How to use a Bluetooth (BLE) sniffer without pulling your hair out!

While working on a client’s project it became necessary to use a Bluetooth Low Energy sniffer to debug some weird behavior happening with the data transfers between the master and slave device. I had read quite a bit about BLE sniffing before and talked to a few people in the industry to get their feedback on the different options out there, but I hadn’t actually done much with one until recently.

This blog post is the first of a series covering the topic of Bluetooth Low Energy sniffers. In this first one, I’ll go over the different commercial options out there and compare them. The following posts will go into more technical detail and cover topics such as how to use one of the BLE sniffers (TI CC2540 SmartRF Sniffer USB dongle) for listening to advertisements and following connections.

I have to say, my recent journey in learning about BLE sniffing has been a bit of a struggle and I couldn’t find any good resources online on how to use them and make sense of the data. So I wanted to take this opportunity to document my learning as well as put it out there to benefit anyone else looking to learn more about BLE sniffers.

A comparison of Bluetooth Low Energy Sniffer options

Here’s a list of the different Bluetooth Low Energy sniffers that I have come across and learned about online (some of which I’ve been using recently).

(Listed info is accurate as of November 2018)

  • Ellisys Bluetooth Tracker
    • Price: starts at $10,000 (on the low-end, and goes up depending on which features are enabled).
    • Pros: Very compact and portable, supports Bluetooth 5 (low energy) & Wi-Fi, lower cost than other commercial sniffers, supports HCI debugging and includes a logic analyzer.
    • Cons: may not be affordable for many.
  • TI BLE Sniffer (CC2540EMK-USB dongle)
    • Price: around $50.
    • Pros: Relatively easy-to-use, reasonable cost, minimal setup required.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), uses proprietary analysis application, difficult to export captured data (need to develop or use a tool that parses the exported data), drops packets occasionally, crashes occasionally.
  • Nordic nRF Sniffer (nRF51 PCA10031 USB dongle)
    • Price: around $50.
    • Pros: reasonable cost, integrates with Wireshark (Windows only) through the use of Nordic nRFSniffer software (command line utility).
    • Cons: can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally.
  • Nordic nRF Sniffer (nRF52 PCA10059 USB dongle) – NEW
    • Price: around $10.
    • Pros: very low cost, fully supports Bluetooth 5 as a development kit, integrates with a full suite of applications from Nordic, the nRF Connect for desktop.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), no support for sniffing Bluetooth 5 packets yet (coded PHY, 2M PHY, or advertising extensions). Though, this is inevitably coming.

UPDATE: The nRF52 USB Dongle is not yet supported by the nRF Sniffer application, but this will inevitably be possible soon.
Here’s a Getting Started tutorial for this USB dongle: The nRF52840 USB Dongle Tutorial (Part 1)

  • Adafruit Bluefruit LE Sniffer (pretty much the same as the nRF sniffer since it’s based on the same module)
    • Price: around $30.
    • Pros: low cost, integrates with a full suite of applications from Nordic, the nRF Connect for Desktop.
    • Cons: does not support Bluetooth 5, can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally.
  • Ubertooth One
    • Price: $120.
    • Pros: open-source software and hardware.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), difficult to get set up on Mac OS X or Windows (much simpler on Linux).
  • Teledyne LeCroy (formerly Frontline) ComProbe BPA low energy
    • Price: $3,500-$4,500.
    • Pros: can listen to all 3 advertising channels simultaneously, compact design, powerful PC software (almost overwhelmingly powerful).
    • Cons: relatively pricey, Windows only, cumbersome UI (too many bells and whistles), minimal tutorials available.
  • Ellisys Bluetooth Explorer 400-STD-LE
    • Price: around $30,000.
    • Pros: employs Software Defined Radio (SDR), meaning the device’s firmware can be updated to support any future version of BLE.
    • Cons: very expensive.

Summary

As you can see, there are many options out there for BLE sniffers and they vary widely in features and pricing. There is no perfect sniffer and your budget will probably determine which one you choose. In the upcoming posts, I will go over how to use the TI BLE sniffer to determine which devices are advertising in the area, make sense of that data, follow connections and analyze the data transfers happening between the master and slave.

Next in the series:

Part 2: How to use a BLE sniffer to capture and debug Advertisement data (Video)

Part 3: How to use a BLE sniffer to reverse engineer a Bluetooth Lightbulb and capture Connection data (Video)

12 Comments

  1. Martin on August 17, 2016 at 2:15 pm

    I have used the Nordic nRF Sniffer with moderate success.

