How to capture Bluetooth on Debian Wheezy?

Question

Hi everyone.

I'm trying to capture Bluetooth as per a college assignment. I started following the instructions here:

http://wiki.wireshark.org/CaptureSetup/Bluetooth

The highest libpcap version in the Debian repos is 0.8, which doesn't support Bluetooth, so I downloaded the latest 1.6.2 version. During the configure step, I installed libbluetooth-dev, libusb-dev, and libusb-1.0-0-dev. After that, I based myself on the instructions here:

https://www.myricom.com/software/sniffer10g/487-how-do-i-set-up-a-linux-libpcap-application-to-use-sniffer10g-receive-bypass.html

to get Wireshark to use the newest libpcap (by linking from the old libpcap). It worked, in the sense that bluetooth0 was added to the interfaces list. But, when I tried to capture from it, I got an error message:

The specified data link type "BLUETOOTH_HCI_H4_WITH_P" isn't valid

Since I couldn't find a thing on Google, I looked around the repos and installed bluez-hcidump, which changed nothing.

I have Linux 3.2.0-4-686-pae and Debian Wheezy 7.6 in an HP Mini 110-3100. I think that the adapter responsible for Bluetooth is Broadcom Corporation BCM4313 802.11b/g/n Wireless LAN Controller. It was the closest in lspci, and HP no longer supports it, so I can't get the info from them.

Is it possible to capture Bluetooth in Debian Wheezy? What do I need to do to do that?

Thanks in advance.

Answer 1

The highest libpcap version in the Debian repos is 0.8

The version number in the Debian libpcap package name is a bit mysterious. There was an "0.7" before the "0.8", so maybe there was a time when the version number in the package tracked the actual libpcap version number; however, perhaps they realized, when libpcap 0.9 came out, that I was ensuring binary compatibility between libpcap releases and that they didn't need to come out with a new "libpcap-x.y" package for every new version.

So they stopped updating the version number in the package name to match the libpcap version number. In Wheezy, the libpcap-0.8 package is based on libpcap 1.3.0.

libpcap 1.3.0 does include Bluetooth capture support for Linux; however, it's only built if the system on which libpcap is compiled has the bluetooth/bluetooth.h header file, so, if Bluetooth capture doesn't work on Wheezy with the standard libpcap package, perhaps it wasn't, for whatever reason, built with Bluetooth capture included (either they explicitly turned it off or the build wasn't done on a system with the bluez developer package installed.

I.e., do not assume, just because Debian chooses to call their libpcap package "libpcap-0.8", that the libpcap on Wheezy doesn't support Bluetooth. Try using the standard libpcap first (uninstall the libpcap you built, and, if you built Wireshark from source with that library, do a make distclean on your Wireshark source tree, make sure "libpcap-dev" is installed, and reconfigure and rebuild Wireshark) .

If that still doesn't work, what version of Wireshark are you using? The data link type "BLUETOOTH_HCI_H4_WITH_P" isn't, in fact, valid, because the correct type is "BLUETOOTH_HCI_H4_WITH_PHDR", so that seems to be a problem between Wireshark and dumpcap.