How to use a Bluetooth (BLE) sniffer without pulling your hair out!

While working on a client project it became necessary to use a Bluetooth Low Energy sniffer to debug some weird behavior happening with the data transfers between the master and slave device. I had read quite a bit about BLE sniffing before and talked to a few people in the industry to get their feedback on the different options out there, but I hadn’t actually done much with one until recently.

This blog post is intended to be the first of a series covering the topic of Bluetooth Low Energy sniffers. In this first one I’ll go over the different commercial options out there and compare them. The following posts will go into more technical detail and cover topics such as how to use one of the BLE sniffers (the TI CC2540 SmartRF Sniffer USB dongle) to listen to advertisements and follow connections.

I have to say, my recent journey in learning about BLE sniffing has been a bit of a struggle, and I couldn’t find any good resources online on how to use them and make sense of the data. So I wanted to take this opportunity to document my learning and put it out there to benefit anyone else looking to learn more about BLE sniffers.

A comparison of Bluetooth Low Energy Sniffer options

Here’s a list of the different Bluetooth Low Energy sniffers that I have come across and learned about online (some of which I’ve been using recently).

(Listed info is accurate as of March, 2017)

  • Ellisys Bluetooth Tracker
    • Price: around $10,000 (on the low-end, and goes up depending on which features are enabled)
    • Pros: Very compact and portable, supports Bluetooth 5 (low energy) & Wi-Fi, lower cost than other commercial sniffers
    • Cons: may not be affordable for some
  • TI BLE Sniffer (CC2540EMK-USB dongle)
    • Price: around $50
    • Pros: Relatively easy-to-use, reasonable cost, minimal setup required
    • Cons: can listen on only one advertising channel at a time (hardware limitation), uses a proprietary analysis application, difficult to export captured data (you need to develop or use a tool that parses the exported data), drops packets occasionally, crashes occasionally
  • Nordic nRF Sniffer (nRF51 PCA10031 USB dongle)
    • Price: around $50
    • Pros: reasonable cost, integrates with Wireshark (Windows only) through use of Nordic nRFSniffer software (command line utility)
    • Cons: can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally
  • Adafruit Bluefruit LE Sniffer (pretty much the same as the nRF sniffer since it’s based on the same module)
    • Price: around $30
    • Pros: low cost, integrates with Wireshark (Windows only) through use of Nordic nRFSniffer software (command line utility), Linux and Mac OS X support provided through python scripts
    • Cons: can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally
  • Ubertooth One
    • Price: $120
    • Pros: open-source software and hardware
    • Cons: can listen on only one advertising channel at a time (hardware limitation), difficult to get set up on Mac OS X or Windows (much simpler on Linux)
  • Teledyne LeCroy (formerly Frontline) ComProbe BPA low energy
    • Price: $3,500-$4,500
    • Pros: can listen to all 3 advertising channels simultaneously, compact design, powerful PC software (almost overwhelmingly powerful)
    • Cons: relatively pricey, Windows only, cumbersome UI (too many bells and whistles), minimal tutorials available
  • Ellisys Bluetooth Explorer 400-STD-LE
    • Price: around $30,000
    • Pros: Uses software-defined radio (SDR) meaning the device’s firmware can be updated to support any future version of BLE (including upcoming Bluetooth 5 release)
    • Cons: very expensive

Summary

As you can see, there are many options out there for BLE sniffers, and they vary widely in features and pricing. There is no perfect sniffer, and your budget will probably determine which one you choose. In the upcoming posts I will go over how to use the TI BLE sniffer to determine which devices are advertising in the area, make sense of that data, follow connections, and analyze the data transfers happening between the master and slave.

Next in the series:

Part 2: How to use a BLE sniffer to capture and debug Advertisement data (Video)

Part 3: How to use a BLE sniffer to reverse engineer a Bluetooth Lightbulb and capture Connection data (Video)

About the Author:

Mohammad Afaneh
Mohammad has a strong passion for developing Bluetooth Low Energy and IoT applications. He helps developers develop for BLE faster through detailed technical tutorials, articles, and videos. He enjoys playing sports, spending time with his wife and kids, and reading non-fiction books. Connect with him on LinkedIn at https://www.linkedin.com/in/mafaneh.

6 Comments

  1. Martin, August 17, 2016 at 2:15 pm

    I have used the Nordic nRF Sniffer with moderate success.

    One limitation I found is that it doesn’t appear to keep up with a modest rate of data transfers.
    I had a Peripheral device that would send 4 notifications every 40 ms.
    Each notify from Peripheral was 20 bytes … so overall throughput was (20 x 4 packets x 1/40ms = 2000 bytes/sec)
    Connection interval = 12.5ms

    Using Nordic nRF Sniffer and Wireshark, it would only capture about 20% of the notify messages.

    Have others seen the same with the Nordic nRF Sniffer or TI’s BLE sniffer?

    Regards, Martin

  2. Martin, August 17, 2016 at 2:24 pm

    One note, I use nRF51822 Development Kit dongle (PCA10000) USB Dongle, not the PCA10031 USB dongle you mention.

    Also, using latest nRF Sniffer software (1.0.1)

    Thanks.

    • Mohammad Afaneh, August 18, 2016 at 9:09 am

      Martin, do you know if the peripheral device is set up to advertise on all 3 advertising channels or just one?
      If it’s not restricted to one channel then the sniffer will only detect some of the connections (notifications in this case) since it can only scan one channel at a time.

      • Mohammad Afaneh, September 27, 2016 at 8:56 am

        Martin, sorry, I just realized I don’t think my previous comment is valid in all cases. Do these notifications happen while the connection is alive between the master and slave? Or are the two disconnected when you’re sniffing the data? If the notifications occur from a disconnected state then it may be related to the 3 advertising channels not being scanned (HW limitation with the sniffer); otherwise it’s probably related to some throughput limitation, as you mention.

  3. Martin, November 3, 2016 at 7:16 pm

    Hi Mohammad. Very useful article, thanks. I noticed that you don’t mention “drops packets occasionally” under Ubertooth One. Does it really perform better than the Nordic and TI sniffers in this regard? I’ve tried both, Nordic’s and TI’s sniffers, and I also noticed how they drop packets every now and then. This is one of the reasons why I’m looking for a new alternative. I also noticed that the TI sniffer does not support LE Data Length Extension (PDUs that exceed 27 bytes), which is something that my application makes use of. Do you know if the Ubertooth One does support this feature? Which of these three sniffers do you prefer to work with?

    • Mohammad Afaneh, November 4, 2016 at 12:30 pm

      Martin, thanks. I’m glad you found the article useful.

      Unfortunately, I do not have much experience with the Ubertooth One. At one point, I tried going through the setup to get it working on my MacBook, but it was a bit more involved and I gave up too soon.

      Because of this, I don’t really know if it supports the LE Data Packet Length Extension feature. I think your best bet is to sign up to their mailing list at https://sourceforge.net/p/ubertooth/mailman/ and send an email to the group. They’re usually very responsive, and you’ll get an answer within a day or two. (I searched the archived messages and couldn’t find that anyone had asked this question previously.)

      Sorry that I couldn’t be of much help.
