After installing nrfutil-ble-sniffer v0.19.0 (released 2026-04-30) and running bootstrap, Wireshark does not show the "nRF Sniffer for Bluetooth LE"
capture interface. The extcap shim panics immediately.
Environment
- nrfutil: 8.2.0
- nrfutil-ble-sniffer: 0.19.0
- Wireshark: 4.6.5 (manual install from wireshark.org)
- macOS: Sequoia 15.7.4 (24G517), Apple Silicon (aarch64)
Reproduction
mkdir -p ~/.local/lib/wireshark/extcap
nrfutil ble-sniffer bootstrap
~/.local/lib/wireshark/extcap/nrfutil-ble-sniffer-shim --extcap-interfaces
Output:
thread 'main' panicked at src/main.rs:1953:68:
called `Option::unwrap()` on a `None` value
Error: Subprocess /Users/<user>/.nrfutil/bin/nrfutil-ble-sniffer failed with unexpected exit code Some(101)
Root cause identified
The shim passes --extcap-interfaces directly to the nrfutil-ble-sniffer binary as a top-level flag. But in v0.19.0 the binary uses a subcommand
architecture (sniff, bootstrap, hci, help) and rejects unknown top-level flags with exit code 101. The shim then panics trying to parse the empty
output.
Confirmed by wrapping the binary:
[SPY] argv: --extcap-interfaces
[SPY] exit=101
And directly:
~/.nrfutil/bin/nrfutil-ble-sniffer --extcap-interfaces
# error: unexpected argument '--extcap-interfaces' found
Workaround
The sniffer firmware and CLI path work correctly. Capture to a pcap file and open in Wireshark:
nrfutil-ble-sniffer sniff \
--port /dev/cu.usbmodem<serial>3 \
--output-pcap-file ~/Desktop/capture.pcap \
--timeout 15000
open ~/Desktop/capture.pcap
Only the live Wireshark interface enumeration (extcap) is broken.
Additional note
Running sudo nrfutil ble-sniffer bootstrap creates ~/.nrfutil/logs/nrfutil-ble-sniffer.log owned by root, which causes a second failure mode
("Failed to set up file logger — Permission denied") on every subsequent non-root invocation. Bootstrap should be run without sudo; the target
directory ~/.local/lib/wireshark/extcap/ is user-owned and doesn't require it.
