Stian gravatar image

Posted 2015-09-04 14:00:28 +0200


BLE Sniffer in Linux using Wireshark

Here is a small guide on how to build Wireshark with a BLE plugin under linux, with a small example on using this plugin with the Nordic Sniffer API.


  • nRF Dongle (PCA10031/PCA10000) or similar
  • Working installation of SEGGER J-Link drivers (To flash the chip with the firmware)
  • Python 2.7

Tested using

  • Ubuntu 14.04.3
  • Wireshark version 1.12.0

Sniffer API

Download the Sniffer API and firmware here: nRF Sniffer

Inside the zip-file you will find another zip-file called Unzip the content of this file to your workspace. These are the files you need. The "Sniffer API" folder contains the python API, and the "wireshark_dissector_source" folder contains the plugin source.

Build Wireshark with BLE plugin


For Ubuntu:

sudo apt-get install build-essential automake autoconf libgtk2.0-dev libglib2.0-dev libpcap0.8-dev flex bison

Also check out the Wireshark wiki:


  • Download the Wireshark plugin:
  • Download the Wireshark source: wireshark-1.12.0.tar.bz2
  • Decompress wireshark-1.12.0.tar.bz2 and move into created folder (wireshark-1.12.0)
  • Decompress in plugins folder
  • Move Custom files to plugins folder
$ mv plugins/nordic_ble/Custom.m4-1.12.0 plugins/Custom.m4
$ mv plugins/nordic_ble/Custom.make-1.12.0 plugins/Custom.make
$ mv plugins/nordic_ble/Custom.nmake-1.12.0 plugins/Custom.nmake
  • Add packet-nordic_ble.c from the "wireshark_dissector_source" folder in the Sniffer API to plugins/nordic_ble folder
  • Compile wireshark:
$ ./
$ ./configure
$ make
  • Then run wireshark to see if it works:
$ ./wireshark

Flash firmware

Flash the chip with the firmware included in the "Firmware" folder in the Sniffer API zip file you downloaded (ble-sniffer_nRF51822_1.0.1_1111_Sniffer.hex), using JLinkExe or preferred tool. No need to flash softdevice first.

Linux example code

  • Download the example python script here:
  • Put it in the Sniffer API root folder (Called "SnifferAPIBuild" after the unzip)
  • install the "pyserial" python 2.7 package:
pip install pyserial

In the example script under def setup() you can set the UART port for the nRF USB dongle. In Ubuntu it should enumerate under "/dev/ttyACM0". Check to see if this is the case:

ls -l /dev/ttyACM0

Also set the address of the device you want to sniff (tls_dev_addr)

Run the example script:

sudo python

(You might need to run as sudo to access the UART port)

If the device is found, run Wireshark (from the Wireshark root folder) using:

./wireshark -Y btle -k -i /home/username/snifferAPI_directory/SnifferAPIBuild/logs/nordic_ble.pipe

(This command will also be output from the script when the sniffer successfully finds the device. So you can copy/paste it to get the right path for the nordic_ble.pipe file)

Wireshark should start to show the packets now.


EarthLord gravatar image

Posted Sept. 7, 2015, 7:45 p.m.

Thanks Stian for your effort! Can confirm that it work for me in Ubuntu 15.04. Great to have this tool work with Linux now.

I had to go through a bit of effort to make this work. Here are some pointers for others which might help.

  1. Install dependency packages for wireshark. autogen stops when these are not installed. libtool and libtoolize are two packages that I think I installed apart from what is mentioned in this post.
  2. Note that stops scanning when the device address which it is searching is not found and the nordic_ble.pipe is not created. Update1: Also looks like the nordic_ble.pipe file needs to be deleted before a new sniff is started.
  3. Had search a lot to figure out this bug was making wireshark get a segmentation fault.
  4. Update1: Forgot to mention that in the file attached a colon is missing at the end of the if statement in the loop method.

Happy sniffing to you all! :)

sidekick gravatar image

Posted Sept. 8, 2015, 10:14 a.m.

While building wireshark from scratch. Make sure that, packet capturing development files (headers) are installed, On Fedora 21, this can be done as below:

$ sudo yum install libpcap-devel
daurman gravatar image

Posted Nov. 23, 2015, 11:48 p.m.

Hello Stian, I've merged the code in this blog post in my fork of the Adafruit BLE Sniffer.

The Adafruit script does a scan and presents the list of devices in range. You can select the device and start the Wireshark capture.

There is nothing special, just you don't have to guess the value of tls_dev_addr.

I gave you all credits in the files commited to github and I hope there are no licensing issues.


ambrice gravatar image

Posted Feb. 6, 2016, 12:57 a.m.

I updated the build scripts in nordic_ble so that it will build without needing wireshark source or a custom wireshark build.

You can build it against the wireshark-dev package (Ubuntu) or whatever the Fedora equivalent is, and it installs to ~/.wireshark/plugins/ so you can run the system wireshark. Tested with Ubuntu 15.10, probably still need a wireshark 1.12.x version to build against.

finikorg gravatar image

Posted March 30, 2016, 12:38 p.m.

Hello Aaron, I followed your steps but for some reason the plugin did not get built. I have latest Ubuntu, wireshark upstream git.

Ciube gravatar image

Posted May 10, 2016, 2:59 p.m.

Hi Aaron,

I followed the step of this guide but when I do make it doesn't work. This is the error:

make: * No targets specified and no makefile found. Stop.

I am in the wireshark directory created after the tar of the file. I don't know where I did the mistake.

Thank you

tralamazza gravatar image

Posted June 23, 2016, 4:19 p.m.

I wrote a small how-to

I hope this helps.

matrach gravatar image

Posted Nov. 23, 2016, 3:43 p.m.

Wireshark 2.3 no longer requires a separate plugin. It doesn't work out of the box, though. To enable the plugin one needs to:

  • go to Edit->Preferences->Protocols->DLT_USER
  • edit the Encapsulation Table and add "user10 (DLT=157)" with "nordic_ble" in the payload protocol field.

To get the 2.3 version on Ubuntu 16.04 one may use dreibh's PPA.


Posted Jan. 27, 2017, 11:54 a.m.

I am attempting to port the C dissector to Lua at LE LL dissection using btle dissector is working. Still need to complete work on dissecting nordic_ble tree. I'm not planning on porting support for legacy header and nordic_debug. Feel free to fork and extend.

schef gravatar image

Posted April 7, 2017, 11 a.m.

What works:

wireshark-git (2.3.0)

for less headaches.

In wireshark go to:

  • Edit -> Preferences -> Protocols -> DLT_USER -> Edit
  • add User 10 (DLT = 157) and payload nordic_ble
SørenHN gravatar image

Posted Aug. 11, 2017, 4:05 p.m.

The SnifferAPIBuild/logs/nordic_ble.pipe used when running wireshark did not come with files I downloaded through the provided links. Where do i find this file? Or have I done something wrong?

Some of the files are in need for an update and some of the users experiences could be added for ease of installation for new adopters, but otherwise a nice guide.

Sign in to comment.

User menu

    or sign up

Recent questions