BLE L2CAP layer conclusion - embeddedpathashala.com

L2CAP Practical Examples & Chapter 10 Summary

Chapter 10 Sections 10.10–10.11 — Real Sniffer Captures, Credit Exchange, Flow Control Chart & Summary

Fig 10.8
CID 0x0004 / 0x0006

Initial Credits
10 → source, 11 → dest

Flow Credit
+1 additional

No Setup PDUs
Data starts immediately

Keywords:

BLE L2CAP sniffer Figure 10.8 BLE CID 0x0004 ATT 0x0006 SMP BLE no CONNECT CONFIGURE sniffer BLE LE credit based connection 10 11 credits BLE LE flow control credit additional BLE Figure 10.12 flow control chart BLE L2CAP chapter 10 summary BlueZ btmon L2CAP capture

10.10 — Practical Examples

Theory makes more sense when you can see it working on real hardware. Section 10.10 provides annotated sniffer captures of actual BLE L2CAP traffic — first a basic connection showing ATT and SMP channels working without any setup PDUs, then a credit-based flow control session showing the full lifecycle of a credit channel. These captures come directly from the textbook and match what you would see using tools like Wireshark with a BLE sniffer or btmon on Linux.

Figure 10.8 — Basic L2CAP Exchange Between Two Devices

Two Observations from Real Captured Frames

The sniffer capture in Figure 10.8 shows L2CAP PDUs being exchanged between two connected BLE devices. Looking at the Channel ID column, two things stand out immediately:

Observation 1 — Fixed CIDs in Use

Every packet carrying ATT data shows CID = 0x0004 in the Channel ID field. Every packet carrying Security Manager data shows CID = 0x0006. This confirms exactly what the specification says about fixed channel identifiers — ATT always uses 0x0004, SMP always uses 0x0006, no matter which device or which connection.

Observation 2 — No CONNECT or CONFIGURE Frames

Scanning through all the captured frames, there are no L2CAP CONNECT requests and no CONFIGURE requests anywhere in the log. In a BR/EDR capture you would see these before any data flows. In BLE they do not exist. As soon as the link layer connection was established, data started flowing directly on CID 0x0004 and 0x0006 with zero L2CAP setup overhead.

Figure 10.8 — Annotated Sniffer Capture of L2CAP Exchanges

Frame
PDU Length
Channel ID
Summary


685
14
0x0004
ATT — first data PDU, no setup needed

686
7
0x0004
ATT — second frame, same channel

689
5
0x0004
ATT — third frame

690
7
0x0006
SMP — Security Manager frame appears mid-connection

693
7
0x0006
SMP — second Security Manager frame

694
17
0x0006
SMP — pairing data frame

697
17
0x0006
SMP — further pairing frame


● CID 0x0004 = Attribute Protocol (ATT)
● CID 0x0006 = Security Manager Protocol (SMP)
No CONNECT/CONFIGURE frames anywhere in the log

Frame	PDU Length	Channel ID	Summary
685	14	0x0004	ATT — first data PDU, no setup needed
686	7	0x0004	ATT — second frame, same channel
689	5	0x0004	ATT — third frame
690	7	0x0006	SMP — Security Manager frame appears mid-connection
693	7	0x0006	SMP — second Security Manager frame
694	17	0x0006	SMP — pairing data frame
697	17	0x0006	SMP — further pairing frame

/* Capturing L2CAP traffic with btmon on Linux               */
/* sudo btmon                                                 */

/* You will see output like:                                  */
/* @ device hci0 opened
/* > HCI Event: LE Meta Event — Connection Complete           */
/* < HCI Command: LE Set Event Mask                           */

/* ATT traffic (CID 0x0004):                                  */
/* > ACL Data RX: handle 64 flags 0x02 dlen 11               */
/*     ATT: Exchange MTU Request (0x02) len 3                */
/*       Client RX MTU: 512                                   */

/* SMP traffic (CID 0x0006):                                  */
/* > ACL Data RX: handle 64 flags 0x02 dlen 7                */
/*     SMP: Pairing Request (0x01) len 6                      */
/*       IO capability: NoInputNoOutput                       */

Figures 10.9 & 10.10 — Credit-Based Connection Setup

Figure 10.9 — The Connection Request with 10 Initial Credits

Figure 10.9 shows the LE Credit-Based Connection Request from the source device. The key fields visible in the capture:

Figure 10.9 — Annotated LE Credit-Based Connection Request

Channel = 0x0005 (LE L2CAP Signaling Channel)
PDU Length 14 bytes
Channel ID 0x0005 (Signaling)
Command Length 10 bytes
Protocol/Service MUX 0x003E (example PSM)
Source CID 0x0040 (dynamically allocated)
Value (MTU) 65535 bytes
Max PDU Size (MPS) 230 bytes
Initial Credits 10 ← Destination may send 10 LE-frames to Source

The Initial Credits = 10 in the request means the source device is granting the destination device permission to send up to 10 LE-frames once the channel is open. Until the source issues more credits, the destination cannot send more than 10 frames on this channel.

Figure 10.10 — The Connection Response with 11 Initial Credits

The destination device replies with an LE Credit-Based Connection Response. The response includes its own Initial Credits field — this grants the source device permission to send LE-frames to the destination.

