
Hi,

I'm interested in using Wireshark for sniffing Bluetooth profiles (Bluetooth application data).

This data is almost always transferred on an encrypted link setup by default, between two end devices. When the two devices know the BT channel is for a particular profile, they want it encrypted. E.g. setting up an AVDTP channel for A2DP. I was wondering if this would be an issue for Wireshark? I know that it has support for a ton of Bluetooth profiles now, but what if the BT link is encrypted? If one is developing on a Bluetooth stack, they can pull the link key information, or even set the device in SSP debug mode prior to pairing/connecting? Does this help?

Many thanks, Dan

asked 02 Mar '16, 01:08


DanRalley


Hello,

Wireshark uses libpcap or androiddump to capture from Bluetooth interfaces, which are in reality implemented on the host side (after processing by the controller [Bluetooth chip]), so the payload is decrypted in all cases (and often saved in BTSNOOP format).

But if you have logs from a Bluetooth sniffer (from the air), then the answer is: there is no decrypting on the Wireshark side (but if you need that feature you can file the bug/enhancement on Wireshark Bugzilla, upload two or more capture files and the information needed for decryption [keys, etc.], then it will be implemented). However, in most cases the Bluetooth sniffer also decrypts the payload, so maybe there is nothing to do. As I remember, Ubertooth does not decrypt the payload right now.

Summary: If you have a Bluetooth USB dongle and are capturing from local host interfaces (or USB), then encryption is not a problem (decrypted by controller or host).

If you have logs from an air sniffer and the sniffer does not decrypt them, then Wireshark does not help you (right now) and you will see "some bytes".


answered 02 Mar '16, 10:58


Michał Łabędzki

Hi Michal,

Thanks for your reply, this has clarified things greatly. If you have dump files from a host stack (libpcap, hcidump etc.), as that is already decrypted, Wireshark can abstract the relevant protocol data.

For me, the greatest use of sniffer traces are from over the air or promiscuous sniffing.

Out of interest, do you know of any sniffers/plug-ins that have decrypting capabilities? Ones that are affordable and not from Frontline/Ellysis?

This would be a really powerful enhancement, if Wireshark could decrypt pcap files generated from open source sniffers like Ubertooth. Like I said, giving Wireshark the link key or having one device in SSP debug mode, enabling Wireshark to decrypt all of the useful profile data.

At the present time, I want an Ubertooth but don't have one. For the Wireshark enhancement to be considered, do you have to have sniffer traces from me, or is there another option for this enhancement to be considered? It will take a while for me to get a working setup and perform some encrypted OTA sniffs.

Best, Dan

(02 Mar '16, 11:24) DanRalley

Apologies Michal, should have replied here.

(02 Mar '16, 11:24) DanRalley

The problem with Ubertooth is that it cannot capture EDR packets, so in most cases there is nothing interesting to decrypt... (for example A2DP). However, capturing encrypted LE payload is quite easy.

It is not a trivial enhancement, so please file the bug/enhancement on Bugzilla: https://bugs.wireshark.org/bugzilla/buglist.cgi?limit=0&list_id=23965&order=bug_id%20DESC&query_format=advanced&resolution=--- and upload a capture file, so I can start working on it, because currently I do not have capture files to test, so this enhancement is on my TODO list with low priority. If someone else wants to implement it - you are welcome too :)

Out of interest, do you know of any sniffers/plug-ins that have decrypting capabilities? Ones that are affordable and not from Frontline/Ellysis?

Nope, as I remember there are no more sniffers than Frontline/Ellysis/Ubertooth/nRF sniffer (LE only). [However, tools like HackRF/GNU Radio can also be used for sniffing Bluetooth, but decrypting must be done in userspace]

(02 Mar '16, 23:20) Michał Łabędzki

Thanks Michal,

Since any BLE connection that doesn't use LE Secure Connections can easily be broken anyway, I'll put this lower on the priority list for now. But I'll put some sniffs together for you to work with shortly.

I would be happy to provide some BR/EDR decrypted sniffs containing profile data (with link key information provided externally) and try to provide a sniff with one device in SSP debug mode so that you can implement two possible methods of link decryption. However, it sounds like Ubertooth isn't going to help us here, so can you recommend some hardware that would allow you to create this enhancement? (unless Wireshark can read Frontline CFA files...)

thanks, Dan

(14 Mar '16, 02:31) DanRalley

To clarify, some hardware that I can use to provide a decent sniff.

(14 Mar '16, 02:32) DanRalley

Hi Dan,

Even I would need Ubertooth + Wireshark to look into decrypted HSP profile packets (RFCOMM + SCO/eSCO). Was just curious if you by chance figured out a workaround for this? In my case, I am trying to analyze packets between an Android smartphone and a COTS headset.

Do you know if Android's btsnoop_hci.log captures Profile data decrypted?

Thanks, Manoj

(16 Apr '16, 18:42) Manoj Prasad
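As an added example (not code from this thread or from the Wireshark project): a minimal reader for the BTSNOOP record format that the answer mentions and that Android's btsnoop_hci.log, asked about in the last comment, is written in. Because each record is an HCI packet exactly as the host sent it to or received it from the controller, the ACL payload in such a file is the same plaintext the host stack handled, which is why host-side captures need no decryption in Wireshark. The sample file bytes are constructed here; the field layout, the H4 packet indicators and the Set Connection Encryption opcode follow the public btsnoop and Bluetooth Core specifications.

```python
import struct
from typing import List, NamedTuple

BTSNOOP_MAGIC = b"btsnoop\x00"
HCI_UART_H4 = 1002            # btsnoop datalink type: H4-framed HCI (used by Android)
H4_TYPES = {1: "CMD", 2: "ACL", 3: "SCO", 4: "EVT"}

class Record(NamedTuple):
    direction: str            # "host->ctrl" (sent) or "ctrl->host" (received)
    kind: str                 # H4 packet type name
    timestamp_us: int         # raw btsnoop timestamp (microseconds since year 0)
    payload: bytes            # HCI packet without the 1-byte H4 indicator

def parse_btsnoop(blob: bytes) -> List[Record]:
    """Parse a whole btsnoop file held in memory into a list of Records."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])   # all fields big-endian
    if version != 1 or datalink != HCI_UART_H4:
        raise ValueError(f"unsupported version {version} / datalink {datalink}")
    records, off = [], 16
    while off + 24 <= len(blob):
        # record header: original len, included len, flags, cumulative drops, int64 timestamp
        _orig, incl, flags, _drops, ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        data = blob[off:off + incl]
        if len(data) != incl:
            raise ValueError("truncated record")
        off += incl
        direction = "ctrl->host" if flags & 1 else "host->ctrl"   # flags bit0 = direction
        kind = H4_TYPES.get(data[0], "UNKNOWN") if data else "EMPTY"
        records.append(Record(direction, kind, ts, data[1:]))
    return records

def _rec(flags: int, h4_packet: bytes, ts: int) -> bytes:
    """Build one btsnoop record; used only to construct the sample file below."""
    return struct.pack(">IIIIq", len(h4_packet), len(h4_packet), flags, 0, ts) + h4_packet

# Constructed sample: an HCI Set Connection Encryption command (opcode 0x0413, handle
# 0x0040, enable=1) sent to the controller, then an ACL packet received from it that
# carries a 1-byte L2CAP payload on CID 0x0004. flags bit1 marks command/event records.
SAMPLE = (BTSNOOP_MAGIC + struct.pack(">II", 1, HCI_UART_H4)
          + _rec(0b10, bytes.fromhex("01 13 04 03 40 00 01"), 1_000)
          + _rec(0b01, bytes.fromhex("02 40 20 05 00 01 00 04 00 0a"), 2_000))
```

Run `parse_btsnoop(open("btsnoop_hci.log", "rb").read())` on a real log to list what the host saw, direction by direction; anything beyond the H4 indicator is already plaintext at this layer.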
question asked: 02 Mar '16, 01:08

question was seen: 3,247 times

last updated: 16 Apr '16, 18:42

p​o​w​e​r​e​d by O​S​Q​A