Bluetooth iBeacon dissector is missing the Beacon Subtype and length fields
Summary
The Apple iBeacon decoder is missing the 2-byte Beacon subtype fields and this throws off the decoding of the fields after it.
Sample capture file
Steps to reproduce
Load the attached capture file and "Decode As...". Field is "BT EIR/AD Manufacturer Company ID". Value is 0x004C. Current is "iBeacon".
What is the current bug behavior?
Here's an example decoded packet:
```
Frame 229: 62 bytes on wire (496 bits), 62 bytes captured (496 bits) on interface /dev/ttyUSB0-3.6, id 0
nRF Sniffer for Bluetooth LE
Bluetooth Low Energy Link Layer
    Access Address: 0x8e89bed6
    Packet Header: 0x2400 (PDU Type: ADV_IND, ChSel: #1, TxAdd: Public)
    Advertising Address: e8:fb:1c:66:b9:40 (e8:fb:1c:66:b9:40)
    Advertising Data
        Flags
            Length: 2
            Type: Flags (0x01)
            000. .... = Reserved: 0x0
            ...0 .... = Simultaneous LE and BR/EDR to Same Device Capable (Host): false (0x0)
            .... 0... = Simultaneous LE and BR/EDR to Same Device Capable (Controller): false (0x0)
            .... .1.. = BR/EDR Not Supported: true (0x1)
            .... ..1. = LE General Discoverable Mode: true (0x1)
            .... ...0 = LE Limited Discoverable Mode: false (0x0)
        Manufacturer Specific
            Length: 26
            Type: Manufacturer Specific (0xff)
            Company ID: Apple, Inc. (0x004c)
            Apple iBeacon
                UUID: 0215f5068913e783486191a4a3e37d67
                Major: 12935
                Minor: 55806
    CRC: 0xc332f4
```
If you look at the UUID field, the 0x02 should be the subtype and 0x15 should be the subtype length. Then the UUID starts with 0xf5.
What is the expected correct behavior?
The Apple iBeacon page has the specification via the "Download artwork and specifications" link. The iBeacon Wikipedia page looks right as well.
Chuckc posted a lot of helpful info on the forum at https://ask.wireshark.org/question/36284/possible-ble-apple-ibeacon-dissector-issue/ too.
Build information
```
Wireshark 3.6.2 (Git v3.6.2 packaged as 3.6.2-2)
Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using GCC 11.2.0, with Qt 5.15.2, with libpcap, with POSIX
capabilities (Linux), with libnl 3, with GLib 2.71.2, with zlib 1.2.11, with Lua
5.2.4, with GnuTLS 3.7.3 and PKCS #11 support, with Gcrypt 1.9.4, with MIT
Kerberos, with MaxMind DB resolver, with nghttp2 1.43.0, with brotli, with LZ4,
with Zstandard, with Snappy, with libxml2 2.9.12, with libsmi 0.4.8, with
QtMultimedia, without automatic updates, with SpeexDSP (using system library),
with Minizip.
Running on Linux 6.8.0-50-generic, with AMD Ryzen Threadripper 2950X 16-Core
Processor (with SSE4.2), with 31932 MB of physical memory, with GLib 2.80.0,
with zlib 1.3, with Qt 5.15.13, with libpcap 1.10.1 (with TPACKET_V3), with
c-ares 1.18.1, with GnuTLS 3.8.3, with Gcrypt 1.10.3, with nghttp2 1.59.0, with
brotli 1.1.0, with LZ4 1.9.4, with Zstandard 1.5.5, with libsmi 0.4.8, with
LC_TYPE=en_US.UTF-8, binary plugins supported (0 loaded).
```
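The field layout this report expects, as an added stand-alone C example (not Wireshark's dissector code and not part of the original report): it parses the payload that follows the Company ID, checking the subtype and length bytes before reading the UUID. The names `parse_ibeacon`, `struct ibeacon` and `sample_payload` are hypothetical; the first 16 sample bytes are the ones shown in the report's UUID field, the next four assume the reported Major/Minor values were displayed big-endian, and the last three are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IBEACON_SUBTYPE     0x02
#define IBEACON_SUBTYPE_LEN 0x15 /* 21 = 16 UUID + 2 major + 2 minor + 1 power */

struct ibeacon {
    uint8_t  uuid[16];
    uint16_t major;          /* big-endian on the wire */
    uint16_t minor;          /* big-endian on the wire */
    int8_t   measured_power; /* signed, dBm at 1 m */
};

/* Parse the manufacturer-specific payload after the 2-byte Company ID.
 * Returns 0 on success, -1 if the subtype or length byte is wrong or
 * the buffer is too short to hold the 21 bytes the length byte announces. */
int parse_ibeacon(const uint8_t *p, size_t len, struct ibeacon *out)
{
    if (len < 2)
        return -1;
    if (p[0] != IBEACON_SUBTYPE || p[1] != IBEACON_SUBTYPE_LEN)
        return -1;
    if (len - 2 < IBEACON_SUBTYPE_LEN)
        return -1;
    memcpy(out->uuid, p + 2, 16);
    out->major = (uint16_t)((p[18] << 8) | p[19]);
    out->minor = (uint16_t)((p[20] << 8) | p[21]);
    out->measured_power = (int8_t)p[22];
    return 0;
}

/* Sample payload: see the lead-in for which bytes come from the report. */
static const uint8_t sample_payload[23] = {
    0x02, 0x15,                                     /* subtype, length */
    0xf5, 0x06, 0x89, 0x13, 0xe7, 0x83, 0x48, 0x61, /* UUID bytes 0-7 */
    0x91, 0xa4, 0xa3, 0xe3, 0x7d, 0x67, 0x32, 0x87, /* UUID bytes 8-15 */
    0xd9, 0xfe,                                     /* major */
    0x00, 0x01,                                     /* minor (constructed) */
    0xc5                                            /* power (constructed) */
};

int main(void)
{
    struct ibeacon b;
    if (parse_ibeacon(sample_payload, sizeof sample_payload, &b) != 0)
        return 1;
    printf("major=%u minor=%u power=%d\n", b.major, b.minor, b.measured_power);
    return 0;
}
```

With the two header bytes consumed first, the UUID starts at 0xf5 and the value the report shows as Minor (55806) lands in the major field.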