Figure 10.10 — Annotated LE Credit-Based Connection Response

Channel = 0x0005 (LE L2CAP Signaling Channel) — same channel, response PDU
Destination CID 0x0040 (assigned by responder)
Value (MTU) 1280 bytes
Max PDU Size (MPS) 128 bytes
Initial Credits 11 ← Source may send 11 LE-frames to Destination
Result Code Connection Successful (0x0000)

After this two-PDU handshake the channel is fully established. The state is:

Source → Destination

Source has 11 credits — can send up to 11 LE-frames before needing more

Destination → Source

Destination has 10 credits — can send up to 10 LE-frames before needing more

Figure 10.11 — LE Flow Control Credit

Adding One More Credit to the Peer Device

Figure 10.11 shows an LE Flow Control Credit packet sent after the initial channel setup. The capture shows that one additional credit is being sent to the peer device. This is the mechanism by which a device says “I have finished processing one more LE-frame and have buffer space again — you may send one additional frame.”

Figure 10.11 — Annotated LE Flow Control Credit Packet

LE Flow Control Credit — Code 0x16 on CID 0x0005
PDU Length 8 bytes
Command Length 4 bytes
Channel ID (CID) 0x0040 (receiving credits endpoint)
Additional Credits 1 ← Peer can now send 1 more LE-frame

After the peer device receives this packet, it adds 1 to its current credit count for CID 0x0040. If it had 0 credits before and was blocked from sending, it can now send exactly 1 LE-frame. If it had 3 credits remaining, it now has 4.

Figure 10.12 — Flow Control Chart

Complete Credit Lifecycle — From Setup to Ongoing Transfer

Figure 10.12 from the textbook shows the complete credit-based flow control picture in one view. Combining what we saw in Figures 10.9, 10.10, and 10.11, here is the full credit lifecycle:

Figure 10.12 — Full Credit-Based Flow Control Chart

Source Device Destination Device
→
LE Credit-Based Connection Request (PSM, Source CID, MTU, MPS, Initial Credits = 10)
←
LE Credit-Based Connection Response (Dest CID, MTU, MPS, Initial Credits = 11, Result=0x0000)
Channel open: Source has 11 credits → Dest | Destination has 10 credits → Source
Send LE-frames (uses 11 credits)
→
Receives frames, buffers and processes them
Source credits reach 0 — must stop sending and wait
Receives credit +1
←
LE Flow Control Credit (CID = 0x0040, Credits = 1)
Source now has 1 credit — can send 1 more LE-frame — cycle continues

This pattern repeats for as long as data needs to be transferred. The destination device controls the pacing — it only issues credits when it has actually processed frames and freed buffer space. This prevents the source from ever overflowing the destination’s buffers regardless of how fast it can produce data.

10.11 — Chapter 10 Summary

What L2CAP Does in the BLE Stack

The L2CAP layer provides data delivery services to the two upper-layer protocols that sit above it: the Security Manager Protocol (SMP) and the Attribute Protocol (ATT). Both of these use L2CAP’s channels to send their PDUs to the corresponding protocol on the remote device.

Because there are only two protocols using L2CAP in BLE (compared to many in BR/EDR), the LE L2CAP is significantly simplified. The fixed CID approach means there is never a need to negotiate or allocate channel numbers dynamically. Both ATT (CID 0x0004) and SMP (CID 0x0006) are always available the moment a connection is established.

Even the signaling commands are minimal — just three for the basic LE case: Command Reject, Connection Parameter Update Request, and Connection Parameter Update Response. None of these need to be exchanged before data can start flowing. As soon as the Link Layer reports a connection established, the upper layers can hand data to L2CAP and it will be sent immediately.

What L2CAP Provides

Fixed CIDs — no dynamic allocation
Fragmentation / Defragmentation
Multiplexing by CID
B-Frame (Basic Mode) PDUs
Credit-based channels (4.1)

What LE Removes vs BR/EDR

No CONNECT / CONFIGURE needed
No retransmission modes (4 removed)
Only 3 core signaling commands
MTU = 23 bytes (not 48 or 672)
Only Best Effort QoS

What Comes Next

Security Manager (SMP) — Chapter 11
Attribute Protocol (ATT) — Chapter 12
Both use the L2CAP channels you just learned
IPSP (credit-based) — Chapter 15

The next two chapters focus on the Security Manager and the Attribute Protocol — the two protocols that sit directly above L2CAP and use its services. Everything covered in Chapter 10 provides the transport foundation that SMP and ATT rely on.

Chapter 10 L2CAP — Complete Series (All Five Files)

PDF 1618

Intro, PDU/SDU, Assumptions, MTU

PDF 1920

Fixed CIDs, Fragmentation, MUX

PDF 2123

B-Frame, Parameters, Signaling

PDF 2426

Param Update, Credit Channels, Flow Control

PDF 2729 ✅

Practical Examples & Summary

Chapter 10 Complete — On to Security Manager

L2CAP for BLE is fully covered. Chapter 11 covers the Security Manager Protocol which runs on CID 0x0006 — the channel you just saw in Figure 10.8.

← PDF 2426: Credit-Based Flow Control