Using a special firmware image provided by Nordic Semiconductor and the open source network analysis tool Wireshark, an Adafruit nRF52840 board can be used as a low cost Bluetooth Low Energy sniffer.

NOTE: This can only be used to sniff Bluetooth Low Energy devices. It will not work with classic Bluetooth devices. Since nRF-Sniffer is a passive solution that simply listens to packets over the air, it is possible to miss packets with this tool (or with any other passive sniffing solution).
The bootloader version must be at least 0.6.0. If your board has an older version, update it first: https://learn.adafruit.com/introducing-the-adafruit-nrf52840-feather/update-bootloader

Once everything is set up, usage is fairly easy. However, there are numerous separate items that need to be installed and configured, so the initial setup can be a bit cumbersome.

This guide will go through each step, but it can also help to have a general understanding of the overall setup.

Here's a simplified diagram:

Here's a summary of all the parts needed:

  1. The actual BLE sniffing hardware: this guide uses an Adafruit nRF52840 board running the sniffer UF2 firmware.
  2. The nRF52840's native USB shows up as a virtual serial (CDC) port.
  3. The BLE sniffing plugin uses Python.
  4. To talk to the virtual com port from Python, the pyserial module needs to be installed.
  5. Wireshark is the main software front end used to facilitate BLE sniffing and decoding.
  6. To talk to the BLE sniffer from Wireshark, the Nordic Semiconductor nRF Sniffer for BLE plugin is used.

These parts come from different sources - at least 5 different vendors are shown in the diagram above. So this will be quite the journey. 

BLE Sniffer Hardware

You'll need one of Adafruit's nRF52840 boards, for example:

This USB dongle/key type thing is a little unusual - it isn't a BLE adapter that you plug into a computer to add wireless capability. (If you do want something like that,...
The Adafruit Feather nRF52840 Express is the new Feather family member with Bluetooth Low Energy and native USB support featuring the nRF52840!  It's...

In order to use your nRF52840 board as sniffer hardware, you need to flash the sniffer firmware on your board first. Click the link below to download the Sniffer UF2 firmware file.

Double-click the Reset button on your board, and you will see the NeoPixel RGB LED turn green (identified by the arrow in the image). If it turns red, check the USB cable, try another USB port, etc.

Note: on the nRF52840 USB Key with TinyUF2 (PID 5199) you need to hold its button while plugging it into your PC.


You will see a new BOOT disk drive appear, e.g. FTHR840BOOT.

Drag the sniffer_nrf52840dongle_4.1.0.uf2 file to FTHR840BOOT.

The LED will flash. Then the FTHR840BOOT drive will disappear and a new device with a virtual COM port will appear:

Bus 001 Device 018: ID 1915:522a Nordic Semiconductor ASA

That's it, you have successfully converted your board into a BLE sniffing device and it's ready to use.

An LED can be wired to nRF52840 pin P1.09 as an activity indicator. Unfortunately, Nordic provides the sniffer firmware as a hex file only, so we couldn't recompile it to use the on-board LED of our boards.
The sniffer firmware erases the SoftDevice (BLE stack) on your board. If you want to switch your board back to the normal development flow with Arduino or CircuitPython, click the link below to download the SoftDevice UF2 file, then drag and drop it onto the BOOT drive as above.

Next Steps

Once everything is working as shown above, you are ready to move on to installing Python 3 and Wireshark.

Python 3

If Python 3 is not already installed on your system, go to the Python main page to learn how to download and install it for your specific system:

It should now be possible to launch Python and run some simple commands:

On Windows, try using py to launch Python.

Python Serial Support

To provide access to the COM port, install the pyserial package.

It should now be possible to launch Python and import the pyserial package:

NOTE: the import is actually serial, not pyserial.

Install Wireshark

Go to the Wireshark main page to learn how to download and install Wireshark for your specific system.

Once complete, it should be possible to run Wireshark and at least get the start screen.

Note: on Linux, you may need to add yourself to the wireshark group to run it without sudo, with the following command: sudo usermod -aG wireshark $(whoami)

Install BLE Sniffer Plugin

OK, finally, the thing we actually care about. The thing that will let us talk to the Adafruit BLE Sniffer and do some actual BLE sniffing. Let's download and install that BLE sniffing plugin!

Download Plugin from Nordic

Start by downloading the nRF Sniffer for BLE package from Nordic Semiconductor:

This will be a ZIP file. At the time of this guide, the version is 4.1.0.

Determine Wireshark Plugin Folder Location (extcap)

We need to install items from the ZIP file downloaded from Nordic into a specific Wireshark folder location. This location is different on different systems. To determine it for your system, do this:

Open Wireshark and, in the Help menu, select About Wireshark.

In the Folders tab, find the "extcap" or "Personal Extcap" path

We'll refer to this folder location as the Wireshark extcap folder.

Install BLE Sniffer Plugin into Wireshark

To install the plugin, simply copy the files shown below from the ZIP downloaded from Nordic into the Wireshark extcap folder location determined above.

Open the ZIP file downloaded from Nordic:

We only need the contents of the extcap folder from the ZIP file.

Extract and copy all of the contents of the extcap folder to the Wireshark extcap folder location.

Final Check and Test Capture

OK, now we can test things out with some actual BLE sniffing! woot!

  • Plug in the Adafruit BLE Sniffer.
  • Launch Wireshark.
  • The sniffer should show up under the available capture devices.
  • Double click on the sniffer capture device.
  • This will open the device and start capturing.
  • If there is BLE traffic, it will be seen right away.
  • If there is no BLE traffic, it will look like this.
  • Note the device has opened properly and is sniffing, there's just nothing to be seen.

Next Steps

Once everything is working as shown above, you are ready to move on to working with these BLE packets.

This page will work with both V1 and V2 sniffer firmware, once you've got the software installed.

Working with Wireshark

Once Wireshark has loaded, you should see the advertising packets streaming out from the selected BLE device at a regular interval, as shown in the image below:

One of the key benefits of Wireshark as an analysis tool is that it understands the raw packet formats and provides human-readable displays of the raw packet data.

The main way to interact with BLE data packets is to select one of the packets in the main window, and then expand the Bluetooth Low Energy Link Layer treeview item in the middle of the UI, as shown below:

Clicking on the Advertising Data entry in the treeview will highlight the relevant section of the raw payload at the bottom of the screen, but also provides human readable information about the payload that can save you a lot of time trying to debug or reverse engineer a device.

We can see, for example, that the device is advertising itself as a Bluetooth Low Energy only device ('BR/EDR Not Supported'), with a TX Power Level of 0 dBm, and a single service is being advertised using a 128-bit UUID (the UART service in this case).

Capturing Exchanges Between Two Devices

If you wish to sniff data being exchanged between two BLE devices, you will need to establish a connection between the original device we selected above and a second BLE device (such as an iPhone or an Android tablet with BLE capabilities).

The nRF-Sniffer firmware is capable of listening to all of the exchanges that happen between these devices, but cannot connect to a BLE peripheral or central device itself (it's a purely passive device).

Scan Response Packets

If you open up nRF UART on an Android or iOS device, and click the Connect button, the phone or tablet will start scanning for devices in range. One of the side effects of this scanning process is that you may spot a new packet in Wireshark on an irregular basis, the 'SCAN_REQ' and 'SCAN_RSP' packets:

The Scan Response is an optional second advertising packet that some Bluetooth Low Energy peripherals use to provide additional information during the advertising phase. The normal mandatory advertising packet is limited to 31 bytes, so the Bluetooth SIG includes the possibility to request a second advertising payload via the Scan Request.

You can see both of these transactions in the image above, and the Device Name that is included in the Scan Response payload (since the 128-bit UART Service UUID takes up most of the free space in the main advertising packet).
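Here is how those advertising and scan-response fields are laid out on the wire, as an added Python example that is not part of the guide: each payload is a chain of AD structures (length, type, data) capped at 31 bytes, which is why the Device Name spills over into the Scan Response. The sample bytes are constructed; the 128-bit UUID is assumed to be the Nordic UART Service UUID and the name "BLEFriend" is likewise assumed.

```python
# Constructed sample payloads (not bytes taken from the guide's capture). The
# 128-bit UUID is the Nordic UART Service UUID, assumed to be the "UART service"
# the guide mentions; the local name "BLEFriend" is likewise assumed.
ADV_DATA = bytes.fromhex(
    "020106"                                 # Flags: General Discoverable, BR/EDR Not Supported
    "020a00"                                 # TX Power Level: 0 dBm
    "11079ecadc240ee5a9e093f3a3b50100406e"   # Complete List of 128-bit Service UUIDs
)
SCAN_RSP = bytes.fromhex("0a09424c45467269656e64")  # Complete Local Name: "BLEFriend"

AD_TYPES = {0x01: "Flags", 0x07: "Complete List of 128-bit Service UUIDs",
            0x09: "Complete Local Name", 0x0A: "TX Power Level"}

def parse_ad_structures(payload: bytes):
    """Split a legacy advertising or scan-response payload into (type, data) pairs.
    Each AD structure is: length (covers type + data), type, data."""
    if len(payload) > 31:
        raise ValueError("legacy advertising payloads are limited to 31 bytes")
    out, i = [], 0
    while i < len(payload):
        length = payload[i]
        if length == 0:                      # zero length: padding, nothing follows
            break
        if i + 1 + length > len(payload):
            raise ValueError(f"AD structure at offset {i} overruns the payload")
        out.append((payload[i + 1], payload[i + 2:i + 1 + length]))
        i += 1 + length
    return out

def decode_ad(ad_type: int, data: bytes) -> str:
    if ad_type == 0x01:                      # Flags bitfield (one byte)
        names = {0x02: "LE General Discoverable", 0x04: "BR/EDR Not Supported"}
        return ", ".join(n for bit, n in names.items() if data[0] & bit) or data.hex()
    if ad_type == 0x0A:                      # TX power is a signed int8 in dBm
        return f"{int.from_bytes(data[:1], 'little', signed=True)} dBm"
    if ad_type == 0x07:                      # UUIDs are sent little-endian, 16 bytes each
        uuids = []
        for off in range(0, len(data), 16):
            u = data[off:off + 16][::-1].hex()
            uuids.append(f"{u[:8]}-{u[8:12]}-{u[12:16]}-{u[16:20]}-{u[20:]}")
        return ", ".join(uuids)
    if ad_type == 0x09:
        return data.decode("utf-8", errors="replace")
    return data.hex()

def decode_payload(payload: bytes) -> dict:
    """Human-readable view of a payload, keyed by AD type name (like Wireshark's tree)."""
    return {AD_TYPES.get(t, f"AD type 0x{t:02x}"): decode_ad(t, d)
            for t, d in parse_ad_structures(payload)}
```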

For more information on Scan Responses and the advertising process in Bluetooth Low Energy see our Introduction to Bluetooth Low Energy Guide.

Connection Request

Once we click on the UART device in nRF UART, the two devices will attempt to connect to each other by means of a Connection Request, which is initiated by the central device (the phone or tablet).

We can see this CONNECT_REQ in the timeline in the image below:

Write Request

Once the connection has been established, we can see that the nRF UART application tries to write data to the BLEFriend via a Write Request to handle '0x001E' (which is the location of an entry in the attribute table since everything in BLE is made up of attributes).

What this write request is trying to do is enable the 'notify' bit on the UART service's TX characteristic (0x001E is the handle for the CCCD or 'Client Characteristic Configuration Descriptor'). This bit enables an 'interrupt' of sorts to tell the BLEFriend that we want to be alerted every time there is new data available on the characteristic that transmits data from the BLEFriend to the phone or tablet.

Regular Data Requests

At this point you will start to see a lot of regular Empty PDU requests. This is part of the way that Bluetooth Low Energy works.

Similar to USB, all BLE transactions are initiated by the bus 'Main', which is the central device (the tablet or phone).

In order to receive data from the bus secondary (the peripheral device, or the BLEFriend in this particular case) the central device sends a 'ping' of sorts to the peripheral at a delay known as the 'connection interval' (not to be confused with the one-time connection highlighted earlier in this tutorial).

We can see pairs of transactions that happen at a reasonably consistent interval, but no data is exchanged since the BLEFriend (the peripheral) is saying 'sorry, I don't have any data for you':

Notify Event Data

To see an actual data transaction, we simply need to enter some text in our terminal emulator SW which will cause the BLEFriend to send the data to nRF UART using the UART service.

Entering the string 'This is a test' in the terminal emulator, we can see the first packet being sent below (only the 'T' character is transmitted because the packets are sent out faster than we enter the characters into the terminal emulator):

What this 4-byte 'Bluetooth Attribute Protocol' packet is actually saying is that attribute 0x001C (the location of the TX characteristic in the attribute table) has been updated, and the new value is '0x54', which corresponds to the letter 'T'.
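An added Python example (not from the guide) that decodes the two ATT PDUs discussed in this section, the Write Request to the CCCD at handle 0x001E and the Handle Value Notifications from the TX characteristic at 0x001C, and stitches the notified bytes back into the text typed in the terminal. The byte strings are constructed to match the handles and values the guide shows, not copied from its capture.

```python
ATT_WRITE_REQUEST = 0x12
ATT_HANDLE_VALUE_NOTIFICATION = 0x1B
TX_HANDLE = 0x001C        # UART TX characteristic value handle, as in the guide
TX_CCCD_HANDLE = 0x001E   # its Client Characteristic Configuration Descriptor

# Constructed ATT payloads (not bytes copied from the guide's capture) mirroring the
# exchange it describes: enable notifications, then receive 'T' and later 'te'.
CCCD_WRITE = bytes.fromhex("121e000100")   # Write Request, handle 0x001E, value 0x0001
NOTIFY_T = bytes.fromhex("1b1c0054")       # Handle Value Notification, 0x001C, 'T'
NOTIFY_TE = bytes.fromhex("1b1c007465")    # same, two bytes 'te' in one PDU

def decode_att(pdu: bytes) -> dict:
    """Split an ATT PDU into opcode, little-endian attribute handle and value."""
    if len(pdu) < 3:
        raise ValueError("ATT PDU too short for opcode + handle")
    opcode = pdu[0]
    kind = {ATT_WRITE_REQUEST: "Write Request",
            ATT_HANDLE_VALUE_NOTIFICATION: "Handle Value Notification"}
    return {"opcode": opcode, "type": kind.get(opcode, f"opcode 0x{opcode:02x}"),
            "handle": int.from_bytes(pdu[1:3], "little"), "value": pdu[3:]}

def decode_cccd(value: bytes) -> dict:
    """CCCD value is a 16-bit bitfield: bit 0 enables notifications, bit 1 indications."""
    if len(value) != 2:
        raise ValueError("CCCD value must be exactly 2 bytes")
    bits = int.from_bytes(value, "little")
    return {"notify": bool(bits & 0x01), "indicate": bool(bits & 0x02)}

def reassemble_uart(pdus, tx_handle=TX_HANDLE) -> str:
    """Rebuild the text stream from notifications on the TX handle, in capture order.
    Other PDUs (the CCCD write, responses, traffic on other handles) are skipped."""
    chunks = []
    for pdu in pdus:
        d = decode_att(pdu)
        if d["opcode"] == ATT_HANDLE_VALUE_NOTIFICATION and d["handle"] == tx_handle:
            chunks.append(d["value"].decode("ascii", errors="replace"))
    return "".join(chunks)
```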

Scrolling a bit further down we can see an example where more than one character was sent in a single transaction ('te' in this case):

The results of this transaction in the nRF UART application can be seen below:

Closing Wireshark and nRF-Sniffer

When you're done debugging, you can save the session to a file for later analysis, or just close Wireshark right away and then close the nRF-Sniffer console window to end the debug session.

Moving Forward

A sniffer is an incredibly powerful and valuable tool for debugging your own hardware, reverse engineering existing BLE peripherals, or just learning the ins and outs of how Bluetooth Low Energy actually works at the packet-by-packet level.

You won't learn everything there is to know about BLE in a day, but a good book on BLE, a copy of the Bluetooth 4.1 Core Specification and a sniffer will go a long way to teaching you most of the important things there is to know about BLE in the real world.

This guide was first published on Dec 22, 2021. It was last updated on 2021-12-19 23:31:01 -0500.