Bluetooth low energy Data Encryption/Master and Slave Assignment
A Bluetooth low energy data connection consists of connection events, which are a series of transmissions on the same channel. In each connection event the master transmits first, then the slave, and then the devices take turns until the connection event is finished.
When the data connection is encrypted and the packets are successfully decrypted, the sniffer can determine exactly who sent which packet. This applies only to non-empty, encrypted packets, because empty packets are never encrypted. These packets are labeled either ‘M’ for master or ‘S’ for slave.
When the data connection is unencrypted or when encrypted packets are not successfully decrypted by the sniffer, the sniffer cannot distinguish the two devices’ (master and slave) packets by their content, just by the packet timing. In those cases we label each device as side ‘1’ or ‘2’, not as master or slave. In each connection event, packets sent by the device which transmitted first in the connection event are labeled ‘1’, and packets sent by the device which transmitted second are labeled ‘2’.
If no packets in the connection event are missed by the sniffer, the device labeled ‘1’ is the master and the device labeled ‘2’ is the slave. However, if we do not capture the very first packet in a connection event (i.e. the packet sent by the master) but do capture the packet sent by the slave, we label the slave as side ‘1’ since it is the first device we heard in the connection event. Because there is potential clock drift since the last connection event, we cannot use the absolute timing to correct this error; there would still be cases where we get it wrong. Therefore we always assign ‘1’ to the first packet in a connection event. So even though it is rare, there are connection events where packets sent by the slave device are labeled ‘1’ and packets sent by the master are labeled ‘2’.
Finally, in a noisy environment it is also possible that the sniffer does not capture packets in the middle of a connection event. If this occurs and the sniffer cannot determine the side for the remaining packets in that connection event, the side is labeled ‘U’ for “unknown”.
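The labeling rules above can be modeled in a few lines. This is an added example, not the sniffer's own code: the `Pkt` record, the `capture` and `demo` helpers, the jitter tolerance, and the rule that a gap larger than the 150 µs inter-frame space means a missed packet are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

T_IFS_US = 150     # BLE inter-frame space between packets of one connection event
TOLERANCE_US = 10  # assumed allowance for timestamp jitter

@dataclass
class Pkt:  # hypothetical capture record, not a real sniffer structure
    start_us: int                       # start time on the sniffer's clock
    dur_us: int                         # on-air duration
    decrypted_as: Optional[str] = None  # 'M'/'S' when decryption succeeded

def label_event(pkts):
    """Label the captured packets of one connection event."""
    labels, side, prev_end = [], "1", None  # first packet heard is side '1'
    for p in pkts:
        if prev_end is not None:
            gap = p.start_us - prev_end
            if side != "U" and abs(gap - T_IFS_US) <= TOLERANCE_US:
                side = "2" if side == "1" else "1"  # normal turn-taking
            else:
                side = "U"  # assumed rule: an oversized gap means a missed packet
        labels.append(p.decrypted_as or side)
        prev_end = p.start_us + p.dur_us
    return labels

def capture(durations, missed=()):
    """Constructed event: master first, alternating turns, minus missed indices."""
    t, out = 0, []
    for i, d in enumerate(durations):
        if i not in missed:
            out.append(("MS"[i % 2], Pkt(t, d)))
        t += d + T_IFS_US
    return out

def demo(durations, missed=()):
    """Pair each captured packet's true sender with the label it receives."""
    cap = capture(durations, missed)
    return list(zip([s for s, _ in cap], label_event([p for _, p in cap])))

if __name__ == "__main__":
    print(demo([80, 80, 80, 80]))                  # nothing missed
    print(demo([80, 80, 80, 80], missed={0}))      # master's first packet missed
    print(demo([80, 80, 80, 80, 80], missed={2}))  # packet missed mid-event
```

The second call shows the swap described above: with the master's opening packet missed, the slave's packets carry ‘1’ and the master's carry ‘2’.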