    One limitation I found is that it can’t appear to keep up with a modest rate of data transfers.
    I had a Peripheral device that would send 4 notifications every 40 ms.
    Each notify from Peripheral was 20 bytes … so overall throughput was (20 x 4 packets x 1/40ms = 2000 bytes/sec)
    Connection interval = 12.5ms

    Using Nordic nRF Sniffer and Wireshark, it would only capture about 20% of the notify messages.

    Have others seen the same with Nordic nRF Sniffer or TI’s BLE sniffer?

    Regards, Martin

  2. Martin on August 17, 2016 at 2:24 pm

    One note, I use nRF51822 Development Kit dongle (PCA10000) USB Dongle, not the PCA10031 USB dongle you mention.

    Also, using latest nRF Sniffer software (1.0.1)

    Thanks.

    • Mohammad Afaneh on August 18, 2016 at 9:09 am

      Martin, do you know if the peripheral device is set up to advertise on all 3 advertising channels or just one?
      If it’s not restricted to one channel then the sniffer will only detect some of the connections (notifications in this case) since it can only scan one channel at a time.

      • Mohammad Afaneh on September 27, 2016 at 8:56 am

        Martin, sorry I just realized I don’t think my previous comment is valid in all cases. Do these notifications happen while the connection is alive between the master and slave? or are the two disconnected when you’re sniffing the data? If the notifications occur from a disconnected state then it may be related to the 3 advertising channels not being scanned (HW limitation with the sniffer), otherwise it’s probably related to some throughput limitation as you mention.

  3. Martin on November 3, 2016 at 7:16 pm

    Hi Mohammad. Very useful article, thanks. I noticed that you don’t mention “drops packets occasionally” under Ubertooth One. Does it really perform better than the Nordic and TI sniffers in this regard? I’ve tried both, Nordic’s and TI’s sniffers, and I also noticed how they drop packets every now and then. This is one of the reasons why I’m looking for a new alternative. I also noticed that the TI sniffer does not support LE Data Length Extension (PDUs that exceed 27 bytes), which is something that my application makes use of. Do you know if the Ubertooth One does support this feature? Which of these three sniffers do you prefer to work with?

    • Mohammad Afaneh on November 4, 2016 at 12:30 pm

      Martin, thanks. I’m glad you found the article useful.

      Unfortunately, I do not have much experience with the Ubertooth One. At one point, I tried going through the setup to get it working on my MacBook, but it was a bit more involved and I gave up too soon.

      Because of this, I don’t really know if it supports the LE Data Packet Length Extension feature. I think your best bet is to sign up to their mailing list at https://sourceforge.net/p/ubertooth/mailman/ and send an email to the group. They’re usually very responsive and you’ll get an answer within a day or two. (I searched the archived messages and couldn’t find that anyone had asked this question previously)

      Sorry that I couldn’t be of much help.

  4. Ravi Teja on April 6, 2018 at 5:41 am

    Hi
    I am somewhat new to this. My company is developing an app that enables BLE on devices for lamps and switches. Is there a way to sniff the traffic being sent without using any hardware at all? Or is it mandatory to have one of the hardware devices mentioned in your previous article?

    • Mohammad Afaneh on April 6, 2018 at 10:00 am

      Hi Ravi,

      Unfortunately, yes you will need sniffer hardware in order to capture BLE traffic. The nRF sniffer (https://www.nordicsemi.com/eng/Products/Bluetooth-low-energy/nRF-Sniffer) is probably the most reliable solution out of the low cost options. It is based on the nRF development kits (nRF52832, nRF51822, etc.) and utilizes a desktop application that interfaces with the development kit to run the sniffer software.

  5. Lacy Morrow on August 6, 2018 at 9:31 pm

    Just want to say thank you for putting together this list.

    I’m attempting to get basic BLE presence detection working and you saved me quite a bit of time with this write up.

    • Mohammad Afaneh on August 6, 2018 at 11:36 pm

      Thanks, Lacy! Glad I could help.

  6. Prasad on November 21, 2018 at 5:19 am

    Hi, can nRF52840 Dongle be used to sniff BLE 5 – Extended Advertisement packets?

    • Mohammad Afaneh on November 21, 2018 at 9:45 am

      Hi Prasad,

      I’m looking into this, but I believe the nRF Sniffer software has not been updated to support this yet. I know that the dongle cannot be used with nRF Connect to discover extended advertisements (or at least not yet).
