This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot capture on Bluetooth LE USB dongle

0

I am using Wireshark 1.10.8 with WinPcap 4.1.3. I have a Bluetooth LE USB dongle, which is working without any problem, but I can't capture on it with Wireshark: it is not listed in the list of interfaces. Note that I am able to see another Bluetooth dongle I have.

Same on Linux. I am using 1.10.8, with libpcap 1.5.3. I am able to capture that other bluetooth dongle I have, but I cannot see that Bluetooth LE USB dongle.

Can you please assist on either OS?

Regards.

asked 20 Jun '14, 04:38

aaf
accept rate: 0%

In Windows you can use netmon for USB dongle capture and then you can open it in Wireshark. Even I searched a lot but finally settled on netmon for USB dongle capturing. For Linux I have no idea.

(20 Jun '14, 06:49) kishan pandey

Yes, I know - but USB packets are "raw", more difficult for me to understand than Bluetooth packets.

NB. On Windows, USB capturing can be done with USBPcap. On Linux too, with usbmon (kernel module to load).

(20 Jun '14, 07:28) aaf

One Answer:

0

it is not listed in the list of interfaces.

WinPcap will only be able to capture on supported devices (obviously). As there is no native Bluetooth support in WinPcap, it will only work, if the Bluetooth device driver makes the device look like a network interface to the OS and WinPcap. So, if the dongle does not appear on the list of devices, there are two possible reasons:

  • It is not detected and thus not supported by WinPcap. Not much you can do about that, except adding Bluetooth support to WinPcap yourself.
  • You started the WinPcap NPF driver before you inserted the USB dongle. In that case WinPcap won't see it either. Please run the following commands:

sc stop npf
remove and then insert the USB dongle
sc start npf
dumpcap -D -M

If you don't see the device in the output of dumpcap, it's not supported by WinPcap.

Same on Linux. I am able to capture that other bluetooth dongle I have, but I cannot see that Bluetooth LE USB dongle.

Similar problem as on Windows. How does your kernel detect that dongle? Is it a network device?

What is the output of the following commands, after you have inserted the dongle?

ifconfig -a
dumpcap -D -M
lsusb
dmesg | egrep -i '(usb|bluetooth)'

Regards
Kurt

answered 22 Jun '14, 07:20

Kurt Knochner ♦
accept rate: 15%

My device is seen in dmesg, lsusb, but not by tcpdump, dumpcap, ifconfig or hcitool.

lsusb:

Bus 001 Device 003: ID 2687:fb01

dmesg:

[503386.469496] usb 1-1.3: new full-speed USB device number 3 using ehci-pci
[503386.568329] usb 1-1.3: New USB device found, idVendor=2687, idProduct=fb01

but nothing elsewhere:

ifconfig -a only lists eth0 and lo in my case.

dumpcap:

$ dumpcap -D -M
1. eth0                 0       my IP       network
2. nflog                        0               network
3. nfqueue                      0               network
4. any                  0               network
5. lo           Loopback        0       127.0.0.1,::1   loopback

tcpdump:

$ sudo tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo

hcitool:

$ sudo hcitool dev
Devices:

Do you know how I can have it recognized by the system? (Linux Mint)

(23 Jun '14, 02:50) aaf

Do you know how I can have it recognized by the system? (Linux Mint)

That's a Linux kernel/driver question and you will (most certainly) get a better answer in a Linux/Bluetooth forum. Furthermore, you did not mention the brand of the Bluetooth dongle. I could search for the vendor ID, but as I said: a Linux forum might be the better place for you to get the dongle recognized by the kernel. As soon as that works, tcpdump/Wireshark should be able to detect it as well.

(23 Jun '14, 04:12) Kurt Knochner ♦
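
The Linux checks discussed in this thread (lsusb, dmesg, hcitool dev) can be combined into one sysfs walk that reports how far a dongle got: enumerated on USB, bound to a kernel driver, or registered as an HCI adapter. This is an added example, not part of the original thread; the function name bt_dongle_status and the SYSFS_ROOT override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Reports the furthest stage a USB dongle reached in the Linux kernel:
#   not-enumerated      - no USB device with that vendor:product ID
#   no-driver           - visible on USB, but no kernel driver is bound
#   driver-bound:<name> - a driver is bound, but no HCI adapter was created
#   hci-present         - an hciN adapter exists for this device
# SYSFS_ROOT is an assumption for testing; it defaults to /sys.

bt_dongle_status() {
    want_vid=$1; want_pid=$2; root=${SYSFS_ROOT:-/sys}
    for dev in "$root"/bus/usb/devices/*; do
        # Interface nodes (e.g. 1-1.3:1.0) have no idVendor file; skip them.
        [ -r "$dev/idVendor" ] || continue
        # sysfs stores the IDs as lowercase hex, the same form lsusb prints.
        [ "$(cat "$dev/idVendor")" = "$want_vid" ] || continue
        [ "$(cat "$dev/idProduct")" = "$want_pid" ] || continue
        status=no-driver
        # Interfaces of this device are sibling nodes named <device>:<cfg>.<intf>.
        for intf in "$dev":*; do
            # A bound driver shows up as a "driver" symlink on the interface.
            [ -L "$intf/driver" ] || continue
            status="driver-bound:$(basename "$(readlink "$intf/driver")")"
            # Bluetooth drivers register the adapter below the interface node.
            for hci in "$intf"/bluetooth/hci*; do
                if [ -e "$hci" ]; then
                    echo "hci-present"
                    return 0
                fi
            done
        done
        echo "$status"
        return 0
    done
    echo "not-enumerated"
}

# Usage: sh bt_dongle_status.sh 2687 fb01   (IDs as shown by lsusb)
if [ $# -eq 2 ]; then
    bt_dongle_status "$1" "$2"
fi
```

A result other than hci-present matches the situation in the comments above: the device shows up in lsusb and dmesg, but hcitool dev, tcpdump -D and dumpcap -D list nothing for it.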