Ask Your Question
0

How to capture filter on BLE address?

asked 2018-08-23 14:23:36 +0000

johngriswold gravatar image

updated 2018-08-24 17:24:55 +0000

Guy Harris gravatar image

I'm using the AdaFruit BLE sniffer, along with a bunch of software so it can talk to Wireshark. I see BLE packets galore, but I'm interested only in the device I'm testing, not Bill's Android, or the TV, or the... I think everything has BT in it now.

So, I have been trying to filter for the MAC address to no avail. I've tried making filters that look like:

btle.access_address == 00:00:00:00:00:00 (i.e. "some MAC address")
btle.advertising_address == <some MAC address>

One of them does no apparent filtering, the other apparently causes the program distress in that it can't figure out the filter's meaning, I guess.

Can someone tell me what filter string to really use? (This has been a bane of mine in Wireshark from the very beginning, when I was using it on (gasp) wired Ethernet.

Thanks, John

edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted
0

answered 2019-03-19 10:48:27 +0000

I have been crazy trying to use a capture filter on BLE traffic. I have come to the, perhaps incorrect, conclusion that it is not possible.

My take is that Wireshark capture filters use the Berkeley Packet Filter syntax, which does not have any functions for filtering by BLE hardware addresses. Therefore it is not possible to use a capture filter, just a display filter. Is that correct? If so, I'll stop trying.

edit flag offensive delete link more

Comments

See the links in my answer below that has links to the different filters and their syntax.

grahamb gravatar imagegrahamb ( 2019-06-19 20:56:52 +0000 )edit

My take is that Wireshark capture filters use the Berkeley Packet Filter syntax

Yes, given that Wireshark (dumpcap, in particular) uses libpcap/WinPcap/Npcap to do packet capture.

which does not have any functions for filtering by BLE hardware addresses

...because nobody's changed pcap_compile() to support them; they could be added.

Guy Harris gravatar imageGuy Harris ( 2019-06-20 21:13:34 +0000 )edit
0

answered 2019-06-19 19:39:21 +0000

itsymbal gravatar image

updated 2019-06-20 12:42:29 +0000

grahamb gravatar image

this DISPLAY filter worked for me. To be clear, it's not a CAPTURE filter, but may help someone in the future:

bthci_evt.bd_addr == E9:BB:CE:CB:54:B8 || bthci_acl.dst.bd_addr == E9:BB:CE:CB:54:B8 ||bthci_acl.src.bd_addr == E9:BB:CE:CB:54:B8 ||bthci_cmd.bd_addr ==E9:BB:CE:CB:54:B8
edit flag offensive delete link more

Comments

This is a display filter, and won't work for capture filtering. See my answer below.

grahamb gravatar imagegrahamb ( 2019-06-19 20:56:11 +0000 )edit
0

answered 2018-08-23 14:38:51 +0000

grahamb gravatar image

Are you getting confused between:

The btle fields can only be used with Wireshark Display filters.

edit flag offensive delete link more

Comments

I am! Now I know the btle fields don't work for capture. Thank you.

johngriswold gravatar imagejohngriswold ( 2018-08-23 15:10:06 +0000 )edit

Nothing inherently prevents capture filters from existing for Bluetooth LE. To support it would require:

  1. Whatever software connects Wireshark to the Bluefruit sniffer to support libpcap's BPF interpreter and BPF compiler
  2. libpcap's compiler to support Bluetooth LE as a link-layer including the appropriate filter expressions.

The first of those would require the supplier of that software to change it; they should ask the tcpdump-workers mailing list, at [email protected], for help. The second of those would require libpcap changes; the same mailing list would be the place to ask for that. Please pass this information on to the supplier of that software (Nordic Semiconductor?).

Guy Harris gravatar imageGuy Harris ( 2019-06-20 01:51:48 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-08-23 14:23:36 +0000

Seen: 692 times

Last updated: Jun 20