Analyzing Bluetooth Low Energy Traffic

夕颜 2020-12-28 10:56

While trying to study BLE I am wondering if it is possible to analyse it through tools like Wireshark and Snort? I came across one by the name "ubertooth" but that's a US

4 answers
  •  旧时难觅i
    2020-12-28 11:37

    Yes, it's possible to use Wireshark to analyse BLE packets, but you will need additional hardware. Sniffing a connection requires support from the baseband layer, which is implemented inside the Bluetooth chipset. The software of the chipset inside your computer doesn't support sniffing, so you'll need another chipset whose software you can control.

    I use the nRF51 Dongle, which is a dev kit for the nRF51, a BLE + Cortex M0 SoC from Nordic Semi. Nordic provides firmware for this board that turns it into a sniffer. They also provide an application for Windows that communicates with that firmware over USB to get back the sniffing data, and that formats it in a way understandable for Wireshark.

    If you're on Windows you can just use the tools provided by Nordic on this page, and follow the instructions in the User Guide.

    Edit 2018-10: Nordic have released a Mac and Linux app in beta to support their sniffer, so the rest of this post shouldn't be necessary any more. You can download the new tool here.

    Then once everything is working and you are piping packets to Wireshark, you can use all the awesome Wireshark built-in filters for Bluetooth and BLE: btatt, btl2cap, btle, ...


    Original post

    If, like me, you are on Mac, you'll need:

    • RKNRFGO to program the custom firmware
    • nrf-ble-sniffer-osx to communicate with it and pipe the packets to Wireshark.

    The nrf-ble-sniffer-osx Wiki explains how to set it up. Thanks to Roland King for making these tools.

    Two important caveats for the Mac setup:

    • Install Wireshark before nrf-ble-sniffer-osx. That's because nrf-ble-sniffer-osx needs to install some additional filters for Wireshark so that it can decode the headers that the Nordic firmware adds to packets, and it won't do it if Wireshark is installed afterwards.
    • Use Wireshark version 1.12. At the time of writing, no newer version worked with this setup. Yes that means you'll have to use XQuartz.

    If you're on Linux, it looks like it's also possible to use this dongle, but I haven't tried it.
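
To see concretely what the `btle` filter in the answer above is matching on, here is an added example in Python; it is not part of the original answer or of Nordic's or Roland King's tools. It builds a BLE advertising (ADV_IND) frame in the layout Wireshark's btle dissector reads from a pcap with link type 251 (LINKTYPE_BLUETOOTH_LE_LL: access address, PDU, CRC, no preamble), writes it to a pcap you can open in Wireshark and filter with `btle`, and parses the frame back into the fields the dissector shows (PDU type, TxAdd, AdvA, the AD structures). The device address "C0:11:22:33:44:55", the name "Sensor-1" and the Battery Service UUID are constructed, not a real capture. The CRC is the 24-bit BLE link-layer CRC (polynomial x^24+x^10+x^9+x^6+x^4+x^3+x+1, advertising init 0x555555) in the bit-reversed LFSR form used by software sniffers such as Ubertooth.

```python
"""Build and decode a BLE ADV_IND frame as stored in a pcap with link type 251
(LINKTYPE_BLUETOOTH_LE_LL): access address | PDU | CRC, no preamble."""
import struct

ADV_ACCESS_ADDRESS = 0x8E89BED6      # fixed access address of the three advertising channels
LINKTYPE_BLUETOOTH_LE_LL = 251       # pcap link type the Wireshark btle dissector registers for
PDU_TYPES = {0x0: "ADV_IND", 0x1: "ADV_DIRECT_IND", 0x2: "ADV_NONCONN_IND",
             0x3: "SCAN_REQ", 0x4: "SCAN_RSP", 0x5: "CONNECT_IND", 0x6: "ADV_SCAN_IND"}
AD_TYPES = {0x01: "Flags", 0x03: "Complete 16-bit Service UUIDs",
            0x09: "Complete Local Name", 0xFF: "Manufacturer Specific"}


def ble_crc24(pdu: bytes, init: int = 0xAAAAAA) -> bytes:
    """24-bit link-layer CRC over header+payload, bit-reversed LFSR form (as in Ubertooth):
    0xAAAAAA is the advertising init 0x555555 with its bits reversed, 0x5A6000 holds the
    reversed taps x^1,x^3,x^4,x^6,x^9,x^10. Result is returned in on-air (LSB-first) order."""
    state = init
    for byte in pdu:
        for _ in range(8):
            feedback = (state ^ byte) & 1
            byte >>= 1
            state >>= 1
            if feedback:
                state = (state | 1 << 23) ^ 0x5A6000
    return state.to_bytes(3, "little")


def ad_structure(ad_type: int, data: bytes) -> bytes:
    """One AD structure: [length][type][data], length counting type+data."""
    return bytes([len(data) + 1, ad_type]) + data


def build_adv_ind(adv_addr: str, ad_structures: list, random_addr: bool = True) -> bytes:
    """ADV_IND = 2-byte header | AdvA (6 bytes, little-endian) | AdvData (<= 31 bytes)."""
    adv_data = b"".join(ad_structures)
    assert len(adv_data) <= 31, "AdvData is limited to 31 octets"
    payload = bytes.fromhex(adv_addr.replace(":", ""))[::-1] + adv_data
    # header byte 0: PDU type in bits 0-3 (0x0 = ADV_IND), TxAdd in bit 6 (1 = random address)
    header = bytes([0x0 | (0x40 if random_addr else 0x00), len(payload)])
    pdu = header + payload
    return struct.pack("<I", ADV_ACCESS_ADDRESS) + pdu + ble_crc24(pdu)


def parse_ad_structures(adv_data: bytes) -> list:
    """Walk the AD structures in AdvData; a zero length ends the list early."""
    out, i = [], 0
    while i < len(adv_data):
        ad_len = adv_data[i]
        if ad_len == 0:
            break
        ad_type = adv_data[i + 1]
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"), adv_data[i + 2:i + 1 + ad_len]))
        i += 1 + ad_len
    return out


def parse_le_ll_frame(frame: bytes) -> dict:
    """Decode AA | PDU | CRC into the fields the btle dissector shows, and verify the CRC."""
    access_address = struct.unpack_from("<I", frame, 0)[0]
    pdu_type, length = frame[4] & 0x0F, frame[5]
    pdu = frame[4:6 + length]
    info = {"access_address": access_address,
            "pdu_type": PDU_TYPES.get(pdu_type, hex(pdu_type)),
            "tx_add": "random" if frame[4] & 0x40 else "public",
            "length": length,
            "crc_ok": ble_crc24(pdu) == frame[6 + length:9 + length]}
    if access_address == ADV_ACCESS_ADDRESS and pdu_type in (0x0, 0x2, 0x6):
        info["adv_addr"] = ":".join(f"{b:02X}" for b in pdu[2:8][::-1])  # AdvA is sent LSB first
        info["ad"] = parse_ad_structures(pdu[8:])
    return info


def write_pcap(path: str, frames: list) -> None:
    """Minimal classic pcap (magic, v2.4, snaplen 65535, link type 251), one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_BLUETOOTH_LE_LL))
        for n, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1600000000 + n, 0, len(frame), len(frame)) + frame)


# Constructed device, not a real capture: random static address advertising the
# Battery Service (0x180F) under the name "Sensor-1".
SAMPLE_FRAME = build_adv_ind(
    "C0:11:22:33:44:55",
    [ad_structure(0x01, b"\x06"),                    # Flags: LE General Discoverable, no BR/EDR
     ad_structure(0x03, struct.pack("<H", 0x180F)),  # 16-bit service UUID, little-endian
     ad_structure(0x09, b"Sensor-1")],
)

if __name__ == "__main__":
    write_pcap("adv_ind.pcap", [SAMPLE_FRAME])
    print(parse_le_ll_frame(SAMPLE_FRAME))
```

Running it writes adv_ind.pcap next to the script; opening that file in Wireshark shows the frame under the btle protocol, so `btle` and the other filters from the answer apply to it. The Nordic firmware and nrf-ble-sniffer-osx hand Wireshark a different encapsulation (the sniffer prepends its own header, which is why the answer says extra dissectors have to be installed), but once that header is stripped the link-layer bytes decoded here are what you see.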
