This is a static archive of our old Q&A Site. Please post any new questions and answers at

Bluetooth traffic analysis and extraction


Hi, I'm quite a beginner to Wireshark and got problem using it, I searched the wiki page but seems no promising results. Hopefully I can get some help here.

I am trying to analyze the network traffic between LG smart watch and Android phone, which all go through bluetooth channel. Now I have got the network traffic log file and I can view it by running

> wireshark "LogFileName"

Problem is how can I retrieve infomation by removing the bluetooth header and get the original network layer packet, because I can parse the IP layer packet but bluetooth packet is not what I want and what I understand.

asked 21 Sep '15, 13:02

xl45's gravatar image

accept rate: 0%

Can you share the Wireshark "log" file? Otherwise it's hard to tell what's wrong with that capture file.

(21 Sep '15, 13:18) Kurt Knochner ♦

Sure, the log file can be accessed here:

@Kurt Knochner

(21 Sep '15, 16:10) xl45

actually bluetooth just remove the ethernet header and add its own header with the remaining payload unchanged. but still i have no idea how to do the extraction.

(21 Sep '15, 16:18) xl45

no one knows?

(22 Sep '15, 09:32) xl45

I don't see any IP traffic "encapsulated in Bluetooth" in that capture file.

I am trying to analyze the network traffic between LG smart watch and Android phone

Why do you think this is an IP communication?

(22 Sep '15, 09:48) Kurt Knochner ♦

thanks for answering, well actually i may misunderstand this by thinking that bluetooth just remove ethernet header upon the regular TCP/IP packet and add its own header. but still i have no idea what to do if i want to retrieve data from the packet. @Kurt Knochner

(22 Sep '15, 10:14) xl45
showing 5 of 6 show 1 more comments

2 Answers:


but still i have no idea what to do if i want to retrieve data from the packet.

it depends on the content you are interested in. If I look at the payload of large RFCOMM frames, I can see payload that's seems to be related to smart watch communication.

So, first you probably need to develop a better understanding of what your are actually looking for, then you can either extract that information manually via the Wireshark GUI (RFCOMM frames), or by using tshark. If you are looking for TCP/IP commuincation between the devices, I don't think there is any in that capture file.


answered 22 Sep '15, 10:59

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

edited 22 Sep '15, 11:00


The RFCOMM service has UUID128: 5e8945b0-9525-11e3-a5e2-0800200c9a66 and name: WearableBt, so I hope it is Android Wear (I hear you can use androiddump in latest Wireshark to live-capturing). As I remember Wear require closed-sources application from Google on Android to make it works (this one: ), so there is no any documentation about protocol used by Google to communicate with Wear (implies no easy support for that in Wireshark). If anyone found some documentation about it, please share with me.

For now... Only Google know how to read Wear payload (over RFCOMM). I think I can see some structures, but it is (not!) reverse engineering.

answered 24 Sep '15, 14:00

Micha%C5%82%20%C5%81ab%C4%99dzki's gravatar image

Michał Łabędzki
accept rate: 8%