Ultimate Guide to Bluetooth Packet Capture with Ubertooth One and Wireshark

Set up an environment that supports Bluetooth packet capture by ensuring you have the necessary hardware and software tools. Install a Bluetooth adapter compatible with your system and

Previously, we introduced data packets and protocol layers. Next, we will use Ubertooth One to capture Bluetooth packets during communication processes.

(1) Installing Libraries


(2) Installing libbtbb


(3) Installing Ubertooth


(4) Installing Wireshark


(5) Installing Kismet


(6) Installing BLE Decryption Tool Crackle

Crackle (open-source project address)


Locate Kismet's configuration file kismet.conf and add pcapbtbb to the logtypes= entry inside it, so that Kismet writes Bluetooth baseband captures.

Sniffing and Scanning

(1) Spectool

spectool_curses

spectool_gtk scans nearby signals and displays them on the spectrum:

spectool_raw appears to print the raw, unprocessed signal samples captured by the device:

spectool_net makes Ubertooth One act as a "hardware server" listening on TCP port 30569, so that any PC on the local network can share the device by connecting to the Ubertooth host's IP address on port 30569. To connect from another host, run spectool_gtk in a terminal, then:

—> Select Open Network Device —> Enter the IP address and port.

(2) hcitool


hcitool scan: Scans for nearby Bluetooth devices

hcitool lescan: Scans for nearby low-energy Bluetooth devices

(3) gatttool



(4) ubertooth-scan


ubertooth-scan -s

(5) ubertooth-btle


-s<address> faux slave mode, using MAC addr (example: -s22:44:66:88:aa:cc)
-t<address> set connection following target (example: -t22:44:66:88:aa:cc)

Interference (use with -f or -p):
-i interfere with one connection and return to idle
-I interfere continuously

Data source:
-U<0-7> set ubertooth device to use

Misc:
-r capture packets to PCAPNG file
-q capture packets to PCAP file (DLT_BLUETOOTH_LE_LL_WITH_PHDR)
-c capture packets to PCAP file (DLT_PPI)
-A advertising channel index (default 37)
-v[01] verify CRC mode, get status or enable/disable
-x allow n access address offenses (default 32)

If an input file is not specified, an Ubertooth device is used for live capture.
In get/set mode no capture occurs.

ubertooth-btle -f -c test.pcap

Capture and save to a local file.

Using this command, we can save captured packets on the device locally. Once done, they can be imported into Wireshark for packet and protocol analysis.

Bluetooth packets sniffed this way need a little preparation before Wireshark can decode them correctly on import; otherwise analysis may not be possible:

Edit → Preferences → Protocols → DLT_USER → Edit → New

Enter btle in the payload protocol

Use display filter rules to narrow the packets down (refer to "Capturing BLE in Wireshark"):


btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05
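The display filter above keeps two kinds of frames: data PDUs that actually carry a payload (empty data PDUs are connection keep-alives) and SCAN_RSP advertising PDUs (type 0x05). The script below is an added example, not part of the original article or the Ubertooth project, that applies the same filter offline to a capture in the DLT_BLUETOOTH_LE_LL_WITH_PHDR format written by ubertooth-btle -q (the article's own command uses -c, i.e. DLT_PPI, which has a different pseudo-header). It assumes the linktype-256 layout: a 10-byte pseudo-header (RF channel, signal, noise, access-address offenses, reference access address, flags) followed by the link-layer packet (access address, 2-byte PDU header, payload, 3-byte CRC). The sample frames, the connection access address 0x50654A3C and the device address are constructed for the demonstration.

```python
"""Apply the Wireshark display filter
   btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05
offline to a LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR (256) pcap, as written by
`ubertooth-btle -q`. Constructed example; format assumptions noted inline."""
import struct

LINKTYPE_BLE_LL_WITH_PHDR = 256       # pcap linktype written by ubertooth-btle -q
ADV_ACCESS_ADDRESS = 0x8E89BED6       # fixed access address of the advertising channels
PDU_TYPE_SCAN_RSP = 0x05
# pseudo-header: rf_channel(u8) signal(s8) noise(s8) aa_offenses(u8) ref_aa(u32) flags(u16)
PHDR_FMT = "<BbbBIH"
PHDR_LEN = struct.calcsize(PHDR_FMT)  # 10 bytes


def parse_frame(frame: bytes) -> dict:
    """Split one captured frame into pseudo-header fields and its LL PDU header."""
    rf_chan, signal, _noise, _offenses, _ref_aa, _flags = struct.unpack_from(PHDR_FMT, frame, 0)
    access_address = struct.unpack_from("<I", frame, PHDR_LEN)[0]
    hdr0, hdr1 = frame[PHDR_LEN + 4], frame[PHDR_LEN + 5]
    pdu = {"rf_channel": rf_chan, "rssi": signal, "access_address": access_address}
    if access_address == ADV_ACCESS_ADDRESS:
        # advertising header: PDU type in the low nibble, payload length in byte 2
        pdu.update(kind="adv", pdu_type=hdr0 & 0x0F, length=hdr1)
    else:
        # data header: LLID in bits 0-1 (1 = continuation/empty, 2 = L2CAP start, 3 = LL control)
        pdu.update(kind="data", llid=hdr0 & 0x03, length=hdr1)
    return pdu


def keep(pdu: dict) -> bool:
    """Same decision as the Wireshark filter: a field that is absent never matches."""
    if pdu["kind"] == "data":
        return pdu["length"] > 0
    return pdu["pdu_type"] == PDU_TYPE_SCAN_RSP


def read_pcap(data: bytes):
    """Yield the frames of a classic little-endian pcap with linktype 256."""
    magic, _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (expected little-endian 0xa1b2c3d4)")
    if linktype != LINKTYPE_BLE_LL_WITH_PHDR:
        raise ValueError(f"expected linktype {LINKTYPE_BLE_LL_WITH_PHDR}, got {linktype}")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def filter_pcap(data: bytes) -> list:
    """Return the parsed PDUs the display filter would keep."""
    return [pdu for pdu in map(parse_frame, read_pcap(data)) if keep(pdu)]


# --- constructed sample capture (not real sniffed traffic) -----------------
def ll_frame(rf_channel: int, access_address: int, hdr0: int, payload: bytes) -> bytes:
    """Lay out one frame as the capture format does; CRC bytes are zeroed here."""
    phdr = struct.pack(PHDR_FMT, rf_channel, -60, -90, 0, access_address, 0x0001)  # 0x0001: dewhitened
    pdu = struct.pack("<IBB", access_address, hdr0, len(payload)) + payload + b"\x00\x00\x00"
    return phdr + pdu


def build_pcap(frames) -> bytes:
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_BLE_LL_WITH_PHDR))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


DATA_AA = 0x50654A3C                 # constructed connection access address
ADV_A = bytes.fromhex("ccaa88664422")  # constructed advertiser address (little-endian on air)
SAMPLE_FRAMES = [
    # RF channel 0 = advertising channel 37: ADV_IND (type 0x00) carrying only AdvA -> dropped
    ll_frame(0, ADV_ACCESS_ADDRESS, 0x00, ADV_A),
    # SCAN_RSP (type 0x05) with a "Complete Local Name" AD structure -> kept
    ll_frame(0, ADV_ACCESS_ADDRESS, 0x05, ADV_A + bytes([5, 0x09]) + b"Demo"),
    # empty data PDU (LLID 1, length 0): connection keep-alive -> dropped
    ll_frame(12, DATA_AA, 0x01, b""),
    # data PDU (LLID 2) carrying L2CAP len=3, CID=0x0004 (ATT), Exchange MTU Request -> kept
    ll_frame(13, DATA_AA, 0x02, bytes.fromhex("03000400021700")),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for pdu in filter_pcap(SAMPLE_PCAP):
        print(pdu)
```

To run it against a real file, replace SAMPLE_PCAP with the bytes of a capture made with ubertooth-btle -q; captures made with -c (DLT_PPI) or written as PCAPNG with -r will be rejected by the linktype check rather than silently mis-parsed.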

(6) Crackle

If you have captured enough packets, in particular the SMP pairing exchange (btsmp), you can use Crackle to recover the TK and LTK:


crackle -i <capture.pcap>

Decrypt packets and save the decrypted packets separately:


crackle -i <capture.pcap> -o <decrypted.pcap>

crackle -i <capture.pcap> -o <decrypted.pcap> -l <ltk>