This wiki has been migrated to https://gitlab.com/wireshark/wireshark/-/wikis/home and is now deprecated. Please use that site instead.
Bluetooth

Bluetooth is not really a single protocol but the name of a stack of protocols that is popular for building very small wireless (personal area) networks. A common use of Bluetooth is connecting mobile phone accessories, but other applications exist as well, such as wireless mice and keyboards for computers.

History

XXX - add a brief description of Bluetooth history

Protocol dependencies

  • HCI_H4: This is not a protocol but rather an encapsulation format that Wireshark implements: the one-byte packet-type indicator that the HCI UART transport (H4) prepends to every HCI packet, telling the receiver which of the four HCI packet types follows.

At the lowest layer implemented in Wireshark, Bluetooth consists of 4 different types of frames:

  • BTHCI_ACL: Asynchronous Connection-Less traffic (data).
  • BTHCI_SCO: Synchronous Connection-Oriented traffic (voice).
  • BTHCI_CMD: Commands, sent from the host to the controller.
  • BTHCI_EVT: Events, returned by the controller to the host.

Example traffic

No.     Time        Source                Destination           Protocol Info
     11 5.731294                                                L2CAP    Sent Echo Request

Frame 11 (57 bytes on wire, 57 bytes captured)
Bluetooth HCI H4 Sent ACL Data
    Direction: Sent (0x00)
    HCI Packet Type: ACL Data (0x02)
Bluetooth HCI ACL Packet
    .... 0000 0010 1001 = Connection Handle: 0x0029
    ..10 .... .... .... = PB Flag: Start Fragment (2)
    00.. .... .... .... = BC Flag: Point-To-Point (0)
    Data Total Length: 52
Bluetooth L2CAP Packet
    Length: 48
    CID: 0x0001
    Command: Echo Request
        Command Code: Echo Request (0x08)
        Command Identifier: 0xc8
        Command Length: 44
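To make the layering in the dump above concrete, here is an added Python example (it is not code from the Wireshark project or from this page's author) that builds the same H4/ACL/L2CAP echo-request frame as frame 11 and dissects it again. The byte layout follows the Bluetooth Core Specification: the H4 packet-type byte, then the little-endian ACL header (12-bit connection handle with the PB and BC flags in the top four bits, 16-bit data total length), then the basic L2CAP header (16-bit length, 16-bit CID) and, on the signalling channel CID 0x0001, the command header (code, identifier, 16-bit length). The 44 bytes of echo payload are constructed zeros, and the dataclass and function names are this example's own. Note that the "Direction: Sent" line in the dump comes from the hcidump record header rather than from the 57 frame bytes, which is why 57 = 1 + 4 + 52. The example also shows the check every dissector needs: each declared length is validated against the bytes actually present, so a truncated frame or one whose length fields lie is rejected instead of being read past its end.

```python
import struct
from dataclasses import dataclass

# H4 packet-type indicator: the first byte of every frame on the UART (H4) transport.
H4_CMD, H4_ACL, H4_SCO, H4_EVT = 0x01, 0x02, 0x03, 0x04
H4_NAMES = {H4_CMD: "HCI Command", H4_ACL: "ACL Data", H4_SCO: "SCO Data", H4_EVT: "HCI Event"}

PB_NAMES = {0: "First Non-automatically-flushable Packet", 1: "Continuing Fragment",
            2: "Start Fragment", 3: "Complete L2CAP PDU"}
BC_NAMES = {0: "Point-To-Point", 1: "Active Broadcast"}

L2CAP_SIGNALING_CID = 0x0001
L2CAP_CMD_NAMES = {0x01: "Command Reject", 0x02: "Connection Request", 0x03: "Connection Response",
                   0x04: "Configure Request", 0x05: "Configure Response",
                   0x06: "Disconnection Request", 0x07: "Disconnection Response",
                   0x08: "Echo Request", 0x09: "Echo Response"}


class DissectError(ValueError):
    """Raised when a declared length does not match the bytes actually present."""


@dataclass
class AclPacket:
    handle: int
    pb_flag: int
    bc_flag: int
    payload: bytes


@dataclass
class L2capPacket:
    length: int
    cid: int
    payload: bytes


@dataclass
class SignalingCommand:
    code: int
    identifier: int
    length: int
    data: bytes


def _take(data: bytes, offset: int, length: int, what: str) -> bytes:
    """Return data[offset:offset+length], refusing to read past the end of the frame."""
    if offset + length > len(data):
        raise DissectError(f"{what}: declared {length} bytes at offset {offset}, "
                           f"only {max(len(data) - offset, 0)} present")
    return data[offset:offset + length]


def parse_acl(data: bytes) -> AclPacket:
    # ACL header: 16-bit handle/flags word and 16-bit data total length, little-endian.
    handle_flags, total_len = struct.unpack("<HH", _take(data, 0, 4, "ACL header"))
    return AclPacket(handle=handle_flags & 0x0FFF,
                     pb_flag=(handle_flags >> 12) & 0x3,
                     bc_flag=(handle_flags >> 14) & 0x3,
                     payload=_take(data, 4, total_len, "ACL payload"))


def parse_l2cap(data: bytes) -> L2capPacket:
    # Basic L2CAP header: 16-bit payload length, 16-bit channel identifier.
    length, cid = struct.unpack("<HH", _take(data, 0, 4, "L2CAP header"))
    return L2capPacket(length, cid, _take(data, 4, length, "L2CAP payload"))


def parse_signaling(data: bytes) -> SignalingCommand:
    # Signalling command: code, identifier, 16-bit length, then the command data.
    code, ident, length = struct.unpack("<BBH", _take(data, 0, 4, "L2CAP signaling header"))
    return SignalingCommand(code, ident, length, _take(data, 4, length, "L2CAP signaling data"))


def parse_h4(frame: bytes) -> dict:
    """Dissect one H4 frame as far down as the dump on this page goes."""
    if not frame:
        raise DissectError("empty frame")
    ptype = frame[0]
    if ptype not in H4_NAMES:
        raise DissectError(f"unknown H4 packet type 0x{ptype:02x}")
    result = {"h4_type": ptype, "h4_name": H4_NAMES[ptype]}
    if ptype != H4_ACL:
        return result          # CMD/SCO/EVT bodies are left undissected in this example
    acl = parse_acl(frame[1:])
    result["acl"] = acl
    if acl.pb_flag == 1:
        return result          # continuing fragment: no L2CAP header in this packet
    l2cap = parse_l2cap(acl.payload)
    result["l2cap"] = l2cap
    if l2cap.cid == L2CAP_SIGNALING_CID:
        result["signaling"] = parse_signaling(l2cap.payload)
    return result


def build_echo_request_frame(handle: int = 0x0029, identifier: int = 0xC8,
                             echo_data: bytes = bytes(44)) -> bytes:
    """Build the frame shown in the dump above (echo data is constructed zeros)."""
    sig = struct.pack("<BBH", 0x08, identifier, len(echo_data)) + echo_data
    l2cap = struct.pack("<HH", len(sig), L2CAP_SIGNALING_CID) + sig
    acl = struct.pack("<HH", handle | (2 << 12), len(l2cap)) + l2cap   # PB = 2, BC = 0
    return bytes([H4_ACL]) + acl


def summary(frame: bytes) -> list:
    """Render the dissection as Wireshark-like detail lines."""
    r = parse_h4(frame)
    lines = [f"HCI Packet Type: {r['h4_name']} (0x{r['h4_type']:02x})"]
    if "acl" in r:
        a = r["acl"]
        lines += [f"Connection Handle: 0x{a.handle:04x}",
                  f"PB Flag: {PB_NAMES[a.pb_flag]} ({a.pb_flag})",
                  f"BC Flag: {BC_NAMES.get(a.bc_flag, 'Reserved')} ({a.bc_flag})",
                  f"Data Total Length: {len(a.payload)}"]
    if "l2cap" in r:
        lines += [f"Length: {r['l2cap'].length}", f"CID: 0x{r['l2cap'].cid:04x}"]
    if "signaling" in r:
        s = r["signaling"]
        lines += [f"Command Code: {L2CAP_CMD_NAMES.get(s.code, 'Unknown')} (0x{s.code:02x})",
                  f"Command Identifier: 0x{s.identifier:02x}", f"Command Length: {s.length}"]
    return lines


if __name__ == "__main__":
    frame = build_echo_request_frame()
    print(f"Frame ({len(frame)} bytes on wire)")
    print("\n".join("    " + line for line in summary(frame)))
    try:
        parse_h4(frame[:-1])   # one byte short: the length checks must reject it
    except DissectError as e:
        print("truncated frame rejected:", e)
```

Running the block prints the same handle, PB/BC flags, lengths, CID and command fields as the dump above, then shows the truncated copy being rejected at the ACL payload check. A real dissector additionally has to reassemble continuing fragments (PB flag 1) per connection handle before parsing L2CAP, which this example deliberately leaves out.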

Wireshark

The Bluetooth stack is partially implemented and Wireshark can dissect several of the layers and protocols of the stack.

There is a libpcap format defined for Bluetooth frames, and support in the top-of-tree CVS version of libpcap for capturing on Bluetooth devices in Linux; Wireshark, if linked with that version of libpcap, would be able to capture on Bluetooth devices. (As no official release of libpcap supporting Bluetooth has been made yet, the libpcap in most if not all Linux distributions doesn't support capturing on Bluetooth devices, so you would have to build libpcap from CVS or a CVS snapshot, install it, and build Wireshark with that version of libpcap in order to capture on Bluetooth devices.) Wireshark can also read captures in that format.

In addition, Wireshark can read capture files created by the hcidump utility that ships with the Linux BlueZ stack (and possibly with the BSD Bluetooth stack as well).

Example capture file

  • SampleCaptures/l2ping.cap (Linux BlueZ hcidump): Bluetooth packets captured with hcidump; the packets come from the l2ping command included with the Linux BlueZ stack.
  • SampleCaptures/Bluetooth1.cap (Linux BlueZ hcidump): Bluetooth packets captured with hcidump.
  • tcpdumpBluetooth.pcap (libpcap): capture created by the Bluetooth-sniffing feature in the latest libpcap/tcpdump CVS.

External links

  • https://www.bluetooth.org/spec/ Specifications
  • https://www.bluetooth.org/ The official Bluetooth membership site
  • http://www.bluetooth.com/bluetooth/ The official Bluetooth wireless info site
  • http://en.wikipedia.org/wiki/Bluetooth A very good Wikipedia article about Bluetooth
  • http://www.bluez.org/ Linux Bluetooth implementation

Discussion

Bluetooth (last edited 2018-12-20 23:19:52 by GuyHarris)