If you are having issues with the exercises, please create a ticket on DevZone:
Click or drag files to this area to upload. You can upload up to 2 files.

Exercise 1

Capture and analyze Bluetooth advertising packets

This exercise builds on the firmware we made in Exercise 2 of Lesson 2, where the peripheral advertised in scannable, non-connectable mode, and we also made a scan response packet containing a URL.

We will use the sniffer to capture advertising packets and analyze the content of the advertising packet, as well as the scan request packet and scan response packet.

Exercise steps

In the GitHub repository for this course, go to the code for this exercise, found in lesson6/blefund_less6_exer1.

Note that this is the same firmware as the solution to exercise 2 found in lesson2/blefund_less2_exer2_solution.

1. Build and flash the application on your board.

LED1 on your board should be blinking, indicating that your board is advertising.

2. Run the sniffer on Wireshark

Open Wireshark. Under Capture, double-click on the hardware interface nRF Sniffer for Bluetooth LE COM port, just like we did when setting up nRF Sniffer.

3. Filter advertising packets from “Nordic_Beacon

You may notice that the captured advertising packets are from multiple different advertising devices.

Let’s filter these out, by clicking on the Device drop-down list to find the “Nordic_Beacon“.


If the name of the advertiser is not shown, you can also look for the address. You can find the address of the device in nRF Connect for Mobile (on Android).

Now you should only see the advertising packets from this device, including the scan requests and scan response related to this device.

Make sure that the “Automatic Scroll” function is enabled to always see the latest packets


Since the peripheral in exercise 2 from lesson 2 uses a randomly generated address that is assigned boot-up, resetting the device will give it a new address. The sniffer won’t be able to track that, so you will need to select “All advertising devices” to track all advertisers and then select the new Nordic_Beacon device with the new address.

4. (optional) Apply an RSSI filter for the Capture interface

If you are working in a dense environment, with many Bluetooth LE devices, this list of devices can be quite long. In the next step, we will filter out these devices based on their vicinity to the sniffer, using the RSSI. If you don’t have a problem with too many devices, you can skip straight to step 5.

Let’s apply a filter for the capture interface, based on the RSSI, or Received Signal Strength Indicator, of the advertising packets.

4.1 Close and re-open Wireshark, to see the Capture menu again

4.2 In the Capture interface selection, type in rssi >= -50

Make sure to click on nRF Sniffer for Bluetooth LE COM port before typing in the filter. Otherwise, the bar will turn red.

This will filter out all Bluetooth LE packets that have RSSI smaller than -50dBm

4.3 Start the sniffer again, and you should see much fewer devices in the Device drop-down list.

5. Inspect the broadcasted advertising packets

1. First, observe that the advertising packets are of type ADV_SCAN_IND, which is non-connectable and scannable. This means the advertiser will accept scan request, but not connection requests.

2. Notice that the advertising packets are broadcasted consecutively on the three advertising channels 37, 38 and 39.

Another thing to note, in the Delta time column, is that the advertising interval is roughly 500 ms. The three packets are relatively close together, with around 1.5ms between them, and then about 500ms later, another cluster of three advertising packets are sent.

Notice the slight difference in the delta time between each advertising event. It’s not exactly 500ms between them. This is because of the 10ms random delay added to each advertising event to avoid continuous collisions if two advertisers have the same advertising interval.

6. Inspect the contents of an advertising packet

Let’s inspect an advertising packet, by clicking on a ADV_SCAN_IND packet from the Nordic_Beacon device.

The bottom half of your window (the Packet Details and Packet Bytes window) will now be updated to show this advertising packet.

Inspecting an advertising packet

Expand Bluetooth Low Energy Link Layer and Advertising Data. Clicking on the different subitems (Flags, Device Name, Manufacturer Specific) will highlight in which part of the packet this data is.

We can match the advertising data in binary to the format we learned in Lesson 2. Recall that the advertising data consists of multiple advertising data structures, starting with the length followed by the type and then the content.

In this case, we can see 0x02 0x01 0x04 is the first advertising structure. In this we have the length is 0x02 byte, the type is 0x01 (meaning it’s a flag) and the value of the flag is BT_LE_AD_NO_BREDR (0x04). You can find the same pattern repeated with the Manufacturer Specific data, starting with the length 0x05, then the type 0xFF (Manufacturer Specific), and the actual contents which consist of the Company ID (0x0059) and then the Data 0x0000.

7. Inspect the scan response packet

To inspect a scan response packet, we need the central, i.e your smartphone, to send a scan request packet to the advertiser.

7.1 Open the nRF Connect for Mobile application and start scanning. This will trigger the phone to automatically send a scan request.

The SCAN_REQ (Scan Request) from the scanner is sent after an advertising packet (in this case on channel 39) and it is followed by a SCAN_RSP (Scan Response) from the advertiser. Both SCAN_REQ and SCAN_RSP is performed on the same channel as the advertising packet it follows.

7.2 Select the SCAN_RSP packet to inspect the contents.

You can find the same pattern of the advertising structure here. It starts with the length 0x1A (26 bytes) followed by type 0x24 (which is URI) and then the actual data which is the URL: //

8. Observe the dynamic data being updated

Recall from lesson 2 exercise 2, that we learned how to dynamically change the contents of the advertising data, triggered by pressing button 1.

8.1 Select any of the advertising packets, ADV_SCAN_IND, and observe the Manufacturer Specific data value of 0x0000.

8.2 Now press button 1 on the board acting as the peripheral

8.3 Inspect a new advertising packet

Observe that the contents of the advertising packets will now be updated, to 0x0100.

Each time you press button 1 on the board that is advertising, the value of the Manufacturer Specific Data will be increased by one.


Bluetooth LE uses little endianness to represent the data in GAP and GATT layers, which is why it increments from 0x00 00 to 0x01 00, etc.

Register an account
Already have an account? Log in
(All fields are required unless specified optional)

  • 8 or more characters
  • Upper and lower case letters
  • At least one number or special character

Forgot your password?
Enter the email associated with your account, and we will send you a link to reset your password.