I'm playing around with my Philips Hue and an AVR Raven, but the packets displayed by Wireshark do not match the specification of Light Link v1.
For example, on scanning for lights, the device should send scan requests (I think 60-65 are scan requests) with a payload length of 6 (4 bytes of transaction ID + ZigBee info + ZLL info). The Transaction ID is needed for the bulb to compute the transport key.
In my pcap the packets 60-65 have a payload between 10-14 bytes and are encrypted with a networking key (which at this point should not exist because no bulb is paired).
After pairing, packet 75 is already encrypted with the transport key: Where did the bulb get the Transaction ID necessary for computing that key? Also, no Scan Response was ever sent, so the bulb also does not know the Response ID.
What am I missing here?