Sniffing BLE

Wireshark

There are a few options for sniffing BLE with Wireshark.

Nordic Sniffer

This is my favorite option. You can buy a supported device fairly inexpensively, and the package is easy to install. The nRF51 dongle is probably the least expensive option.

The nRF52 dongle is a great little device, but it is NOT supported by the Nordic Sniffer because it does not handle UART over the USB connection the same way. Make sure to get the nRF51 dongle, one of the full nRF52 development kits, or one of the other supported boards.

Once you have the board or dongle, installing the sniffer is simple. Copy the files from the sniffer package's extcap folder into your Wireshark extcap folder and launch Wireshark. Scroll down in the Capture list and you should see a new interface.

nRF Sniffer interface is now available in Wireshark

Select that interface to start sniffing and you'll see a new toolbar at the top of the packet list.

Don't see the interface? Check your PATH and/or try launching Wireshark from a terminal prompt.

Toolbar for nRF Sniffer

The packet list shows you all device advertisements and anything else on the advertising channels (37, 38, 39). You can configure the sniffer to stay on one channel if you want. Click the Device dropdown to follow a specific device. The sniffer takes care of learning that device's channel-hopping pattern for you and follows it to see all of its packets.

Selecting a device to follow

You can see two things happening in the above screenshot. First, we've selected the device, so all of the broadcast packets shown relate to that device's MAC. The Device selector tells us that it's a 'public' address, so we can expect that it's that device's MAC and won't change.

Second, packet 6811 is the first where we start seeing the MAC addresses replaced by "Master" and "Slave" - the names used to indicate the central and the peripheral BLE device. This switch happens right after a BLE connection request (CONNECT_REQ), and packet 6810 is the last time we see these MAC addresses used. The successful connection occurred when I used an app to connect to the device. The app then sets up some other things and reads some GATT information.
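To make concrete what the sniffer learns from that CONNECT_REQ in order to follow the connection, here is an added example (not code from the original page or from Nordic): it decodes a constructed CONNECT_REQ advertising PDU, pulls out the two addresses, the access address that every data PDU carries in place of the MACs, the channel map and the hop increment, and then reproduces the data-channel sequence with Channel Selection Algorithm #1. The sample PDU bytes and addresses are constructed for illustration.

```python
PDU_TYPE_CONNECT_REQ = 0x05
NUM_DATA_CHANNELS = 37

def _addr(raw: bytes) -> str:
    # Link-layer addresses go over the air least-significant byte first
    return ":".join(f"{b:02x}" for b in reversed(raw))

def parse_connect_req(pdu: bytes) -> dict:
    """Return the connection parameters carried in a CONNECT_REQ advertising PDU."""
    if pdu[0] & 0x0F != PDU_TYPE_CONNECT_REQ:
        raise ValueError(f"not a CONNECT_REQ (PDU type {pdu[0] & 0x0F:#x})")
    payload = pdu[2:2 + pdu[1]]  # header byte 1 is the payload length (34)
    if len(payload) != 34:
        raise ValueError("CONNECT_REQ payload must be 34 bytes")
    ll = payload[12:]  # LLData: AA(4) CRCInit(3) WinSize(1) WinOffset(2) Interval(2) Latency(2) Timeout(2) ChM(5) Hop/SCA(1)
    chm = int.from_bytes(ll[16:21], "little")  # bit i set => data channel i is in use
    hop = ll[21] & 0x1F
    if not 5 <= hop <= 16:
        raise ValueError(f"hop increment {hop} outside the allowed range 5..16")
    return {
        "init_addr": _addr(payload[:6]),       # the central ("Master" in the sniffer view)
        "adv_addr": _addr(payload[6:12]),      # the peripheral ("Slave")
        "adv_addr_public": pdu[0] >> 7 == 0,   # RxAdd = 0: AdvA is a public address
        "access_address": int.from_bytes(ll[0:4], "little"),  # data PDUs carry only this
        "interval_ms": int.from_bytes(ll[10:12], "little") * 1.25,
        "used_channels": [ch for ch in range(NUM_DATA_CHANNELS) if chm >> ch & 1],
        "hop_increment": hop,
    }

def channel_sequence(conn: dict, events: int) -> list:
    """Channel Selection Algorithm #1: the data channel used by each connection event."""
    used, seq, unmapped = conn["used_channels"], [], 0
    for _ in range(events):
        unmapped = (unmapped + conn["hop_increment"]) % NUM_DATA_CHANNELS
        # an unused channel is remapped onto the sorted list of used channels
        seq.append(unmapped if unmapped in used else used[unmapped % len(used)])
    return seq

# Constructed sample CONNECT_REQ (not from a real capture); both addresses are public
SAMPLE_CONNECT_REQ = bytes.fromhex(
    "0522"          # header: PDU type 5 (CONNECT_REQ), TxAdd=0, RxAdd=0; length 34
    "bbaa99887766"  # InitA = 66:77:88:99:aa:bb
    "554433221100"  # AdvA  = 00:11:22:33:44:55
    "a26a6550"      # Access Address 0x50656aa2
    "123456" "02" "0300"  # CRCInit, WinSize, WinOffset
    "1800" "0000" "4800"  # Interval 24 (30 ms), Latency 0, Timeout 72 (720 ms)
    "f9ffffff0f"    # ChM: channels 1, 2 and 36 marked unused
    "27"            # SCA=1, Hop=7
)
```

Once the sniffer has these values it no longer needs the MAC addresses, which is why the packet list switches to the Master/Slave labels after packet 6810.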

As of the 3.0 release, you can also use the Python "SnifferAPI" used by the Nordic Sniffer to write your own applications.

See: https://www.nordicsemi.com/Software-and-tools/Development-Tools/nRF-Sniffer-for-Bluetooth-LE

Android Phone Bluetooth Debug

This method also uses Wireshark.

The benefit here is that we're seeing the packets as sent from the Android phone, prior to any encryption.

tcpdump

macOS Bluetooth Debug

Ubertooth, etc.

idk :shrug:
