Setting up nRF Sniffer for Bluetooth LE
In this chapter, we will go through how to set up nRF Sniffer and verify that it functional by sniffing a Bluetooth LE packet.
nRF Sniffer has a comprehensive documentation on how to setup the nRF Sniffer on your computer. Since the time of writing this chapter the way of installing nRF Sniffer has been changed. You can either follow the linked documentation to use nrfutil tool to install the Sniffer for your or you can continue with the manual installation described in this document. It’s recommended to follow the instruction in the nRFSniffer’s documentation linked above as it should contain the most up-to-date installation instructions.
Programming the nRF Sniffer firmware
The nRF Sniffer firmware supports the following boards:
- nRF52840 DK
- nRF52840 Dongle
- nRF52833 DK
- nRF52 DK
- nRF51 DK
- nRF51 Dongle
Important
Due to a recent update of the nRF52833 DK version 3 and nRF52840 DK version 3, the new Interface IC on the DK is not fully compatible with the nRF Sniffer software. If you have an nRF52840DK v3, you will need to use the nRF USB port instead of the Interface IC USB port. The nRF52833 DK v3 is not compatible with the sniffer software at the moment, so you will need to use another DK as the sniffer backend. nRF52833 DK v2 and earlier works fine.
Download the firmware
1. Download nRF Sniffer for Bluetooth LE v4.x or later and extract the contents of the zip file into a folder of your choice.
In the following sections, this folder is referred to as Sniffer_Software.
All the firmware HEX files are located in Sniffer_Software/hex.
| Development kit/dongle | Firmware file name |
|---|---|
| nRF52840 DK | sniffer_nrf52840dk_nrf52840_*.hex |
| nRF52840 Dongle | sniffer_nrf52840dongle_nrf52840_*.hex |
| nRF52833 DK | sniffer_nrf52833dk_nrf52833_*.hex |
| nRF52 DK | sniffer_nrf52dk_nrf52832_*.hex |
| nRF51 DK | sniffer_nrf51dk_nrf51422_*.hex |
| nRF51 Dongle | sniffer_nrf51dongle_nrf51422_*.hex |
2. Open up nRF Connect for Desktop and install and launch the Programmer application.
On macOS and Linux: install the SEGGER J-Link software before proceeding to the next step.
If you are running an M1-based Mac, you must install the Intel/x86 variants of J-Link.
3. In the upper left hand corner, select the board you are using as the Bluetooth LE sniffer.
4. Select Add file and Browse, then navigate to Sniffer_Software/hex and select the file that applies to the hardware you are using, see the table above. Select Open.
5. Click Erase & write to flash the firmware to your board.
Installing Wireshark
This will explain the installation process for Windows and macOS. For instructions on Ubuntu Linux, see Installing Wireshark on Ubuntu Linux.
1. Go to the Wireshark download page.
2. In the Stable Release list at the top of the page, select the release package for your operating system.
The download should start automatically.
3. Open up the file when it’s finished downloading, and follow the instructions to download Wireshark.
Wireshark is an open-source packet analyzer, and can be used for many different protocols. To use it with the nRF Sniffer firmware, we offer an external capture plugin to use with Wireshark.
Installing the nRF Sniffer capture tool
The nRF Sniffer capture tool comes either as stand alone tool or as an external capture plugin for Wireshark.
1. Install nRF Sniffer command.
1.1 Open a command window and navigate to the folder Sniffer_Software/extcap.
1.2 Run the following commands to install Python’s requirements (make sure you have Python v3.6 or later installed on your computer):
pip3 install -r requirements.txt
2. Copy the nRF Sniffer capture tool into Wireshark
2.1 Open Wireshark
2.2 Go to Help > About Wireshark (on Windows or Linux) or Wireshark > About Wireshark (on macOS).
2.3 Select the Folders tab.
2.4 Double-click the location for the Personal Extcap path to open this folder.
You may be prompted with a notice saying The directory does not exist. Click Yes to create it.
2.5 Copy the contents of the Sniffer_Software/extcap/ folder into this folder.
3. Enable the nRF Sniffer capture tool in Wireshark.
3.1 Refresh the interfaces in Wireshark by selecting Capture > Refresh Interfaces or pressing F5.
3.2 Select View > Interface Toolbars > nRF Sniffer for Bluetooth LE to enable the nRF Sniffer interface.
You should see that nRF Sniffer is displayed as one of the interfaces on the Wireshark capture screen, and you should see the nRF Sniffer toolbar.
Running the nRF Sniffer
1. To start sniffing, make sure the nRF Sniffer (your DK or dongle running the nRF Sniffer firmware) is turned on and place it between the two devices that are communicating over Bluetooth LE.
2. In Wireshark, under Capture, double-click on the hardware interface nRF Sniffer for Bluetooth LE COM port, see below
3. Wireshark should now look something like the image below, listing all Bluetooth LE packets in radio range.
Explaining Wireshark in Live Capture
Before proceeding to the exercise portion of this lesson, let’s explain what we are seeing in the Wireshark window.
Your window should be divided into three parts, the packet list, packet details and packet bytes.
If you cannot see all three windows, select View and make sure the following three lines are checked off
- Packet List: Displays all the packets in the current capture session. Each line corresponds to one packet, and if you select a line, more details about the packet will be displayed in the “Packet Details” and “Packet Bytes” panes, below.
- Packet Details: Shows the current packet, selected in the Packet List window, in a more detailed form.
- Packet Bytes: Shows the data of the current packet, selected in the Packet List window, in a hexdump style.
Clicking on a specific section of the data in the Packet Bytes window will show where in the Packet Details window. And similarly, selecting a header in the Packet Details window, will show where in the data this information is defined, in the Packet Bytes window.
Columns in the Packet List window
Let’s take a look at the columns in the Packet List window. Your column headers should look like this
If you are missing any of the column headers, go to the Packet Details window and expand nRF Sniffer for Bluetooth LE. Then right-click on any of the parameters you are missing, select Apply as Column and it will show up in the main view as a column.
Now you should have the following column headers in your live capture view.
- No.: The packet number, incremented for every packet the sniffer captures.
- Time: The timestamp for when the packet was captured, relative to how long the sniffer has been running.
- Source: The address of the device that the packet came from.
- Protocol: Which Bluetooth LE stack layer the packet came from, most will come from the link layer (LE LL). Connection parameter updates come from L2CAP, while GATT operations come from the ATT layer, and packets having to do with encrypting and pairing come from SMP.
- Length: The number of bytes captured in the packet.
- Event counter: The instant number of each connection event starting from 0 when the connection is established.
- Channel Index: Channel number the packet was captured on.
- Delta time (start to start): The time between the start of the previous packet until the start of the current packet. It’s often used to count the distance between each connection event, and very close to the actual connection interval.
- Info: Information about the packet.
You are now ready for the exercise portion of this lesson, where we will go into more detail on what you are seeing.
Important
If you have issues setting up the nRF Sniffer, there is a Troubleshooting section from the documentation that you can take a look at.
