Tracing Bluetooth With Wireshark and Hcidump

Did you know that there's a very easy way to trace the Bluetooth interface between a PC and a Bluetooth dongle on a Linux PC and visualize the result with Wireshark? I didn't and also searching for it on the net only revealed bits and pieces of the puzzle on different web sites. So here's a quick overview of how it all fits together.

Many Linux distributions (such as Ubunutu) ship with the Bluez Bluetooth stack. Part of the stack are a number of very helpful command line tools. Have a look at 'hcitool' (HCI stands for Host Controler Interface, a term defined in the Bluetooth specs) to get general information about connected devices and 'hciconfig' to learn more about the capabilities of the Bluetooth chip in the PC. The most useful tool, however, is 'hcidump' that can be used to trace all Bluetooth messages that are passed between the PC and the Bluetooth chip. On my Ubuntu 12.04 LTS the 'hcidump' tool wasn't installed by default but a simple 'apt-get install bluez-hcidump' does the trick.

'hcidump -X' does some basic level decoding of the messages and outputs the result in real time to the console which is an interesting first step. For more details use the 'hcidump -w filename' command to dump the raw data flow into a file. The file can then be opened in Wireshark without any conversion necessary for full decoding. The two images on the left show how a message looks like in Wireshark that establishes 'HID Interrupt Channel' for a Bluetooth keyboard and how a message looks like that is transmitted to the PC when a key is pressed on the keyboard.

When you use Wireshark make sure you have the latest version as its Bluetooth decoding capabilities have been significantly extended in the past two years. Older versions such as the one included in the Ubuntu 12.04 LTS repository can only partly decode a frame. Compiling and configuring the latest Wireshark version is a bit of a tricky thing though and I'll describe the details of that in a follow up post.