• Bluetooth

Bluetooth

Bluetooth is not really a protocol but the name of a stack of protocols that are popular for building very small wireless networks. A common use for Bluetooth is for connecting mobile phone assessories but other applications also exists such as wireless mice and keyboards for computers etc.

History

XXX - add a brief description of Bluetooth history

Protocol dependencies

• HCI_H4: This is not a protocol but more an encapsulation format that wireshark implements.

At the lowest layer implemented in Wireshark, Bluetooth consists of 4 different types of frames:

• BTHCI_ACL: Asynchronous Connectionless traffic. (data)

• BTHCI_SCO: Synchronous Connectionoriented traffic. (voice)

• BTHCI_CMD: Commands

• BTHCI_EVT: Events

Example traffic

No.     Time        Source                Destination           Protocol Info
     11 5.731294                                                L2CAP    Sent Echo Request

Frame 11 (57 bytes on wire, 57 bytes captured)
Bluetooth HCI H4 Sent ACL Data
    Direction: Sent (0x00)
    HCI Packet Type: ACL Data (0x02)
Bluetooth HCI ACL Packet
    .... 0000 0010 1001 = Connection Handle: 0x0029
    ..10 .... .... .... = PB Flag: Start Fragment (2)
    00.. .... .... .... = BC Flag: Point-To-Point (0)
    Data Total Length: 52
Bluetooth L2CAP Packet
    Length: 48
    CID: 0x0001
    Command: Echo Request
        Command Code: Echo Request (0x08)
        Command Identifier: 0xc8
        Command Length: 44

Wireshark

The Bluetooth stack is partially implemented and Wireshark can dissect several of the layers and protocols of the stack.

There is a libpcap format defined for Bluetooth frames, and support in the top-of-tree CVS version of libpcap for capturing on Bluetooth devices in Linux; Wireshark, if linked with that version of libpcap, would be able to capture on Bluetooth devices. (As no official release of libpcap supporting Bluetooth has been made yet, the libpcap in most if not all Linux distributions doesn't support capturing on Bluetooth devices, so you would have to build libpcap from CVS or a CVS snapshot, install it, and build Wireshark with that version of libpcap in order to capture on Bluetooth devices.) Wireshark can also read captures in that format.

In additon, Wireshark can read capture files created by the HCIDUMP utility that is available with the Linux and (I think) the BSD Bluetooth stack.

Example capture file

• SampleCaptures/l2ping.cap (Linux BlueZ hcidump) Contains some Bluetooth packets captured using hcidump, the packets were from the l2ping command that's included with the Linux BlueZ stack.

• SampleCaptures/Bluetooth1.cap (Linux BlueZ hcidump) Contains some Bluetooth packets captured using hcidump.

• tcpdumpBluetooth.pcap (libpcap) Capture created by the Bluetooth-sniffing feature in the latest libpcap/tcpdump CVS.

External links

• https://www.bluetooth.org/spec/ Specifications

• https://www.bluetooth.org/ the Official Bluetooth Membership Site

• http://www.bluetooth.com/bluetooth/ The Official Bluetooth Wireless Info Site

• http://en.wikipedia.org/wiki/Bluetooth A very good Wikipedia article about Bluetooth

• http://www.bluez.org/ Linux Bluetooth implementation

Discussion