Recommended
Related

BLE Sniffer in Linux using Wireshark

Stian Røed Hafskjold

Here is a small guide on how to build Wireshark with a BLE plugin under linux, with a small example on using this plugin with the Nordic Sniffer API.

##Prerequisites

  • nRF Dongle (PCA10031/PCA10000) or similar
  • Working installation of SEGGER J-Link drivers (To flash the chip with the firmware)
  • Python 2.7

###Tested using

  • Ubuntu 14.04.3
  • Wireshark version 1.12.0

##Sniffer API Download the Sniffer API and firmware here: nRF Sniffer

Inside the zip-file you will find another zip-file called SnifferAPI.zip. Unzip the content of this file to your workspace. These are the files you need. The "Sniffer API" folder contains the python API, and the "wireshark_dissector_source" folder contains the plugin source.

##Build Wireshark with BLE plugin

###Dependencies

For Ubuntu:

sudo apt-get install build-essential automake autoconf libgtk2.0-dev libglib2.0-dev libpcap0.8-dev flex bison

Also check out the Wireshark wiki: https://wiki.wireshark.org/Development

###Build

  • Download the Wireshark plugin: nordic_ble_linux-1.12.0.zip

  • Download the Wireshark source: wireshark-1.12.0.tar.bz2

  • Decompress wireshark-1.12.0.tar.bz2 and move into created folder (wireshark-1.12.0)

  • Decompress nordic_ble_linux-1.12.0.zip in plugins folder

  • Move Custom files to plugins folder

    $ mv plugins/nordic_ble/Custom.m4-1.12.0 plugins/Custom.m4 $ mv plugins/nordic_ble/Custom.make-1.12.0 plugins/Custom.make $ mv plugins/nordic_ble/Custom.nmake-1.12.0 plugins/Custom.nmake

  • Add packet-nordic_ble.c from the "wireshark_dissector_source" folder in the Sniffer API to plugins/nordic_ble folder

  • Compile wireshark:

    $ ./autogen.sh $ ./configure $ make

  • Then run wireshark to see if it works:

    $ ./wireshark

##Flash firmware

Flash the chip with the firmware included in the "Firmware" folder in the Sniffer API zip file you downloaded (ble-sniffer_nRF51822_1.0.1_1111_Sniffer.hex), using JLinkExe or preferred tool. No need to flash softdevice first.

##Linux example code

  • Download the example python script here: example_linux.py

  • Put it in the Sniffer API root folder (Called "SnifferAPIBuild" after the unzip)

  • install the "pyserial" python 2.7 package:

    pip install pyserial

In the example script under def setup() you can set the UART port for the nRF USB dongle. In Ubuntu it should enumerate under "/dev/ttyACM0". Check to see if this is the case:

ls -l /dev/ttyACM0

Also set the address of the device you want to sniff (tls_dev_addr)

Run the example script:

sudo python linux_example.py

(You might need to run as sudo to access the UART port)

If the device is found, run Wireshark (from the Wireshark root folder) using:

./wireshark -Y btle -k -i /home/username/snifferAPI_directory/SnifferAPIBuild/logs/nordic_ble.pipe

(This command will also be output from the script when the sniffer successfully finds the device. So you can copy/paste it to get the right path for the nordic_ble.pipe file)

Wireshark should start to show the packets now.

  • I was trying to get this setup and running on 18.04 and was running into a problem where the QT on the system was compiled with PIE and it needed PIC. I have seen this issue on my last job and the way I resolved it was to build the entire QT and use it rather than the system default. I hope that's not the case here.

    Also seems to be some possible issues as the code is looking for qt4, but on 18.04 qt5 is the default. I tried to set the default to be qt4, but the code is still looking for qt5 in the configure as well as compile. I can compile QT if I need to, but I have BTDT and not preferable for me as I have other stuff I need QT for.

  • Getting fallowing error with wireshark1.12.0 source. I tried the above mentioned steps

    Making all in nordic_ble make[3]: Entering directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[3]: *** No rule to make targetall'. Stop. make[3]: Leaving directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory/home/kiran/wireshark-1.12.0/plugins' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/kiran/wireshark-1.12.0' make: *** [all] Error 2

  • Getting fallowing error with wireshark1.12.0 source. I tried the above mentioned steps

    Making all in nordic_ble make[3]: Entering directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[3]: *** No rule to make targetall'. Stop. make[3]: Leaving directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory/home/kiran/wireshark-1.12.0/plugins' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/kiran/wireshark-1.12.0' make: *** [all] Error 2

  • Getting fallowing error with wireshark1.12.0 source. I tried the above mentioned steps

    Making all in nordic_ble make[3]: Entering directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[3]: *** No rule to make targetall'. Stop. make[3]: Leaving directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory/home/kiran/wireshark-1.12.0/plugins' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/kiran/wireshark-1.12.0' make: *** [all] Error 2

  • Getting fallowing error with wireshark1.12.0 source. I tried the above mentioned steps

    Making all in nordic_ble make[3]: Entering directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[3]: *** No rule to make targetall'. Stop. make[3]: Leaving directory /home/kiran/wireshark-1.12.0/plugins/nordic_ble' make[2]: *** [all-recursive] Error 1 make[2]: Leaving directory/home/kiran/wireshark-1.12.0/plugins' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory `/home/kiran/wireshark-1.12.0' make: *** [all] Error 2