Analyzing Bluetooth Low Energy Traffic

user3563251 · Sep 17, 2015 · Viewed 17.3k times

While trying to study BLE, I am wondering if it is possible to analyse it through tools like Wireshark and Snort? I came across one by the name "Ubertooth", but that's a USB device which needs to be purchased in order for us to do DPI on BLE frames, right? Is it possible to capture and analyse BLE frames in Wireshark?

Answer

Samuel Peter · Mar 24, 2017

Yes, it's possible to use Wireshark to analyse BLE packets, but you will need additional hardware. Sniffing a connection requires support from the baseband layer, which is implemented inside the Bluetooth chipset. The software of the chipset inside your computer doesn't support sniffing, so you'll need another chipset whose software you can control.

I use the nRF51 Dongle, which is a dev kit for the nRF51, a BLE + Cortex M0 SoC from Nordic Semi. Nordic provides firmware for this board that turns it into a sniffer. They also provide an application for Windows that communicates with that firmware over USB to get back the sniffing data, and that formats it in a way understandable for Wireshark.

If you're on Windows you can just use the tools provided by Nordic on this page, and follow the instructions in the User Guide.

Edit 2018-10: Nordic have released a Mac and Linux app in beta to support their sniffer, so the rest of this post shouldn't be necessary any more. You can download the new tool here.

Then, once everything is working and you are piping packets to Wireshark, you can use all the awesome Wireshark built-in filters for Bluetooth and BLE: btatt, btl2cap, btle, ...

Original post

If, like me, you are on Mac, you'll need:

The nrf-ble-sniffer-osx Wiki explains how to set it up. Thanks to Roland King for making these tools.

Two important caveats for the Mac setup:

  • Install Wireshark before nrf-ble-sniffer-osx. That's because nrf-ble-sniffer-osx needs to install some additional filters for Wireshark so that it can decode the headers that the Nordic firmware adds to packets, and it won't do it if Wireshark is installed afterwards.
  • Use Wireshark version 1.12. At the time of writing, no newer version worked with this setup. Yes, that means you'll have to use XQuartz.

If you're on Linux, it looks like it's also possible to use this dongle, but I haven't tried it.
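To make concrete what the btle filter mentioned in the answer above actually decodes, here is an added example (not part of the original post or of Nordic's tooling) that parses one advertising-channel PDU as it appears on air: access address, link-layer header, AdvA and the AD structures in AdvData. The packet bytes and the trailing CRC are constructed for illustration, and the decoder assumes a Bluetooth 4.x-style header; a malformed AD length, which is what a fuzzed or hostile advertiser would send, is rejected rather than silently truncated.

```python
"""Minimal decoder for a BLE advertising-channel PDU (the unit Wireshark's
``btle`` dissector shows).  Added example; sample bytes are constructed."""
import struct

ADV_ACCESS_ADDRESS = 0x8E89BED6  # fixed access address of the advertising channels
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x09: "Complete Local Name", 0xFF: "Manufacturer Specific"}


def parse_ad_structures(adv_data: bytes) -> list:
    """Split AdvData into (ad_type, payload) pairs; each structure is [len][type][data]."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:                       # zero-length structure: remainder is padding
            break
        if i + 1 + length > len(adv_data):    # structure claims more bytes than exist
            raise ValueError("AD structure length %d exceeds remaining AdvData" % length)
        ad_type = adv_data[i + 1]
        out.append((AD_TYPES.get(ad_type, "0x%02X" % ad_type), adv_data[i + 2:i + 1 + length]))
        i += 1 + length
    return out


def parse_adv_pdu(frame: bytes) -> dict:
    """Decode access address, header, AdvA and AdvData from an on-air frame.
    The 3-byte CRC at the end is stripped but not verified (the sniffer does that)."""
    if len(frame) < 4 + 2 + 3:
        raise ValueError("frame too short")
    (access,) = struct.unpack_from("<I", frame, 0)  # transmitted least-significant byte first
    if access != ADV_ACCESS_ADDRESS:
        raise ValueError("not an advertising-channel PDU: 0x%08X" % access)
    hdr0, length = frame[4], frame[5]           # byte 0: type/TxAdd/RxAdd, byte 1: payload length
    payload, crc = frame[6:6 + length], frame[6 + length:]
    if len(payload) != length or len(crc) != 3:
        raise ValueError("header length %d disagrees with frame size" % length)
    pdu_type = hdr0 & 0x0F
    result = {"pdu_type": PDU_TYPES.get(pdu_type, "reserved"),
              "tx_random": bool(hdr0 & 0x40), "rx_random": bool(hdr0 & 0x80)}
    if pdu_type in (0, 2, 6):                   # ADV_IND / ADV_NONCONN_IND / ADV_SCAN_IND
        result["adv_a"] = ":".join("%02X" % b for b in reversed(payload[:6]))
        result["ad"] = parse_ad_structures(payload[6:])
    return result


# Constructed ADV_IND: random address C0:11:22:33:44:55, Flags=0x06, name "Test1", dummy CRC.
SAMPLE = bytes.fromhex("D6BE898E" "4010" "5544332211C0" "020106" "06095465737431" "AABBCC")

if __name__ == "__main__":
    print(parse_adv_pdu(SAMPLE))
```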