LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR
Packet structure
+---------------------------+ | RF Channel | | (1 Octet) | +---------------------------+ | Signal Power | | (1 Octet) | +---------------------------+ | Noise Power | | (1 Octet) | +---------------------------+ | Access Address Offenses | | (1 Octet) | +---------------------------+ | Reference Access Address | | (4 Octets) | +---------------------------+ | Flags | | (2 Octets) | +---------------------------+ | LE Packet (no preamble) | . . . . . .
Description
All multi-octet fields are expressed in little-endian format. Fields with a corresponding Flags bit are only considered valid when the bit is set.
The RF Channel field ranges 0 to 39. It reflects the value described in the Bluetooth Core Specification v5.2, Volume 6, Part A, Section 2.
The Signal Power and Noise Power fields are signed integers expressing values in dBm.
The Access Address Offenses field is an unsigned integer indicating the number of deviations from the valid access address that led to the packet capture. Access addresses are interpreted as described in the Bluetooth Core Specification v5.2, Volume 6, Part B, Section 2.1.2.
The Reference Access Address field corresponds to the Access Address configured into the capture tool that led to the capture of this packet.
The Flags field represents packed bits defined as follows:
- 0x0001 indicates the LE Packet is de-whitened
- 0x0002 indicates the Signal Power field is valid
- 0x0004 indicates the Noise Power field is valid
- 0x0008 indicates the LE Packet is decrypted
- 0x0010 indicates the Reference Access Address is valid and led to this packet being captured
- 0x0020 indicates the Access Address Offenses field contains valid data
- 0x0040 indicates the RF Channel field is subject to aliasing
- 0x0380 is an integer bit field indicating the LE Packet PDU type
- 0x0400 indicates the CRC portion of the LE Packet was checked
- 0x0800 indicates the CRC portion of the LE Packet passed its check
- 0x3000 is a PDU type dependent field
- 0xC000 is an integer bit field indicating the LE PHY mode
The PDU types indicated by flag bit field 0x0380 are defined as follows:
- Advertising or Data (Unspecified Direction)
- Auxiliary Advertising
- Data, Master to Slave
- Data, Slave to Master
- Connected Isochronous, Master to Slave
- Connected Isochronous, Slave to Master
- Broadcast Isochronous
- Reserved for Future Use
For PDU types other than type 1 (auxiliary advertising), the PDU type dependent field (using flag bits 0x3000) indicates the checked status of the MIC portion of the decrypted packet:
- 0x1000 indicates the MIC portion of the decrypted LE Packet was checked
- 0x2000 indicates the MIC portion of the decrypted LE Packet passed its check
For PDU type 1 (auxiliary advertising), the PDU type dependent field (using flag bits 0x3000) is an integer bit field indicating the auxiliary advertisement type:
- AUX_ADV_IND
- AUX_CHAIN_IND
- AUX_SYNC_IND
- AUX_SCAN_RSP
The LE PHY modes indicated by flag bit field 0xC000 are defined as follows:
- LE 1M
- LE 2M
- LE Coded
- Reserved for Future Use
The LE Packet field follows the previous fields. All multi-octet values in the LE Packet are always expressed in little-endian format, as is the normal Bluetooth practice.
For packets using the LE Uncoded PHYs (LE 1M PHY and LE 2M PHY) as defined in the Bluetooth Core Specification v5.2, Volume 6, Part B, Section 2.1, the LE Packet is represented as the four-octet access address, immediately followed by the PDU and CRC; it does not include the preamble.
For packets using the LE Coded PHY as defined in the Bluetooth Core Specification v5.2, Volume 6, Part B, Section 2.2, the LE Packet is represented as the four-octet access address, followed by the Coding Indicator (CI), stored in a one-octet field with the lower 2 bits containing the CI value, immediately followed by the PDU and the CRC; it does not include the preamble. Packets using the LE Coded PHY are represented in an uncoded form, so the TERM1 and TERM2 coding terminators are not included in the LE packet field.