Bluetooth connections sniffing

This resource consists on capturing traffic from a Bluetooth connection using specific hardware with the ability to intercept packets of third-party setup networks. It is a technique similar to the “monitor mode” in Wi-Fi.

This technique commonly captures packets from the Bluetooth “Link Layer” layer, i.e. “LMP” packets in BR/EDR and “LL” packets in BLE. Depending on the connection being monitored, it is possible that the captured packets are encrypted.

Bluetooth Sniffers

The following table lists some hardware and software that allows this technique to be performed. It is important to check the limitations of the projects below as many do not allow reliable capture of communications due to the channel hopping techniques used in Bluetooth.

Hardware Software Modes
Ubertooth Ubertooth tools BR* / EDR* / BLE
TI CC1352/CC26x2 Sniffle BLE 4.x / BLE 5
nRF51822 Btlejack BLE 4.x / BLE 5.x*
Bluefruit LE sniffer Btlejack BLE 4.x / BLE 5.x*
Micro:Bit Btlejack BLE 4.x / BLE 5.x*
nRF52840 nRF Sniffer BLE
PANalyzr - BR / EDR / BLE
Ellisys Bluetooth Vanguard - BR / EDR / BLE
Ellisys Bluetooth Explorer - BR / EDR / BLE
TeledyneLecroy Frontline X500 - BR / EDR / BLE

* Limited support. See product or project for more information.