You are currently browsing the tag archive for the ‘wireshark’ tag.

Although for deep security analysis and experiments I do all Bluetooth and BLE things using either an Ubertooth One or my USRP (either B210 or B205mini **) and gr-bluetooth, I always start any experimentation with a basic sniffer.

Until now, my sniffer of choice was the BLE sniffer by Nordic Semiconductor (you can get the dongle for $25 on Adafruit and install the software). Such a simple and small form factor sniffer that runs great on Windows and Linux. I don’t even need to fire up any Linux VM to start poking around.


It’s user interface is rather archaic, purely shell-based, but it works just great. And it has a nice added feature that, when listing the devices it detects advertising around you, it automatically adds the device name if it’s advertised in plaintext… which is usually the case.


I was going to set up the sniffer in my laptop today when I noticed that Nordic Semiconductor released a new version of their BLE sniffer. And it is a HUGE update and improvement. The new sniffer is actually integrated as a Wireshark plugin and works great. And allows doing all the work within Wireshark, which is great.

You can follow the instructions on how to install it and set it up here. In a nutshell, you’ll need Python 2.7, pyserial (version 3.4 or higher – to upgrade run pip install pyserial –upgrade), Wireshark 2.4.2 or higher (I like to keep my old installations of Wireshark that I have nicely configured to color-code certain things and have specific columns in specific orders for my work on LTE security, 802.11 security, etc, so I keep several installations of Wireshark on my machine and so did I this time), and Segger J-Link v6.16c (which comes in the sniffer’s compressed file).

By the way, in case you run into the same problem, the instructions are not super clear and it took me some time to realize that one has to copy the contents of “root of the uncompressed folder of the sniffer software\extcap\” to the Wireshark extcap folder (to find it run Wireshark, Help->About->Folders). I had initially copied everything into that folder, d’uh!

I did not manage to get this to work with the nRF51 USB dongle (the one I showed above), but it works great with both the nRF51 and nRF52 development kits.

I have one bit of feedback if anyone from Nordic Semiconductor is reading this. The current way to select the device I want to sniff from, by selecting it from the Device section of the Wireshark plugin, is not very useful. The text is tiny, the partial view of the list is to show and, more importantly, now you guys do not include the advertised device name if it’s in the clear! Hopefully this will be fixed in an upcoming release.


Anyhow, happy BLE sniffing folks!

(**) Looking for the USRP mini link I noticed they sell it now with the case and not board and case separately. Hooray! I wonder when they will do the same for the big brother B210.

About me:

Born in Barcelona, moved to Los Angeles at age 24, ended in NYC, where I enjoy life, tweet about music and work as a geek in security for wireless networks.
All the opinions expressed in this blog are my own and are not related to my employer.
About me:

Blog Stats

  • 145,776 hits

Twitter feed

Enter your email address to follow this blog and receive notifications of new posts by email.