Bluetooth
Bluetooth is not really a single protocol but the name of a stack of protocols that is popular for building very small wireless networks. A common use for Bluetooth is connecting mobile phone accessories, but other applications also exist, such as wireless mice and keyboards for computers.
History
XXX - add a brief description of Bluetooth history
Protocol dependencies
HCI_H4: This is not a protocol but rather an encapsulation format that Wireshark implements.
At the lowest layer implemented in Wireshark, Bluetooth consists of 4 different types of frames:
BTHCI_ACL: Asynchronous Connectionless traffic. (data)
BTHCI_SCO: Synchronous Connection Oriented traffic. (voice)
BTHCI_CMD: Commands
BTHCI_EVT: Events
Example traffic
No. Time Source Destination Protocol Info
11 5.731294 L2CAP Sent Echo Request
Frame 11 (57 bytes on wire, 57 bytes captured)
Bluetooth HCI H4 Sent ACL Data
Direction: Sent (0x00)
HCI Packet Type: ACL Data (0x02)
Bluetooth HCI ACL Packet
.... 0000 0010 1001 = Connection Handle: 0x0029
..10 .... .... .... = PB Flag: Start Fragment (2)
00.. .... .... .... = BC Flag: Point-To-Point (0)
Data Total Length: 52
Bluetooth L2CAP Packet
Length: 48
CID: 0x0001
Command: Echo Request
Command Code: Echo Request (0x08)
Command Identifier: 0xc8
Command Length: 44
Wireshark
The Bluetooth stack is partially implemented and Wireshark can dissect several of the layers and protocols of the stack.
There is a libpcap format defined for Bluetooth frames, and support in libpcap 1.0.0 and later for capturing on Bluetooth devices in Linux; Wireshark, if linked with that version of libpcap, is able to capture on Bluetooth devices. (In Linux distributions that come with pre-1.0.0 versions of libpcap, libpcap doesn't support capturing on Bluetooth devices, so you would have to get libpcap 1.0.0 or later from tcpdump.org, install it, and build Wireshark with that version of libpcap in order to capture on Bluetooth devices. As of 2009-01-27, Gentoo Linux has libpcap with Bluetooth support in its mainline repository (portage).) Wireshark can also read captures in that format.
The original pcap format didn't store whether the packet was being sent or received (bug 1751). A newer file format includes the direction information as a 4-byte field where bit 0 is set if the packet was 'received'; see LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR at LINK-LAYER HEADER TYPES. Note that this field is big-endian even if the pcap file has been written in little-endian everywhere else (Development/LibpcapFileFormat). The original format uses link-layer type LINKTYPE_BLUETOOTH_HCI_H4 and the new format uses LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR (LINK-LAYER HEADER TYPES).
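To make the frame 11 dissection above and the direction word concrete, here is an added Python example (not part of this wiki page and not Wireshark's own dissector code) that decodes a constructed H4 ACL record, optionally preceded by the 4-byte big-endian direction field of LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR, into the same fields Wireshark shows, and rejects a record whose ACL length claims more bytes than were captured. The H4 type values other than 0x02, the PB-flag value 1 for a continuing fragment, and Echo Response 0x09 come from the Bluetooth HCI UART and core specifications, not from this page.

```python
import struct

# H4 packet type bytes: 0x02 (ACL Data) is shown in the page's dissection; the
# others follow the HCI UART (H4) transport: 0x01 command, 0x03 SCO, 0x04 event.
H4_TYPES = {0x01: "BTHCI_CMD", 0x02: "BTHCI_ACL", 0x03: "BTHCI_SCO", 0x04: "BTHCI_EVT"}
L2CAP_SIGNALLING_CID = 0x0001
L2CAP_CMD_NAMES = {0x08: "Echo Request", 0x09: "Echo Response"}  # 0x09 from the core spec

def parse_h4_acl(record, with_phdr=False):
    """Decode one H4 record into the fields Wireshark shows for an ACL frame.
    with_phdr=True: the record starts with the 4-byte big-endian direction word of
    LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR (bit 0 set = received); the rest is little-endian."""
    out, off = {}, 0
    if with_phdr:
        (direction,) = struct.unpack_from(">I", record, off)  # big-endian on purpose
        out["direction"] = "Received" if direction & 1 else "Sent"
        off += 4
    pkt_type = record[off]
    off += 1
    out["hci_type"] = H4_TYPES.get(pkt_type, "unknown (0x%02x)" % pkt_type)
    if pkt_type != 0x02:
        return out                                  # only ACL data is decoded further here
    handle_flags, total_len = struct.unpack_from("<HH", record, off)
    off += 4
    out["handle"] = handle_flags & 0x0FFF           # low 12 bits
    out["pb_flag"] = (handle_flags >> 12) & 0x3     # 2 = start fragment (as in frame 11)
    out["bc_flag"] = (handle_flags >> 14) & 0x3     # 0 = point-to-point
    out["acl_len"] = total_len
    payload = record[off:off + total_len]
    if len(payload) != total_len:                   # length field vs. bytes actually captured
        raise ValueError("truncated ACL payload: %d of %d bytes" % (len(payload), total_len))
    if out["pb_flag"] == 1:                         # continuing fragment: carries no L2CAP header
        return out
    l2_len, cid = struct.unpack_from("<HH", payload, 0)
    out["l2cap_len"], out["cid"] = l2_len, cid
    if cid == L2CAP_SIGNALLING_CID and l2_len >= 4:
        code, ident, cmd_len = struct.unpack_from("<BBH", payload, 4)
        out["command"] = L2CAP_CMD_NAMES.get(code, "0x%02x" % code)
        out["identifier"], out["cmd_len"] = ident, cmd_len
    return out

# Constructed sample reproducing the page's frame 11 (57 bytes): H4 type 0x02, handle
# 0x0029 with PB=2/BC=0 (0x2029), ACL length 52, L2CAP length 48, CID 0x0001,
# Echo Request 0x08, identifier 0xc8, command length 44, then 44 echo data bytes.
SAMPLE_ACL = (bytes([0x02]) + struct.pack("<HH", 0x2029, 52)
              + struct.pack("<HH", 48, 0x0001) + struct.pack("<BBH", 0x08, 0xC8, 44)
              + bytes(range(44)))
SAMPLE_SENT_WITH_PHDR = b"\x00\x00\x00\x00" + SAMPLE_ACL      # direction word 0 = Sent
SAMPLE_RECEIVED_WITH_PHDR = b"\x00\x00\x00\x01" + SAMPLE_ACL  # bit 0 set = Received
```

Running parse_h4_acl(SAMPLE_ACL) yields the same handle, flags, lengths, CID, command code and identifier that the dissection above lists for frame 11.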
In addition, Wireshark can read capture files created by the HCIDUMP utility that is available with the Linux and (I think) the BSD Bluetooth stack, and can also read capture files from the Mac OS X PacketLogger Bluetooth logger application. Other platforms that can create capture files include the following. The .NET library 32feet.NET produces libpcap captures when using the Stonestreet One Bluetopia stack on Windows Mobile, see the Diagnostics section in its documentation at 32feet.NET: Stonestreet One Bluetopia stack.
Example capture file
SampleCaptures/l2ping.cap (Linux BlueZ hcidump) Contains some Bluetooth packets captured using hcidump, the packets were from the l2ping command that's included with the Linux BlueZ stack.
SampleCaptures/Bluetooth1.cap (Linux BlueZ hcidump) Contains some Bluetooth packets captured using hcidump.
tcpdumpBluetooth.pcap (libpcap) Capture created by the Bluetooth-sniffing feature in the latest libpcap/tcpdump CVS.
External links
https://www.bluetooth.org/spec/ Specifications
https://www.bluetooth.org/ the Official Bluetooth Membership Site
http://www.bluetooth.com/bluetooth/ The Official Bluetooth Wireless Info Site
http://en.wikipedia.org/wiki/Bluetooth A very good Wikipedia article about Bluetooth
http://www.bluez.org/ Linux Bluetooth implementation
