This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everyone.

I'm trying to capture Bluetooth as per a college assignment. I started following the instructions here:

http://wiki.wireshark.org/CaptureSetup/Bluetooth

The highest libpcap version in the Debian repos is 0.8, which doesn't support Bluetooth, so I downloaded the latest 1.6.2 version. During the configure step, I installed libbluetooth-dev, libusb-dev, and libusb-1.0-0-dev. After that, I based myself on the instructions here:

https://www.myricom.com/software/sniffer10g/487-how-do-i-set-up-a-linux-libpcap-application-to-use-sniffer10g-receive-bypass.html

to get Wireshark to use the newest libpcap (by linking from the old libpcap). It worked, in the sense that bluetooth0 was added to the interfaces list. But, when I tried to capture from it, I got an error message:

The specified data link type "BLUETOOTH_HCI_H4_WITH_P" isn't valid

Since I couldn't find a thing on Google, I looked around the repos and installed bluez-hcidump, which changed nothing.

I have Linux 3.2.0-4-686-pae and Debian Wheezy 7.6 in an HP Mini 110-3100. I think that the adapter responsible for Bluetooth is Broadcom Corporation BCM4313 802.11b/g/n Wireless LAN Controller. It was the closest in lspci, and HP no longer supports it, so I can't get the info from them.

Is it possible to capture Bluetooth in Debian Wheezy? What do I need to do to do that?

Thanks in advance.

This question is marked "community wiki".

asked 27 Oct '14, 05:00

GuiRitter

edited 27 Oct '14, 06:20


The highest libpcap version in the Debian repos is 0.8

The version number in the Debian libpcap package name is a bit mysterious. There was an "0.7" before the "0.8", so maybe there was a time when the version number in the package tracked the actual libpcap version number; however, perhaps they realized, when libpcap 0.9 came out, that I was ensuring binary compatibility between libpcap releases and that they didn't need to come out with a new "libpcap-x.y" package for every new version.

So they stopped updating the version number in the package name to match the libpcap version number. In Wheezy, the libpcap-0.8 package is based on libpcap 1.3.0.

libpcap 1.3.0 does include Bluetooth capture support for Linux; however, it's only built if the system on which libpcap is compiled has the bluetooth/bluetooth.h header file, so, if Bluetooth capture doesn't work on Wheezy with the standard libpcap package, perhaps it wasn't, for whatever reason, built with Bluetooth capture included (either they explicitly turned it off or the build wasn't done on a system with the bluez developer package installed).

I.e., do not assume, just because Debian chooses to call their libpcap package "libpcap-0.8", that the libpcap on Wheezy doesn't support Bluetooth. Try using the standard libpcap first (uninstall the libpcap you built, and, if you built Wireshark from source with that library, do a make distclean on your Wireshark source tree, make sure "libpcap-dev" is installed, and reconfigure and rebuild Wireshark).

If that still doesn't work, what version of Wireshark are you using? The data link type "BLUETOOTH_HCI_H4_WITH_P" isn't, in fact, valid, because the correct type is "BLUETOOTH_HCI_H4_WITH_PHDR", so that seems to be a problem between Wireshark and dumpcap.

answered 27 Oct '14, 14:46

Guy Harris ♦♦
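
An added example, not part of the original answer or of Wireshark/libpcap: a Python `ctypes` check of the points the answer raises, namely which libpcap version the dynamic linker actually resolves (regardless of the "0.8" in the package name), whether that build lists any Bluetooth capture device, and which of the two data link type names it recognizes. It assumes Linux with a libpcap shared library installed; matching device names by the `bluetooth` prefix is an assumption based on the `bluetooth0` interface in the question.

```python
import ctypes.util  # importing the submodule also binds the name "ctypes"
import re

CORRECT_DLT = "BLUETOOTH_HCI_H4_WITH_PHDR"  # name given in the answer
REPORTED_DLT = "BLUETOOTH_HCI_H4_WITH_P"    # name from the error message

class PcapIf(ctypes.Structure):             # mirrors struct pcap_if in pcap.h
    pass
DevPtr = ctypes.POINTER(PcapIf)
PcapIf._fields_ = [("next", DevPtr), ("name", ctypes.c_char_p),
                   ("description", ctypes.c_char_p),
                   ("addresses", ctypes.c_void_p), ("flags", ctypes.c_uint)]

def parse_version(banner):  # real version from a pcap_lib_version() banner
    m = re.search(r"libpcap version (\d+)\.(\d+)(?:\.(\d+))?", banner)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def load_libpcap():
    """Load the libpcap the dynamic linker resolves; None if there is none."""
    path = ctypes.util.find_library("pcap")
    if not path:
        return None
    lib = ctypes.CDLL(path)
    lib.pcap_lib_version.restype = ctypes.c_char_p
    lib.pcap_findalldevs.argtypes = [ctypes.POINTER(DevPtr), ctypes.c_char_p]
    lib.pcap_freealldevs.argtypes = [DevPtr]
    return lib

def dlt_known(lib, name):  # True if libpcap maps this DLT name to a value
    return lib.pcap_datalink_name_to_val(name.encode()) != -1

def bluetooth_devices(lib):
    """bluetooth* devices from pcap_findalldevs(); empty = no support or no adapter."""
    head, errbuf = DevPtr(), ctypes.create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    if lib.pcap_findalldevs(ctypes.byref(head), errbuf) != 0:
        raise OSError(errbuf.value.decode(errors="replace"))
    names, dev = [], head
    while dev:                               # walk the linked list of devices
        names.append(dev.contents.name.decode())
        dev = dev.contents.next
    lib.pcap_freealldevs(head)
    return [n for n in names if n.startswith("bluetooth")]

if __name__ == "__main__":
    lib = load_libpcap()
    if lib is None:
        raise SystemExit("dynamic linker finds no libpcap")
    banner = lib.pcap_lib_version().decode()
    print(parse_version(banner), bluetooth_devices(lib))
    print({n: dlt_known(lib, n) for n in (CORRECT_DLT, REPORTED_DLT)})
```

Run it with the same user and library path that Wireshark's dumpcap uses, so the library it loads is the one the capture actually goes through.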

Thanks for your answer and sorry for my late answer, I've been busy. Too bad the name is misleading and I didn't pay attention to that. I didn't build Wireshark manually, I just installed it from the repo. It's expected it would not work then, because the Debian repo programs are always outdated. I'll try to build Wireshark manually following your instructions soon and post the results here.

As I said, I'm using the latest stable version from the Wheezy repo (1.8.2-5wheezy12): https://packages.debian.org/wheezy/wireshark

(28 Oct '14, 18:21) GuiRitter

The changelog of the Debian package says:

libpcap (1.5.3-2) unstable; urgency=low
  * Enable Bluetooth capture on Linux (closes: #737357).
 -- Romain Francoise [email protected]  Mon, 03 Feb 2014 22:03:51 +0100

(31 Oct '14, 05:16) Jaap ♦

I uninstalled Wireshark from the repo and tried to install the latest Wireshark from the website. In the installation instructions, gtk-config --version failed. So I downloaded the latest GTK+ from its website. To install it, I'll have to install the latest version of 4 more packages I already have. Is this the only way?

(31 Oct '14, 15:11) GuiRitter