nRF Sniffer for Bluetooth LE v4.1.x

nRF Sniffer usage

Once the nRF Sniffer for Bluetooth® LE is running, it reports advertisements and lists nearby devices in the Device List. The software interface has several commands for controlling the operating mode of the nRF Sniffer.

Note: The nRF Sniffer might not pick up all connect requests and does not always pick up on a connection. In such cases, reconnect and try sniffing again. If you do not see any activity in your Wireshark console, see Troubleshooting.

The nRF Sniffer has two modes of operation:

  1. Listen on all advertising channels to pick up as many packets as possible from as many devices as possible. This is the default mode.
  2. Follow one particular device and try to catch all packets sent to or from this particular device. This mode catches all:
    • Advertisements and Scan Responses sent from the device
    • Scan Requests and Connect Requests sent to the device
    • Packets in the connection sent between the two devices in the connection
The software interface provides commands and options that control the nRF Sniffer operation.
Figure 1. nRF Sniffer software interface
Hardware interface
This list shows the available hardware interfaces. If you have more than one Development Kit (DK) or dongle with the nRF Sniffer firmware connected, you can choose which one to control with the toolbar. To use several hardware interfaces at the same time, see Capturing from multiple hardware interfaces.
Device list
This list shows nearby devices that are advertising. When you start sniffing, All advertising devices is selected. Choose a device from the list to sniff that specific device. When you select a different device while in a connection, the current connection is no longer sniffed.

If the device that you want to sniff is not found by the sniffer, you can add it to the list manually. See Add LE Address.

A device can also be selected from the list by providing the LE address manually. See Follow LE Address.

If the device is privacy-enabled and the LE address is unknown, you can select Follow IRK and enter the IRK. See IRK.

Input key and value
Use this field to provide the nRF Sniffer with input information that cannot be captured from air-traffic alone. To do so, select the input key from the drop-down menu and enter the corresponding value in the input field.

The following input keys are available:

Legacy Passkey
If your device asks you to provide your passkey, type the 6-digit passkey in the passkey text field and press Enter. Then enter the passkey into the device.
Legacy OOB data
If your device uses a legacy pairing procedure with a 16-byte Out of Band (OOB) key, provide it in hexadecimal format (starting with 0x, big endian). You must do this before the device enters encryption. If the entered key is shorter than 16 bytes, it is padded with zeros in front.
Legacy LTK
If your device has an existing bond using a legacy Long Term Key (LTK), provide it in hexadecimal format (starting with 0x, big endian). You must do this before the device enters encryption. If the entered key is shorter than 16 bytes, it is padded with zeros in front.
SC LTK
If your device has an existing bond using an LE Secure Connections LTK, provide it in hexadecimal format (starting with 0x, big endian). You must do this before the device enters encryption. If the entered key is shorter than 16 bytes, it is padded with zeros in front.
SC Private Key
If your device uses LE Secure Connections pairing and neither of the devices is in debug mode (using the Debug private key), provide the 32-byte Diffie-Hellman private key of your device in hexadecimal format (starting with 0x, big endian). You must do this before the device starts the pairing procedure. If the entered key is shorter than 32 bytes, it is padded with zeros in front.
IRK
If your device is privacy-enabled, the IRK is needed to continue to follow the device when it changes its LE address. You should provide it in hexadecimal format (starting with 0x, big endian). You must do this before the device enters encryption. If the entered key is shorter than 16 bytes, it is padded with zeros in front. When selecting a device that can be resolved with the IRK, the sniffer continues to follow any LE addresses that also resolve with the IRK. If the current LE address of the device is unknown, the device can be followed by selecting Follow IRK in the device list.
Add LE Address
If the device that you want to sniff is not currently advertising and therefore was not discovered, use this field to add its LE address to the device list. Input the full 6-byte LE address, separating each byte with a colon, and append the address type ("public" or "random"). For example: 57:25:b0:81:eb:e5 random
Note: If you add a device while capturing is stopped, the device does not show up in the device list until you start capturing.
Follow LE Address
If the device list is long, use this field to select the LE address in the device list. Input the full 6-byte LE address, separating each byte with a colon, and append the address type ("public" or "random"). For example: 57:25:b0:81:eb:e5 random
Note: If you follow a device while capturing is stopped, the device is not selected until you start capturing.

See Sniffing the pairing procedure of a connection for more information about providing the security credentials.
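
Added example (not part of the Nordic documentation or the nRF Sniffer code): a Python helper that checks input values against the formats described above before they are entered in the toolbar, and shows the bytes that result from the zero padding. The function names are hypothetical, and the random-address subtype check relies on the two most significant address bits as defined in the Bluetooth Core Specification, which goes beyond what this page states.

```python
import re

# Byte lengths this page gives for each input key; shorter values are left-padded.
KEY_BYTES = {
    "Legacy OOB data": 16,
    "Legacy LTK": 16,
    "SC LTK": 16,
    "SC Private Key": 32,
    "IRK": 16,
}

def normalize_key(input_key, value):
    """Return the full-length big-endian bytes for a 0x-prefixed hex value."""
    size = KEY_BYTES[input_key]
    if not re.fullmatch(r"0x[0-9a-fA-F]+", value):
        raise ValueError("value must be hexadecimal and start with 0x")
    digits = value[2:]
    if len(digits) > 2 * size:
        raise ValueError(f"{input_key} is at most {size} bytes")
    # Shorter input is padded with zeros in front, as the page describes.
    return bytes.fromhex(digits.rjust(2 * size, "0"))

def parse_le_address(text):
    """Parse 'aa:bb:cc:dd:ee:ff public|random' into (bytes, type, subtype)."""
    m = re.fullmatch(
        r"((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (public|random)", text.strip())
    if not m:
        raise ValueError("expected six colon-separated bytes and 'public' or 'random'")
    addr = bytes.fromhex(m.group(1).replace(":", ""))
    subtype = None
    if m.group(2) == "random":
        # The two most significant bits of the first printed byte select the subtype.
        subtype = {0b11: "static", 0b01: "resolvable private",
                   0b00: "non-resolvable private"}.get(addr[0] >> 6, "reserved")
    return addr, m.group(2), subtype

if __name__ == "__main__":
    # Constructed sample values, not real key material.
    print(normalize_key("IRK", "0x1234").hex())
    print(parse_le_address("57:25:b0:81:eb:e5 random"))
```

The example address from this page parses as a resolvable private address, which is the case where providing the IRK lets the sniffer keep following the device after its LE address changes.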

Advertising hop sequence
You can change the order in which the nRF Sniffer switches advertising channels when following a device. Define the order with comma-separated channel numbers, for example, 37,38,39. Press Enter when done.

With the default configuration, the nRF Sniffer waits for a packet on channel 37. After it receives a packet on channel 37, it transitions to sniffing on channel 38. When it receives a packet on channel 38, it transitions to sniffing on channel 39. When it receives a packet on channel 39, it starts sniffing on channel 37, and repeats the operation.

Clear button
Click this button to remove all entries in the device list and start scanning for new devices. This button is active only when capturing is ongoing.
Defaults button
Click this button to remove all entries in the device list and set all configuration options to their default values. This button is active only when no capturing is ongoing.
Help button
Click this button to open the documentation.
Log button
Click this button to display the debug log and information about the nRF Sniffer version. Check this log if you encounter any issues, and include the information when reporting issues.