Analyzing Bluetooth Low Energy Traffic

bluetooth-lowenergy wireshark packet-capture snort
user3563251 picture user3563251 · Sep 17, 2015 · Viewed 17.3k times · Source

While trying to study BLE I am wondering if it is possible to analyse it through tools like Wireshark and snort? I came across one by the name "ubertooth" but that's a USB device which needs to be purchased in order for us to do DPI on BLE frames, right? Is it possible to capture and analyse BLE frames on Wireshark?

Answer

Samuel Peter picture Samuel Peter · Mar 24, 2017

Yes it's possible to use wireshark to analyse BLE packets, but you will need additional hardware. Sniffing a connection requires support from the baseband layer which is implemented inside the Bluetooth chipset. The software of the chipset inside your computer doesn't support sniffing, so you'll need another chipset whose software you can control.

I use the nRF51 Dongle, which is a dev kit for the nRF51, a BLE + Cortex M0 SoC from Nordic Semi. Nordic provides firmware for this board that turns it into a sniffer. They also provide an application for Windows that communicates with that firmware over USB to get back the sniffing data, and that formats it in a way understandable for Wireshark.

If you're on Windows you can just use the tools provided by Nordic on this page, and follow the instructions in the User Guide.

Edit 2018-10: Nordic have released a Mac and Linux app in beta to support their sniffer, so the rest of this post shouldn't be necessary any more. You can download the new tool here.

Then once everything is working and you are piping packets to Wireshark you can use all the awesome Wireshark built-in filters for Bluetooth and BLE: btatt, btl2cap, btle,...

Original post

If, like me, you are on Mac, you'll need:

The nrf-ble-sniffer-osx Wiki explains how to set it up. Thanks to Roland King for making these tools.

Two important caveats for the Mac setup:

  • Install Wireshark before nrf-ble-sniffer-osx. That's because nrf-ble-sniffer-osx needs to install some additional filters for Wireshark so that it can decode the headers that the Nordic firmware adds to packets, and it won't do it if Wireshark is installed afterwards.
  • Use Wireshark version 1.12. At the time of writing, no newer version worked with this setup. Yes that means you'll have to use XQuartz.

If you're on Linux, it looks like it's also possible to use this dongle, but I haven't tried it.

Related questions

Understanding ibeacon distancing

Trying to grasp a basic concept of how distancing with ibeacon (beacon/ Bluetooth-lowenergy/BLE) can work. Is there any true documentation on how far exactly an ibeacon can measure. Lets say I am 300 feet away...is it possible for an …

Read More
What is the iBeacon Bluetooth Profile

I'd like to create my own iBeacon with some Bluetooth Low Energy dev kits. Apple has yet to release a specification for iBeacons, however, a few hardware developers have reverse Engineered the iBeacon from the AirLocate Sample code and started …

Read More
Android 4.3 Bluetooth Low Energy unstable

I am currently developing an application that will use Bluetooth Low Energy (testing on the Nexus 4). After getting started with the official BLE APIs in Android 4.3, I have noticed that after I connect a device for the first time I …

Read More