How to use a Bluetooth Low Energy sniffer without pulling your hair out!

While working on a client’s project it became necessary to use a Bluetooth Low Energy sniffer to debug some weird behavior happening with the data transfers between the master and slave device. I had read quite a bit about BLE sniffing before and talked to a few people in the industry to get their feedback on the different options out there, but I hadn’t actually done much with one until recently.

This blog post is intended to be the first of a series covering Bluetooth Low Energy sniffers. In this first one, I'll go over the different commercial options out there and compare them. The following posts will go into more technical detail and cover topics such as how to use one of the BLE sniffers (the TI CC2540 SmartRF Sniffer USB dongle) for listening to advertisements and following connections.

I have to say, my recent journey in learning about BLE sniffing has been a bit of a struggle, and I couldn't find any good resources online on how to use them and make sense of the data. So I wanted to take this opportunity to document my learning and put it out there to benefit anyone else looking to learn more about BLE sniffers.

A comparison of Bluetooth Low Energy Sniffer options

Here's a list of the different Bluetooth Low Energy sniffers that I have come across and learned about online (some of which I've been using recently). Several entries note that the sniffer listens on only one advertising channel at a time. BLE advertises on three channels (37, 38 and 39), and a single-radio sniffer has to be parked on one of them, so it sees roughly a third of the advertising traffic and can miss the connection request it needs in order to follow a connection.

(Listed info is accurate as of November 2018)

  • Ellisys Bluetooth Tracker
    • Price: starts at $10,000 (on the low-end, and goes up depending on which features are enabled).
    • Pros: Very compact and portable, supports Bluetooth 5 (low energy) & Wi-Fi, lower cost than the full-size Ellisys Explorer (below), supports HCI debugging and includes a logic analyzer.
    • Cons: may not be affordable for many.
  • TI BLE Sniffer (CC2540EMK-USB dongle)
    • Price: around $50.
    • Pros: Relatively easy-to-use, reasonable cost, minimal setup required.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), uses a proprietary analysis application, difficult to export captured data (you need to develop or find a tool that parses the exported data), drops packets occasionally, crashes occasionally.
  • Nordic nRF Sniffer (nRF51 PCA10031 USB dongle)
    • Price: around $50.
    • Pros: reasonable cost, integrates with Wireshark (Windows only) through Nordic's nRF Sniffer command-line utility.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally.
  • Nordic nRF Sniffer (nRF52 PCA10059 USB dongle) – NEW
    • Price: around $10.
    • Pros: very low cost, fully supports Bluetooth 5 as a development kit, integrates with a full suite of applications from Nordic, the nRF Connect for desktop.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), no support for sniffing Bluetooth 5 packets yet (Coded PHY, 2M PHY, or advertising extensions), though this is inevitably coming.

UPDATE: The nRF52 USB Dongle is not yet supported by the nRF Sniffer application, but this will inevitably be possible soon.
Here's a Getting Started tutorial for this USB dongle: The nRF52840 USB Dongle Tutorial (Part 1)

  • Adafruit Bluefruit LE Sniffer (pretty much the same as the nRF51 sniffer, since it's based on the same module)
    • Price: around $30.
    • Pros: low cost, integrates with a full suite of applications from Nordic, the nRF Connect for Desktop.
    • Cons: does not support Bluetooth 5, can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally.
  • Ubertooth One
    • Price: $120.
    • Pros: open-source software and hardware.
    • Cons: can listen on only one advertising channel at a time (hardware limitation), difficult to get set up on Mac OS X or Windows (much simpler on Linux).
  • Teledyne LeCroy (formerly Frontline) ComProbe BPA low energy
    • Price: $3,500-$4,500.
    • Pros: can listen to all 3 advertising channels simultaneously, compact design, powerful PC software (almost overwhelmingly powerful).
    • Cons: relatively pricey, Windows only, cumbersome UI (too many bells and whistles), minimal tutorials available.
  • Ellisys Bluetooth Explorer 400-STD-LE
    • Price: around $30,000.
    • Pros: employs Software Defined Radio (SDR), meaning support for future versions of the Bluetooth specification can be added with a firmware update rather than new hardware.
    • Cons: very expensive.
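Two of the cons above come up with every low-cost sniffer in this list: the exported capture needs a parser before you can make sense of it, and following a connection depends on catching the connection request (CONNECT_IND, called CONNECT_REQ in Bluetooth 4.x) on the advertising channel the sniffer happens to be listening on. The decoder below is an added example written for this post; it is not code from the author, from TI or from Nordic. It takes the over-the-air advertising-channel PDU (2-byte header plus payload, with preamble, access address and CRC already stripped, which is an assumption about how your sniffer exports packets), decodes the common advertising PDU types and their AD structures, unpacks the LLData from a CONNECT_IND, and uses channel selection algorithm #1 to predict the data channels a sniffer would have to hop to in order to follow the connection. The two sample PDUs at the bottom are constructed by hand, not real captures.

```python
"""Decoder for BLE link-layer advertising-channel PDUs and for the CONNECT_IND
parameters a sniffer needs in order to follow a connection.

Added example for this post, not code from the author or from any vendor's
sniffer software. Input is the over-the-air PDU (2-byte header + payload)
with preamble, access address and CRC already stripped (an assumption about
the export format). The sample PDUs at the bottom are constructed by hand.
"""
import struct

PDU_TYPES = {
    0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
    4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND",
}
AD_TYPES = {
    0x01: "Flags", 0x02: "Incomplete 16-bit UUIDs", 0x03: "Complete 16-bit UUIDs",
    0x08: "Shortened Local Name", 0x09: "Complete Local Name",
    0xFF: "Manufacturer Specific Data",
}


def fmt_addr(raw6):
    """Device addresses go over the air LSB first; print them MSB first."""
    return ":".join(f"{b:02X}" for b in reversed(raw6))


def parse_ad_structures(adv_data):
    """Split AdvData into (AD type name, value) pairs, rejecting overruns."""
    out, i = [], 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0:                      # zero-length structure = early termination
            break
        if i + 1 + length > len(adv_data):   # a malformed length must not read past the PDU
            raise ValueError("AD structure overruns AdvData")
        ad_type = adv_data[i + 1]
        out.append((AD_TYPES.get(ad_type, f"0x{ad_type:02X}"),
                    bytes(adv_data[i + 2:i + 1 + length])))
        i += 1 + length
    return out


def parse_connect_ind(payload):
    """Unpack InitA, AdvA and the 22-byte LLData of a CONNECT_IND payload."""
    ll = payload[12:]
    (access_addr,) = struct.unpack_from("<I", ll, 0)
    crc_init = int.from_bytes(ll[4:7], "little")
    win_size, win_offset, interval, latency, timeout = struct.unpack_from("<BHHHH", ll, 7)
    ch_map = int.from_bytes(ll[16:21], "little")   # bit n set = data channel n is used
    hop, sca = ll[21] & 0x1F, ll[21] >> 5
    return {
        "init_a": fmt_addr(payload[:6]), "adv_a": fmt_addr(payload[6:12]),
        "access_addr": access_addr, "crc_init": crc_init,
        "win_size_ms": win_size * 1.25, "win_offset_ms": win_offset * 1.25,
        "interval_ms": interval * 1.25, "latency": latency,
        "timeout_ms": timeout * 10, "ch_map": ch_map, "hop": hop, "sca": sca,
    }


def parse_pdu(pdu):
    """Decode one advertising-channel PDU (header + payload) into a dict."""
    if len(pdu) < 2:
        raise ValueError("PDU shorter than header")
    hdr, length = pdu[0], pdu[1]
    payload = pdu[2:]
    if len(payload) != length:
        raise ValueError(f"header length {length} != payload length {len(payload)}")
    pdu_type = hdr & 0x0F
    rec = {"type": PDU_TYPES.get(pdu_type, f"RESERVED_{pdu_type}"),
           "tx_add": "random" if hdr & 0x40 else "public",
           "rx_add": "random" if hdr & 0x80 else "public"}
    if pdu_type in (0, 2, 4, 6):             # ADV_IND, ADV_NONCONN_IND, SCAN_RSP, ADV_SCAN_IND
        rec["adv_a"] = fmt_addr(payload[:6])
        rec["ad"] = parse_ad_structures(payload[6:])
    elif pdu_type == 1:                      # ADV_DIRECT_IND: AdvA, TargetA
        rec["adv_a"], rec["target_a"] = fmt_addr(payload[:6]), fmt_addr(payload[6:12])
    elif pdu_type == 3:                      # SCAN_REQ: ScanA, AdvA
        rec["scan_a"], rec["adv_a"] = fmt_addr(payload[:6]), fmt_addr(payload[6:12])
    elif pdu_type == 5:                      # CONNECT_IND: InitA, AdvA, LLData
        if length != 34:
            raise ValueError("CONNECT_IND payload must be 34 bytes")
        rec.update(parse_connect_ind(payload))
    return rec


def connection_channels(ch_map, hop, count):
    """First `count` data channels of the connection (channel selection algorithm #1)."""
    used = [c for c in range(37) if ch_map >> c & 1]
    if not used:
        raise ValueError("channel map has no used channels")
    channels, unmapped = [], 0
    for _ in range(count):
        unmapped = (unmapped + hop) % 37
        # An unused channel is remapped onto the sorted list of used channels.
        channels.append(unmapped if ch_map >> unmapped & 1 else used[unmapped % len(used)])
    return channels


# Constructed samples (not real captures): ADV_IND from random address
# C0:11:22:33:44:55 carrying Flags + Complete Local Name "LightBulb", and the
# CONNECT_IND an initiator would send it (30 ms interval, 720 ms timeout, hop 7).
ADV_IND = bytes.fromhex("4014" "5544332211C0" "020106" "0A09" "4C69676874" "42756C62")
CONNECT_IND = bytes.fromhex("4522" "060504F3E2D1" "5544332211C0" "2A5C6550" "563412"
                            "02" "0500" "1800" "0000" "4800" "FFFFFFFF1F" "27")

if __name__ == "__main__":
    for pdu in (ADV_IND, CONNECT_IND):
        print(parse_pdu(pdu))
    conn = parse_pdu(CONNECT_IND)
    print("first data channels:", connection_channels(conn["ch_map"], conn["hop"], 8))
```

The CONNECT_IND fields are exactly what a single-radio sniffer must capture to follow the connection: the new access address and CRCInit to recognise the data packets, the interval and window offset to know when the first connection event starts, and the channel map and hop increment to know where. Miss that one packet because the sniffer was parked on a different advertising channel and none of this can be recovered from the data channels afterwards, which is why the three-channel ComProbe is worth its price for connection debugging.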

Summary

As you can see, there are many options out there for BLE sniffers, and they vary widely in features and pricing. There is no perfect sniffer, and your budget will probably determine which one you choose. In the upcoming posts, I will go over how to use the TI BLE sniffer to find the devices advertising in the area, make sense of that data, follow connections, and analyze the data transfers happening between the master and slave.

Next in the series:

Part 2: How to use a BLE sniffer to capture and debug Advertisement data (Video)

Part 3: How to use a BLE sniffer to reverse engineer a Bluetooth Lightbulb and capture Connection data (Video)