Bluetooth connections sniffing

This resource consists on capturing traffic from a Bluetooth connection using specific hardware with the ability to intercept packets of third-party setup networks. It is a technique similar to the “monitor mode” in Wi-Fi.

This technique commonly captures packets from the Bluetooth “Link Layer” layer, i.e. “LMP” packets in BR/EDR and “LL” packets in BLE. Depending on the connection being monitored, it is possible that the captured packets are encrypted.

Bluetooth Sniffers

The following table lists some hardware and software that allows this technique to be performed. It is important to check the limitations of the projects below as many do not allow reliable capture of communications due to the channel hopping techniques used in Bluetooth.

HardwareSoftwareModes
UbertoothUbertooth toolsBR* / EDR* / BLE
TI CC1352/CC26x2SniffleBLE 4.x / BLE 5
nRF51822BtlejackBLE 4.x / BLE 5.x*
Bluefruit LE snifferBtlejackBLE 4.x / BLE 5.x*
Micro:BitBtlejackBLE 4.x / BLE 5.x*
nRF52840nRF SnifferBLE
PANalyzr-BR / EDR / BLE
Ellisys Bluetooth Vanguard-BR / EDR / BLE
Ellisys Bluetooth Explorer-BR / EDR / BLE
TeledyneLecroy Frontline X500-BR / EDR / BLE

* Limited support. See product or project for more information.