A BLE sniffer (also known as a Bluetooth protocol analyzer) is a passive listening device that captures BLE packets sent over the air by devices within direct radio range. It is very helpful when you need to debug communication between devices without interfering with or affecting that communication. It is also very useful when you have a device with an unknown protocol and its mobile application: the sniffer helps you understand the device's protocol so that you can implement it in your own application.
Of course, you can use such a device with any third-party application, but it can be a really good idea to have this feature available in your own application as well. For example, you may need your own protocol analyzer or additional data decoding, which is usually hard or even impossible to add to third-party applications. Fortunately, the Bluetooth Framework solves this problem: it provides a class that allows your application to sniff all Bluetooth LE communication between BLE-enabled devices. However, there are some prerequisites, which are described below.
How It Works
A BLE sniffer captures packets in two main scenarios:
- Advertising mode: It captures advertising packets (mainly on the primary advertising channels 37, 38, and 39).
- Connection mode: It captures raw packet data exchanged between two Bluetooth LE devices during a connection (the remaining 37 channels: 0 through 36).
The Bluetooth Framework includes the BleSniffer sample application that can be used as a starting point to develop your own Bluetooth LE sniffing application and to test the Bluetooth Framework BLE sniffer solution. After starting the BleSniffer sample application, you should provide the advertising channel number. It can be channel 37, 38, or 39. After starting the capturing process, the application will report all received BLE packets. Once the connection request is captured, the sniffer will automatically follow the channel changes to capture control and data frames. The Bluetooth Framework BLE sniffer can decode the following advertising PDUs:
- ADV_IND
- ADV_DIRECT_IND
- ADV_NONCONN_IND
- SCAN_REQ
- SCAN_RSP
- CONNECT_IND
- ADV_SCAN_IND
Data PDUs and any other unknown packets are reported as raw byte streams and can be decoded by your application. If you need decoding for any other PDUs, please contact us, and we will do our best to add the required decoding.
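As an added example (not code from the Bluetooth Framework or its BleSniffer sample), the following Python decodes the two-byte advertising PDU header into the PDU type names listed above and, for a captured CONNECT_IND, extracts the LLData fields (access address, CRC init, channel map, hop increment) that let a sniffer follow the connection onto the data channels; the channel sequence is computed with the spec's Channel Selection Algorithm #1, and the sample packet is constructed.

```python
# Added example (not Bluetooth Framework code). The sample packet below is constructed.
import struct

# PDU type = low 4 bits of header byte 0 (Bluetooth Core Spec Vol 6, Part B, 2.3)
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}

def bdaddr(raw):
    """Addresses go over the air least-significant byte first."""
    return ":".join(f"{b:02X}" for b in reversed(raw))

def parse_adv_pdu(pdu):
    """Return a dict describing one advertising PDU (2-byte header + payload)."""
    hdr, length = pdu[0], pdu[1]
    if length != len(pdu) - 2:
        raise ValueError("header length field does not match payload size")
    ptype, payload = hdr & 0x0F, pdu[2:]
    info = {"type": PDU_TYPES.get(ptype, f"UNKNOWN(0x{ptype:X})")}
    if ptype in (0, 2, 6):           # ADV_IND family: AdvA(6) + AdvData
        info["adv_a"] = bdaddr(payload[0:6])
    elif ptype == 5:                 # CONNECT_IND: InitA(6) AdvA(6) LLData(22)
        info["init_a"], info["adv_a"] = bdaddr(payload[0:6]), bdaddr(payload[6:12])
        ll = payload[12:34]
        info["access_addr"] = struct.unpack_from("<I", ll, 0)[0]
        info["crc_init"] = int.from_bytes(ll[4:7], "little")
        chm = int.from_bytes(ll[16:21], "little")      # 37-bit channel map
        info["used_channels"] = [c for c in range(37) if chm >> c & 1]
        info["hop"] = ll[21] & 0x1F                    # low 5 bits; SCA above
    return info

def csa1_channels(used, hop, count, last_unmapped=0):
    """First `count` data channels after CONNECT_IND, per Channel Selection #1."""
    out = []
    for _ in range(count):
        last_unmapped = (last_unmapped + hop) % 37
        # Channels excluded from the map are remapped into the used-channel table
        out.append(last_unmapped if last_unmapped in used
                   else used[last_unmapped % len(used)])
    return out

# Constructed CONNECT_IND as the sniffer would report it (header + payload)
SAMPLE_CONNECT_IND = bytes.fromhex(
    "05 22"                   # header: PDU type 5 (CONNECT_IND), payload length 34
    "01 02 03 04 05 C0"       # InitA -> C0:05:04:03:02:01
    "AA BB CC DD EE F0"       # AdvA  -> F0:EE:DD:CC:BB:AA
    "56 34 12 50" "56 34 12"  # access address 0x50123456, CRCInit 0x123456
    "02" "03 00" "18 00"      # WinSize, WinOffset, Interval (24 x 1.25 ms)
    "00 00" "48 00"           # Latency, Timeout
    "F0 FF FF FF 1F"          # ChM: channels 0-3 excluded, 4-36 used
    "0D")                     # Hop 13 (low 5 bits), SCA 0
```

Feeding the parsed map and hop into `csa1_channels` gives the data channels the sniffer must retune to after the connection request, including the remap that occurs when the hop lands on an excluded channel.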
Prerequisites
Hardware
The Bluetooth Framework BLE sniffer implementation requires a CC2540-based Bluetooth LE USB dongle. It is recommended to use the TI CC2540EMK-USB dongle, as it ships with the required firmware pre-flashed. However, you can use any Chinese clone from AliExpress or any other CC2540-based USB dongle. The required firmware can be found on the Texas Instruments site.
Drivers
By default, the dongle uses the proprietary (Cebal) driver. To use it with the Bluetooth Framework, the WinUSB driver is required. Here are the detailed instructions on how to install the WinUSB driver for the dongle.
- 1. Download Zadig.
- 2. Start the Zadig application.
- 3. Make sure that the List All Devices menu item is checked in the Options menu.
- 4. Select CC2540 USB Dongle in the drop-down list box.
- 5. Make sure that the source driver is Cebal (blue circle on the picture above).
- 6. Make sure that the target driver is WinUSB (green circle on the picture above).
- 7. Click the Replace Driver button.
- 8. Once the driver installation has finished, you will see the "The driver was installed successfully." message.
Now you can use your CC2540 USB dongle to capture Bluetooth LE communications. To revert to the original driver:
- 1. Open the Device Manager.
- 2. Find the CC2540 USB Dongle device under the USB Devices node.
- 3. Delete the device.
- 4. Refresh the device list. This re-detects the device and installs the original Cebal driver.