Here's a snapshot of packet sniffer capture from TI's wiki:
http://processors.wiki.ti.com/index.php/File:Using_capt_adv.png
If you look at the "Adv PDU header" field of the first captured packet, you will notice that the PDU length is 17. In "Packet details" tag, it shows the raw "Adv PDU header" message is "0 0 1 1" hex. At first look, it seems correct because 0x11 is 17. However, if you take a look at the BT 4.0 spec Volume 6.B.2.3 (page 2202), you will notice the advertising channel PDU header has the following format:
LSB ............................................................ MSB
PDU Type | RFU | TxAdd | RxAdd | Length | RFU
4 bits | 2 bits | 1 bit | 1 bit | 6 bits | 2 bits
The 2 MSBs are reserved bits and shouldn't be used as part of the PDU length. To to have a PDU length as 17 bits, the correct advertising PDU header raw message should be (using the above example): 0x0044, instead of 0x0011.
Did I misinterpret the BT spec or TI?
I upgraded my sensortag firmware. My sniffer capture shows similar result as shown in the TI wiki.