb 12 7f 82 eb
0020: 12 0a 04 01 00 35 00 2a - ee 6a 00 01 01 00 00 01
0030: 00 00 00 00 00 00 06 67 - 65 6d 69 6e 69 03 6c 64
0040: 63 02 6c 75 02 73 65 00 - 00 01 00 01
I need to sort some things out:
What do the 0000 & 0010 & 0020 & 0030 on the left stand for?
I just can't sort it out: is one pair, for example the first one, 08, two bits, or...?
And if the IPv4 starts at the fifteenth byte (1 byte = 8 bits), where does it start then? I have problems understanding this because I don't get number 2.
Thank you for your time.
"45" in your first line of the hexdump is the 1st byte of the IP header (15th byte of the Ethernet frame). Each line is 16 bytes.
Also, the beginning of each line has an offset like e.g. "0010: " (in hex), which means the starting offset from the start of the whole dump.
Your first line would be, (total 16 bytes),
dmac(6)+smac(6)+etype(2)+ first2byte_of_ip(2)
and your first byte of IP is hex "45"; you can look up the detailed IP header fields on Wikipedia.
It would be nice if you can read wireshark user's guide on your own. Anyway, to answer your question,
1) What do the 0000 & 0010 & 0020 & 0030 on the left stand for?
It stands for hexdump offset. You can refer to this page.
2) I just cant sort it out is 1 pair for example the first one 08 two bits or?
It is (part of) the destination MAC address. The entire MAC address is 08 00 20 7c 94 1c.
3) since Q2 is now answered, this should not be problem for you.
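The frame in this question and the thermostat capture earlier on this page have the same shape: a 14-byte Ethernet II header, then IPv4, then UDP. The following is an added example written for this page (not code from any of the posts above): it strips the hexdump offset column (the 0000/0010/... values are byte offsets in hex, 16 bytes per line), then walks the layers, so you can see that the IPv4 header does start at offset 14 (the fifteenth byte) and pull out the UDP payload that Wireshark stops at. The two dumps are copied from the questions; the parser assumes each dump line is an offset followed by two-digit hex byte tokens, with no trailing ASCII column.

```python
import re
import struct

# Hexdumps copied from the two questions on this page: one uses "0010:"
# offsets with a "-" group separator, the other bare "0010" offsets.
DNS_FRAME_DUMP = """
0000: 08 00 20 7c 94 1c 00 00 - 39 51 90 37 08 00 45 00
0010: 00 3e 36 00 00 00 80 11 - da 4f 82 eb 12 7f 82 eb
0020: 12 0a 04 01 00 35 00 2a - ee 6a 00 01 01 00 00 01
0030: 00 00 00 00 00 00 06 67 - 65 6d 69 6e 69 03 6c 64
0040: 63 02 6c 75 02 73 65 00 - 00 01 00 01
"""

THERMOSTAT_FRAME_DUMP = """
0000 70 71 bc 6e 64 2e fc e8 92 2d cf 3c 08 00 45 00
0010 00 47 01 f5 00 00 ff 11 93 2f c0 a8 01 02 b0 38
0020 b4 9e 10 01 07 dc 00 33 c7 71 02 01 c2 01 fe e8
0030 92 2d cf 3c ac b4 05 00 00 00 14 00 8a 01 fc e8
0040 92 00 11 6d 58 41 06 00 2d 01 00 03 b7 06 00 01
0050 08 07 11 00 8a
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the offset column (first token on each line) and separators such
    as '-', keep the two-digit hex tokens, and return the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()[1:]            # token 0 is the offset, not data
        out.extend(int(t, 16) for t in tokens if HEX_BYTE.match(t))
    return bytes(out)


def decode_frame(frame: bytes) -> dict:
    """Ethernet II -> IPv4 -> UDP. Offsets are 0-based, so frame[14] is the
    fifteenth byte and the first byte of the IPv4 header (0x45: v4, IHL 5)."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4, ethertype 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    info = {
        "dst_mac": dst_mac.hex(":"),
        "src_mac": src_mac.hex(":"),
        "ip_offset": 14,
        "ip_version": ip[0] >> 4,
        "ip_header_len": ihl,
        "ip_total_len": total_len,
        "ip_len_matches_frame": total_len == len(ip),
        "protocol": ip[9],                   # 17 = UDP, 6 = TCP
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
    }
    if ip[9] == 17:
        udp = ip[ihl:total_len]
        sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
        info.update(src_port=sport, dst_port=dport, udp_len=ulen,
                    udp_checksum=ucsum, payload=udp[8:ulen])
    return info


if __name__ == "__main__":
    for name, dump in (("dns", DNS_FRAME_DUMP), ("thermostat", THERMOSTAT_FRAME_DUMP)):
        info = decode_frame(hexdump_to_bytes(dump))
        print(name, {k: (v.hex() if isinstance(v, bytes) else v) for k, v in info.items()})
```

For the frame in this question the decoder reports source 130.235.18.127 port 1025 to 130.235.18.10 port 53, i.e. a DNS query, with a 34-byte payload; for the thermostat frame it reports 192.168.1.2 port 4097 to 176.56.180.158 port 2012 with a 43-byte payload, which is the part Wireshark has no dissector for.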
Intro: I'm coming to this problem without full familiarity with the Bluetooth stack and protocols, so this may require several rounds of editing as errors in my assumptions are revealed.
I'm attempting to connect to a Bluetooth device, a Scosche myTREK Pulse Monitor. I was able to connect to the device using the 'official' app for Android, and I captured the Bluetooth packet output using hcidump. I can read and understand the connection process up through the link key exchange; however, the device then sends an HCI Encrypt Change event, after which most (but not all) packets are labeled as ACL packets, and are difficult to interpret.
The basic question is: Does Bluetooth encrypt data, and is there a way to decrypt it securely? Is this related to the shift to ACL packets?
Here is a sample of the packet output provided by hcidump for a given connection, starting at the passing of the Link Key. ( > refers to the monitor sending data )
> HCI Event: Link Key Request (0x17) plen 6
0000: ** ** ** ** ** ** ??????
< HCI Command: Link Key Request Reply (0x01|0x000b) plen 22
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ???????????????
0010: ** ** ** ** ** ** ??????
> HCI Event: Command Complete (0x0e) plen 10
0000: 01 0b 04 00 ** ** ** ** ** ** ....??????
> HCI Event: Encrypt Change (0x08) plen 4
0000: 00 0c 00 01 ....
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 02 08 00 40 00 40 00 01 00 00 00 ........#.#.....
< ACL data: handle 12 flags 0x00 dlen 10
0000: 06 00 01 00 0a 01 02 00 02 00 ..........
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Info rsp: type 2 result 0
Extended feature mask 0x0000
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 02 08 00 40 00 40 00 00 00 00 00 ........#.#.....
< ACL data: handle 12 flags 0x00 dlen 12
0000: 08 00 01 00 04 02 04 00 40 00 00 00 ........#...
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
MTU 48
< ACL data: handle 12 flags 0x00 dlen 18
0000: 0e 00 01 00 05 03 0a 00 40 00 00 00 00 00 01 02 ........#.......
0010: 30 00 0.
> ACL data: handle 12 flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
Success
> ACL data: handle 12 flags 0x02 dlen 36
L2CAP(d): cid 0x0040 len 32 [psm 0]
0000: 06 00 01 00 1b 35 11 1c 00 00 00 00 de ca fa de .....5......??·?
0010: de ca de af de ca ca fe 00 26 35 03 09 00 04 00 ???»????.&5.....
< ACL data: handle 12 flags 0x00 dlen 33
0000: 1d 00 40 00 07 00 01 00 18 00 15 35 13 35 11 09 ..#........5.5..
0010: 00 04 35 0c 35 03 19 01 00 35 05 19 00 03 08 12 ..5.5....5......
0020: 00 .
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0040
< ACL data: handle 12 flags 0x00 dlen 12
0000: 08 00 01 00 07 04 04 00 40 00 40 00 ........#.#.
> ACL data: handle 12 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 3 scid 0x0041
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 03 05 08 00 40 00 41 00 00 00 00 00 ........#.A.....
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 16
L2CAP(s): Config req: dcid 0x0040 flags 0x00 clen 4
MTU 895
< ACL data: handle 12 flags 0x00 dlen 18
0000: 0e 00 01 00 05 06 0a 00 41 00 00 00 00 00 01 02 ........A.......
0010: 7f 03 ..
< ACL data: handle 12 flags 0x00 dlen 16
0000: 0c 00 01 00 04 03 08 00 41 00 00 00 01 02 f5 03 ........A.....?.
> HCI Event: Number of Completed Packets (0x13) plen 5
0000: 01 0c 00 02 00 .....
> ACL data: handle 12 flags 0x02 dlen 18
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 4
MTU 1013
At this point, the payloads delivered by the device vary drastically between runs, let alone within a single run. I've placed the remainder of the log in a pastebin for brevity: Link
Yes, Bluetooth encrypts data over the air. And yes, this applies to ACL data. But the data you are seeing over the HCI interface is already decrypted. Your problem is that you don't know how to interpret the ACL data stream. There are a couple of levels of protocol on top of ACL data. Unless your device documents its protocol, you may be out of luck. It's most likely that they are running SPP (serial port profile) or RFCOMM to talk to the Android app. So you have the following nested protocol layers to decode: SPP -> RFCOMM -> L2CAP -> ACL data.
It is also possible that your device/app does additional application-level encryption on top of SPP. In that case, you're out of luck.
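To make the nested layers concrete, here is an added example (written for this page, not code from the answer or from hcidump) that peels the first two layers off the host-side (`<`) ACL payloads quoted raw in the question: the 4-byte L2CAP basic header (length and CID, little-endian), then the signaling commands carried on CID 0x0001. The two device-side Connection Requests are constructed from hcidump's already-decoded lines ("Connect req: psm 1 scid 0x0040" and "Connect req: psm 3 scid 0x0041"); their identifier bytes (0x02 and 0x05) are inferred from the responses that echo them and are labelled as such. Decoding them shows PSM 1 is SDP and PSM 3 is RFCOMM, the layer the answer says SPP rides on.

```python
import struct

# L2CAP signaling command codes (CID 0x0001), Bluetooth Core specification.
SIGNALING_CODES = {
    0x01: "Command Reject", 0x02: "Connection Request",
    0x03: "Connection Response", 0x04: "Configuration Request",
    0x05: "Configuration Response", 0x06: "Disconnection Request",
    0x07: "Disconnection Response", 0x08: "Echo Request",
    0x09: "Echo Response", 0x0A: "Information Request",
    0x0B: "Information Response",
}
# Fixed PSMs that appear in this dump; SPP is carried on RFCOMM.
PSM_NAMES = {0x0001: "SDP", 0x0003: "RFCOMM"}
CONNECT_RESULTS = {0: "success", 1: "pending", 2: "refused (PSM not supported)",
                   3: "refused (security block)", 4: "refused (no resources)"}

# Host-to-device ("<") ACL payloads copied verbatim from the hcidump above.
HOST_ACL_PAYLOADS = [
    "0c 00 01 00 03 02 08 00 40 00 40 00 01 00 00 00",
    "06 00 01 00 0a 01 02 00 02 00",
    "0c 00 01 00 03 02 08 00 40 00 40 00 00 00 00 00",
    "08 00 01 00 04 02 04 00 40 00 00 00",
    "0e 00 01 00 05 03 0a 00 40 00 00 00 00 00 01 02 30 00",
    "08 00 01 00 07 04 04 00 40 00 40 00",
    "0c 00 01 00 03 05 08 00 40 00 41 00 00 00 00 00",
    "0e 00 01 00 05 06 0a 00 41 00 00 00 00 00 01 02 7f 03",
    "0c 00 01 00 04 03 08 00 41 00 00 00 01 02 f5 03",
]
# CONSTRUCTED: device-side Connection Requests rebuilt from hcidump's decoded
# lines; identifiers 0x02/0x05 are inferred from the responses above.
DEVICE_CONNECT_REQUESTS = [
    "08 00 01 00 02 02 04 00 01 00 40 00",   # psm 1 (SDP), scid 0x0040
    "08 00 01 00 02 05 04 00 03 00 41 00",   # psm 3 (RFCOMM), scid 0x0041
]


def parse_config_options(data: bytes) -> dict:
    """Configuration options are type(1) length(1) value TLVs; type 1 is MTU."""
    opts, i = {}, 0
    while i + 2 <= len(data):
        otype, olen = data[i], data[i + 1]
        value = data[i + 2:i + 2 + olen]
        if otype & 0x7F == 0x01 and olen == 2:
            opts["mtu"] = struct.unpack("<H", value)[0]
        else:
            opts["type_0x%02x" % otype] = value.hex()
        i += 2 + olen
    return opts


def decode_l2cap(payload: bytes) -> dict:
    """Strip the L2CAP basic header, then decode the command if this is the
    signaling channel. Other CIDs carry connection-oriented data whose upper
    layer (SDP, RFCOMM, ...) is whatever PSM was negotiated for that CID."""
    length, cid = struct.unpack("<HH", payload[:4])   # L2CAP is little-endian
    body = payload[4:4 + length]
    info = {"l2cap_len": length, "cid": cid, "len_ok": len(body) == length}
    if cid != 0x0001:
        info["layer"] = "data (upper layer chosen by the PSM for this CID)"
        return info
    code, ident, clen = struct.unpack("<BBH", body[:4])
    params = body[4:4 + clen]
    info.update(code=code, command=SIGNALING_CODES.get(code, "unknown"), ident=ident)
    if code == 0x02:
        psm, scid = struct.unpack("<HH", params[:4])
        info.update(psm=psm, psm_name=PSM_NAMES.get(psm, "dynamic/unknown"), scid=scid)
    elif code == 0x03:
        dcid, scid, result, status = struct.unpack("<HHHH", params[:8])
        info.update(dcid=dcid, scid=scid, result=CONNECT_RESULTS.get(result, result), status=status)
    elif code == 0x04:
        dcid, flags = struct.unpack("<HH", params[:4])
        info.update(dcid=dcid, flags=flags, options=parse_config_options(params[4:]))
    elif code == 0x05:
        scid, flags, result = struct.unpack("<HHH", params[:6])
        info.update(scid=scid, flags=flags, result=result, options=parse_config_options(params[6:]))
    elif code in (0x06, 0x07):
        dcid, scid = struct.unpack("<HH", params[:4])
        info.update(dcid=dcid, scid=scid)
    elif code in (0x0A, 0x0B):
        info["info_type"] = struct.unpack("<H", params[:2])[0]
    return info


def decode_all(hex_payloads) -> list:
    return [decode_l2cap(bytes.fromhex(h)) for h in hex_payloads]


if __name__ == "__main__":
    for entry in decode_all(DEVICE_CONNECT_REQUESTS + HOST_ACL_PAYLOADS):
        print(entry)
```

Reading the output against the dump: the first channel (PSM 1, SDP) is opened, configured with MTU 48, used for the L2CAP(d) exchange on CID 0x0040, and torn down; the second (PSM 3, RFCOMM) is then opened with MTUs 895 and 1013, matching the hcidump lines. Everything after that on the RFCOMM channel still has RFCOMM framing and then the vendor's own payload to decode, which is the part no generic tool will do for you.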