
How to capture filter on BLE address?

I'm using the AdaFruit BLE sniffer, along with a bunch of software so it can talk to Wireshark. I see BLE packets galore, but I'm interested only in the device I'm testing, not Bill's Android, or the TV, or the... I think everything has BT in it now.

So, I have been trying to filter for the MAC address to no avail. I've tried making filters that look like:

btle.access_address == 00:00:00:00:00:00 (i.e. "some MAC address")
btle.advertising_address == <some MAC address>

One of them does no apparent filtering, the other apparently causes the program distress in that it can't figure out the filter's meaning, I guess.

Can someone tell me what filter string to really use? (This has been a bane of mine in Wireshark from the very beginning, when I was using it on (gasp) wired Ethernet.)

Thanks, John

johngriswold, asked 2018-08-23 14:23:36 +0000
Updated by Guy Harris, 2018-08-24 17:24:55 +0000


3 Answers

0

Are you getting confused between:

The btle fields can only be used with Wireshark Display filters.

grahamb, answered 2018-08-23 14:38:51 +0000

Comments

I am! Now I know the btle fields don't work for capture. Thank you.

johngriswold (2018-08-23 15:10:06 +0000)

Nothing inherently prevents capture filters from existing for Bluetooth LE. To support it would require:

  1. Whatever software connects Wireshark to the Bluefruit sniffer to support libpcap's BPF interpreter and BPF compiler
  2. libpcap's compiler to support Bluetooth LE as a link-layer including the appropriate filter expressions.

The first of those would require the supplier of that software to change it; they should ask the tcpdump-workers mailing list, at tcpdump-workers@lists.tcpdump.org, for help. The second of those would require libpcap changes; the same mailing list would be the place to ask for that. Please pass this information on to the supplier of that software (Nordic Semiconductor?).

Guy Harris (2019-06-20 01:51:48 +0000)
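Since libpcap has no BPF primitives for Bluetooth LE addresses, the practical approach is the one the thread converges on: capture everything the sniffer sees and filter afterwards. The script below is an added illustration (not code from this thread, Wireshark or the Nordic/Adafruit sniffer software) of what the display filter btle.advertising_address == <MAC> actually matches: it parses frames in plain LINKTYPE_BLUETOOTH_LE_LL framing (access address, 2-byte PDU header, payload, 3-byte CRC; other link types such as the Nordic sniffer's own DLT prepend a vendor header first, which this example assumes has already been stripped), locates AdvA according to the advertising PDU type, and keeps only frames from the advertiser of interest. The sample frames are constructed inline, with placeholder CRC bytes that are not computed. It also shows why the question's first attempt could not work: btle.access_address is a 32-bit link-layer value, not a 48-bit device address, so comparing it with a MAC never matches.

```python
import struct

# Access address shared by all advertising-channel PDUs (Core spec Vol 6, Part B, 2.1.2).
ADV_ACCESS_ADDRESS = 0x8E89BED6

# Advertising PDU types whose payload begins with AdvA:
# ADV_IND(0), ADV_DIRECT_IND(1), ADV_NONCONN_IND(2), SCAN_RSP(4), ADV_SCAN_IND(6)
_ADVA_AT_OFFSET_0 = {0x0, 0x1, 0x2, 0x4, 0x6}
# PDU types where a 6-byte ScanA/InitA precedes AdvA: SCAN_REQ(3), CONNECT_IND(5)
_ADVA_AT_OFFSET_6 = {0x3, 0x5}


def mac_to_le(mac):
    """'E9:BB:CE:CB:54:B8' -> bytes as sent on air (least-significant byte first)."""
    return bytes(int(octet, 16) for octet in reversed(mac.split(":")))


def mac_to_str(raw_le):
    """Air-order bytes -> the MSB-first notation Wireshark displays."""
    return ":".join(f"{b:02X}" for b in reversed(raw_le))


def build_frame(access_address, header0, payload):
    """Construct a LINKTYPE_BLUETOOTH_LE_LL frame; CRC is a placeholder, not computed."""
    return (struct.pack("<I", access_address)
            + bytes([header0, len(payload)])
            + payload
            + b"\x00\x00\x00")


def parse_ll_frame(frame):
    """Return access address, PDU type and AdvA (if any) of one LL frame."""
    if len(frame) < 4 + 2 + 3:
        raise ValueError("frame too short for AA + header + CRC")
    access_address = struct.unpack_from("<I", frame, 0)[0]
    header0, length = frame[4], frame[5]
    payload = frame[6:6 + length]
    if len(payload) != length or len(frame) < 6 + length + 3:
        raise ValueError("truncated payload")
    info = {"access_address": access_address, "pdu_type": None, "advertising_address": None}
    # Only advertising-channel PDUs carry an AdvA; data PDUs on a connection do not.
    if access_address == ADV_ACCESS_ADDRESS:
        pdu_type = header0 & 0x0F
        info["pdu_type"] = pdu_type
        if pdu_type in _ADVA_AT_OFFSET_0 and length >= 6:
            info["advertising_address"] = mac_to_str(payload[0:6])
        elif pdu_type in _ADVA_AT_OFFSET_6 and length >= 12:
            info["advertising_address"] = mac_to_str(payload[6:12])
    return info


def filter_by_advertiser(frames, target_mac):
    """Indices of frames whose AdvA equals target_mac (what the display filter would keep)."""
    target = target_mac.upper()
    return [i for i, f in enumerate(frames)
            if parse_ll_frame(f)["advertising_address"] == target]


# Constructed sample traffic: the device under test, a neighbour, a scan request
# aimed at the device under test, and one data PDU on an unrelated connection.
DEVICE = "E9:BB:CE:CB:54:B8"
FRAMES = [
    build_frame(ADV_ACCESS_ADDRESS, 0x40, mac_to_le(DEVICE) + b"\x02\x01\x06"),            # ADV_IND
    build_frame(ADV_ACCESS_ADDRESS, 0x40, mac_to_le("11:22:33:44:55:66") + b"\x02\x01\x06"),  # other ADV_IND
    build_frame(ADV_ACCESS_ADDRESS, 0xC3, mac_to_le("AA:BB:CC:DD:EE:FF") + mac_to_le(DEVICE)),  # SCAN_REQ
    build_frame(0x50AA55AA, 0x01, b""),                                                     # data PDU
]

if __name__ == "__main__":
    for i in filter_by_advertiser(FRAMES, DEVICE):
        print(i, parse_ll_frame(FRAMES[i]))
```

The same post-capture selection can be done on a saved file with tshark and its -Y display-filter option, which is the route to take until libpcap grows Bluetooth LE primitives.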

This DISPLAY filter worked for me. To be clear, it's not a CAPTURE filter, but may help someone in the future:

bthci_evt.bd_addr == E9:BB:CE:CB:54:B8 || bthci_acl.dst.bd_addr == E9:BB:CE:CB:54:B8 || bthci_acl.src.bd_addr == E9:BB:CE:CB:54:B8 || bthci_cmd.bd_addr == E9:BB:CE:CB:54:B8
itsymbal, answered 2019-06-19 19:39:21 +0000
Updated by grahamb, 2019-06-20 12:42:29 +0000

Comments

This is a display filter, and won't work for capture filtering. See my answer below.

grahamb (2019-06-19 20:56:11 +0000)

I have been crazy trying to use a capture filter on BLE traffic. I have come to the, perhaps incorrect, conclusion that it is not possible.

My take is that Wireshark capture filters use the Berkeley Packet Filter syntax, which does not have any functions for filtering by BLE hardware addresses. Therefore it is not possible to use a capture filter, just a display filter. Is that correct? If so, I'll stop trying.

rlkeith, answered 2019-03-19 10:48:27 +0000

Comments

See my answer below, which has links to the different filters and their syntax.

grahamb (2019-06-19 20:56:52 +0000)

My take is that Wireshark capture filters use the Berkeley Packet Filter syntax

Yes, given that Wireshark (dumpcap, in particular) uses libpcap/WinPcap/Npcap to do packet capture.

which does not have any functions for filtering by BLE hardware addresses

...because nobody's changed pcap_compile() to support them; they could be added.

Guy Harris (2019-06-20 21:13:34 +0000)
