Working with Bluetooth communications can be tedious and frustrating. It can often be invaluable to know exactly how many packets were sent and exactly to which device. Or perhaps you are just curious about what the heck goes back and forth between your phone and those fancy BT mesh lightbulbs? 😉 Follow these instructions to sniff your phone’s Bluetooth traffic!
You will need:
- Android phone running version 4.4 or later
- Android phone in Developer Mode
- Bluetooth HCI (Host Controller Interface) Snoop Log enabled on Android phone
- Wireshark (https://www.wireshark.org/) downloaded and installed on your dev computer
- An easy way to move a file from the Android phone to your dev computer. I use Google Drive.
The Android phone needs to be in developer mode. In the developer menu, the Bluetooth HCI Snoop Log setting needs to be enabled. This setting generates a log file of all Bluetooth activity in and out of the phone, in great detail. However, you need to enable the setting and THEN TOGGLE THE BLUETOOTH ON/OFF in order for the file/folder to be initialized.
Different versions of the Android operating system write the btsnoop file/folder in slightly different places. Go to “Files” and search for “btsnoop”. The log files should have a .cfa extension. You may need to go into the settings and toggle on “show internal storage” for the files/folder to show up. Each time you turn your Bluetooth radio off and on, a new file is generated in this btsnoop folder.
PRO TIP: If you get everything ready to capture, then turn your Bluetooth radio off and on right before you perform the BT action you want to sniff, you won’t have to scroll through a million lines of log file.
To move the .cfa log file to your computer, you could use something like Dropbox, or browse the Android file system from your laptop. I just shared the file to my Google Drive and then downloaded it to my laptop. My flavor of Android had a Share button in the toolbar that made this very, very easy.
Once you have transferred the .cfa log file to your computer, open it in Wireshark (https://www.wireshark.org/). Wireshark is a pretty cool tool. You can click on each of the log entries and see amazing detail on the message, down to the octet in many cases.
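Wireshark is the easiest way to browse the capture, but the same file can also be read without the GUI, which is handy for the “exactly how many packets went to which device” question from the top of the post. The following Python script is an added example, not code from the original post or from Wireshark: it parses the btsnoop container (8-byte magic, version, datalink, then one 24-byte header per record) and counts packets by HCI packet type, direction, and, for ACL data, connection handle. It assumes the .cfa file is a plain btsnoop file using the H4 datalink (1002), which is what Android’s HCI snoop log writes and what Wireshark recognizes; the four-packet capture built by `build_sample_btsnoop()` is constructed for offline testing, not a real phone log.

```python
import struct
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constants from the btsnoop file format (the container Wireshark reads for these
# Android HCI logs). Assumption: the phone's .cfa file is plain btsnoop with the
# H4 datalink; if Wireshark opens it as such, this parser applies to it too.
BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_H4 = 1002          # HCI UART (H4): each record starts with a packet-type byte
H4_TYPES = {0x01: "CMD", 0x02: "ACL", 0x03: "SCO", 0x04: "EVT", 0x05: "ISO"}


@dataclass
class SnoopRecord:
    index: int
    sent: bool          # flags bit 0 clear = host->controller (the phone sent it)
    is_cmd_evt: bool    # flags bit 1 set = HCI command/event, clear = ACL/SCO data
    drops: int          # cumulative packets dropped before this record
    ts_us: int          # microseconds since 0 AD per the spec; only deltas are used here
    data: bytes         # raw H4 packet: type byte followed by the HCI packet


def parse_btsnoop(blob: bytes) -> List[SnoopRecord]:
    """Parse a btsnoop byte string into records; raises ValueError on a malformed file."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file (bad magic)")
    version, datalink = struct.unpack(">II", blob[8:16])
    if version != 1 or datalink != DATALINK_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    records: List[SnoopRecord] = []
    off = 16
    while off < len(blob):
        if off + 24 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        orig_len, incl_len, flags, drops, ts_us = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError(f"truncated record payload at offset {off}")
        off += incl_len
        records.append(SnoopRecord(len(records), not (flags & 1), bool(flags & 2), drops, ts_us, data))
    return records


def summarize(records: List[SnoopRecord]) -> Dict[str, int]:
    """Count packets by H4 type and direction; ACL data is further split by connection handle."""
    counts: Dict[str, int] = {}
    for r in records:
        if not r.data:
            continue
        kind = H4_TYPES.get(r.data[0], f"type0x{r.data[0]:02x}")
        direction = "TX" if r.sent else "RX"
        if kind == "ACL" and len(r.data) >= 5:
            # ACL header: 16-bit little-endian word, low 12 bits = connection handle
            handle = struct.unpack("<H", r.data[1:3])[0] & 0x0FFF
            key = f"{kind} {direction} handle=0x{handle:04x}"
        else:
            key = f"{kind} {direction}"
        counts[key] = counts.get(key, 0) + 1
    return counts


def relative_ms(records: List[SnoopRecord]) -> List[float]:
    """Timestamps in milliseconds relative to the first record (avoids the 0 AD epoch math)."""
    if not records:
        return []
    t0 = records[0].ts_us
    return [(r.ts_us - t0) / 1000.0 for r in records]


def build_sample_btsnoop() -> bytes:
    """Constructed four-packet capture (not a real phone log) for offline testing."""
    def rec(flags: int, ts_us: int, data: bytes) -> bytes:
        return struct.pack(">IIIIq", len(data), len(data), flags, 0, ts_us) + data
    acl = bytes([0x02, 0x10, 0x20, 0x05, 0x00])  # ACL, handle 0x0010, PB flag 0b10, 5 data bytes
    return (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_H4)
            + rec(2, 1_000_000, bytes([0x01, 0x03, 0x0C, 0x00]))                   # HCI_Reset command, sent
            + rec(3, 1_000_500, bytes([0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00]))  # Command Complete, received
            + rec(0, 1_002_000, acl + b"\x01\x00\x04\x00\x0a")                      # ACL data, sent
            + rec(1, 1_003_000, acl + b"\x01\x00\x04\x00\x0b"))                     # ACL data, received


if __name__ == "__main__":
    # Usage: python btsnoop_summary.py <your .cfa file>; with no argument the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_btsnoop()
    recs = parse_btsnoop(blob)
    print(f"{len(recs)} records, {recs[-1].drops if recs else 0} dropped by the phone")
    for key, n in sorted(summarize(recs).items()):
        print(f"{key:32s} {n}")
```

The cumulative drop counter in the last record is worth checking before trusting the counts: a non-zero value means the phone lost packets between the first record and that one, so the log is not the complete conversation. Splitting ACL traffic by connection handle is what ties packets to a device; the handle-to-address mapping is in the connection events earlier in the same log, which Wireshark decodes for you.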
The screen cap above shows one of the many steps in provisioning a Bluetooth mesh Sylvania lightbulb. The Android phone is a OnePlus 7 Pro. In this step, the lightbulb is reporting back to the phone all of its capabilities. The message consists of a series of 1-2 octet codes, each describing a different authentication setting. I was SUPER impressed that Wireshark had built into its UI EXACTLY what to expect with each of the codes. Awesome!
Happy coding, and don’t forget to disable the HCI Snoop Log setting when you are done! Until you turn it off, the phone keeps writing every Bluetooth packet, pairing traffic included, to that folder.