BLE Sniffer Basics + Comparison Guide

Introduction

One of the most crucial tools that every Bluetooth developer should have on hand is a BLE sniffer. There are many cases where the two communicating BLE devices seem to be doing everything right, but things are just not working. 😖 In these circumstances, a BLE sniffer can come in pretty handy!

So, what does a BLE sniffer do? How can it be helpful? What are the different options for BLE sniffers? Those are the exact questions we’ll be addressing in this article.

What is a BLE sniffer? What does a BLE sniffer do?

A BLE sniffer (aka Bluetooth protocol analyzer) acts as a passive listening device that captures BLE packets sent over the air from various devices within the direct radio range.

Why do we call it “passive”? Because it does not interact with the BLE devices around it and instead simply captures the packets, meaning other BLE devices are unaware of its existence.

This can be very helpful, especially when you’re interested in debugging communication between BLE devices without interfering with or affecting that communication.

For example, when two BLE devices connect to each other and something is not working correctly, you wouldn’t want to interfere with the communication. Instead, passively capturing the packets exchanged between the devices will give you a better insight into the issues going on with the communication.

A BLE sniffer is helpful, not just for debugging!

Another important reason for getting familiar with and using a BLE sniffer is that it can help tremendously in learning how BLE works.

This is especially useful for new features that have just been released in recent versions of the Bluetooth specification.

How does a BLE sniffer work?

In general, a BLE sniffer captures packets in two main scenarios:

  • Advertising mode: it captures advertising packets (mainly on the primary advertising channels 37, 38, and 39)
  • Connection mode: it captures packets exchanged between two BLE devices during a connection (the remaining 37 channels: 0 through 36)

The way the sniffer accomplishes this primarily depends on its hardware implementation. There are two main types of sniffers:

1. Development kit-based BLE sniffers

These types of BLE sniffers typically can only capture packets sent over one of the RF channels, whether that’s an advertising or connection channel.

When capturing advertising packets, it continuously switches between scanning the three primary advertising channels (37, 38, and 39) to capture as many advertising packets as possible.

Obviously, this means it will inevitably miss some packets, but the probability of capturing the missed packets increases the longer the sniffer is running.

For capturing connections, usually, these types of sniffers are only capable of sniffing one connection at a given time.

They can sniff a connection by switching to listening on the exact RF channel on which the two communicating BLE devices exchange packets.

If you recall, when two Bluetooth Low Energy devices are connected, they utilize a frequency hopping mechanism where they exchange packets on a specific RF channel during what’s referred to as a “connection event.”

Then they switch to a different RF channel based on a pre-determined pattern in the subsequent connection event.
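How a single-radio sniffer can predict where the next connection event will take place, as an added example (not code from this article or from any vendor's sniffer firmware): Channel Selection Algorithm #1 from the Bluetooth Core Specification derives each event's data channel from the hop increment and channel map exchanged at connection setup. The function names and sample parameters are assumptions made for illustration; connections that use Channel Selection Algorithm #2 (introduced in Bluetooth 5) hop differently.

```python
# Added example: BLE Channel Selection Algorithm #1 (data channel hopping).
# Connection parameters used here are constructed sample values.
ALL_DATA_CHANNELS = (1 << 37) - 1  # channel map with data channels 0-36 all in use


def channel_to_mhz(ch):
    """RF centre frequency in MHz for BLE channel index 0-39."""
    adv = {37: 2402, 38: 2426, 39: 2480}  # primary advertising channels
    if ch in adv:
        return adv[ch]
    if 0 <= ch <= 10:
        return 2404 + 2 * ch
    if 11 <= ch <= 36:
        return 2428 + 2 * (ch - 11)
    raise ValueError(f"invalid BLE channel index: {ch}")


def hop_sequence(hop_increment, channel_map, events, last_unmapped=0):
    """Data channel used in each of the next `events` connection events.

    channel_map is a 37-bit integer; bit n set means data channel n is used.
    last_unmapped is 0 before the first connection event.
    """
    if not 5 <= hop_increment <= 16:
        raise ValueError("hop increment must be in the range 5-16")
    used = [ch for ch in range(37) if (channel_map >> ch) & 1]
    if len(used) < 2:
        raise ValueError("channel map must mark at least two channels as used")
    sequence = []
    for _ in range(events):
        unmapped = (last_unmapped + hop_increment) % 37
        if unmapped in used:
            sequence.append(unmapped)
        else:
            # Unused channel: remap onto the ascending list of used channels.
            sequence.append(used[unmapped % len(used)])
        last_unmapped = unmapped
    return sequence


if __name__ == "__main__":
    # Constructed sample: hop increment 7, only data channels 0-9 marked as used.
    for event, ch in enumerate(hop_sequence(7, 0x3FF, 6)):
        print(f"event {event}: data channel {ch:2d} ({channel_to_mhz(ch)} MHz)")
```

A sniffer that misses the connection setup packet has neither parameter, which is one reason a single-radio sniffer has to be listening on the right advertising channel when the connection is created.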

These sniffers are usually based on existing development kits, meaning they utilize existing BLE development kits provided by the vendor, which also provides the BLE sniffer firmware.

Usually, they do not support all the latest updates in the Bluetooth standard. This is because they are usually not dedicated sniffers, and instead, this functionality is provided as extra functionality for their customers.

They usually utilize open-source software as an interface for viewing the captured packets, such as Wireshark.

The cost is usually very low (≤ $100). It’s usually just the hardware cost (development kit), and the sniffer firmware is provided for free.

2. Dedicated BLE sniffers

These types of BLE sniffers are typically Software Defined Radio (SDR) based, meaning they can capture the whole radio spectrum (2.4 GHz spectrum in the case of BLE).

These types of sniffers are meant to be dedicated devices, so they are much more capable than the first type.

They can capture all types of BLE packets on all 40 channels (advertising and connection packets).

They can sniff multiple connections simultaneously.

They can capture all advertising packets in the area without needing to hop between the three advertising channels.

Since they’re dedicated sniffers, the vendor is committed to supporting the latest version of the Bluetooth standard.

Typically, the PC software used to interface with the sniffer is provided by the vendor and is custom developed instead of relying on open-source software.

The cost is typically very high compared to the “development kit”-based sniffers, but that’s because of the engineering costs associated with developing and maintaining the functionality of the sniffer.

Can Wireshark sniff BLE?

As mentioned above, the type of software needed to interface with the BLE sniffer hardware/device depends on the type of sniffer.

For development kit-based sniffers and some of the mid-range sniffers, Wireshark is usually the officially supported software used to interface with the sniffer. The main advantage here is that it’s open-source, which means it’s free, well-maintained, and updated with new features and bug fixes.

Keep in mind that decoding some of the fields introduced in new versions of the Bluetooth specification may depend on support for these packet types and fields being added to Wireshark (or added by the sniffer vendor).

For dedicated sniffers, the most common solution provided is the use of proprietary software provided by the vendor. The software is typically offered for free to accompany the sniffer device.

The main advantage here is that the vendor controls both the PC-based software and sniffer firmware, so they can provide a much better and more seamless user experience. They’re also better at providing support for the latest features of the Bluetooth standard.

Let’s go over a comparison of the most popular BLE sniffers in the market.

BLE Sniffer Comparison

1. Ellisys Bluetooth Tracker

  • Price: starts at $10,000, on the low-end, and goes up depending on which software features are enabled.
  • Pros:
    • Very compact and portable
    • SDR-based and supports the latest released version of Bluetooth Low Energy spec (BLE-only).
    • Supports Wi-Fi and 802.15.4 technologies.
    • Lower cost than other commercial sniffers.
    • Easy-to-use PC Software
  • Cons: not affordable for many, software is Windows-only.

2. Texas Instruments BLE Sniffer (CC2540EMK-USB dongle)

  • Price: around $50.
  • Pros: Relatively easy to use, reasonable cost, minimal setup required.
  • Cons: can listen on only one advertising channel at a time (hardware limitation), uses proprietary analysis application, challenging to export captured data (need to develop or use a tool that parses the exported data), drops packets occasionally, crashes occasionally, only supports up to Bluetooth version 4.2.

3. Nordic nRF Sniffer (nRF51 PCA10031 USB dongle)

  • Price: around $50.
  • Pros: reasonable cost, integrates with Wireshark (Windows only) through the use of Nordic nRF Sniffer software (command line utility).
  • Cons: can listen on only one advertising channel at a time (hardware limitation), requires a bit of setup, occasionally drops packets, and has no support for Bluetooth 5.0 and later versions.

4. Nordic nRF Sniffer (nRF52 PCA10059 USB dongle)

  • Price: around $10.
  • Pros: very low cost, fully supports Bluetooth 5 as a development kit, integrates with a full suite of applications from Nordic, the nRF Connect for desktop.
  • Cons: can listen on only one advertising channel at a time (hardware limitation), requires a bit of setup, occasionally drops packets, and usually lags behind in terms of support for the latest Bluetooth Low Energy features.
  • Here’s a Getting Started tutorial for this USB dongle: The nRF52840 USB Dongle Tutorial (Part 1)

5. Adafruit Bluefruit LE Sniffer
(pretty much the same as the nRF51 sniffer – based on the same chipset)

  • Price: around $30.
  • Pros: low cost, integrates with a full suite of applications from Nordic, the nRF Connect for Desktop.
  • Cons: Does not support Bluetooth 5.0 and later, can listen on only one advertising channel at a time (hardware limitation), a bit of setup required, drops packets occasionally.

6. Ubertooth One

  • Price: $125-$150.
  • Pros: open-source software and hardware.
  • Cons: can listen on only one advertising channel at a time (hardware limitation); difficult to get set up on Mac OS X or Windows (much simpler on Linux). Lags behind in terms of support for the latest Bluetooth spec versions.

7. Frontline (Teledyne Lecroy) ComProbe BPA low energy

  • Price: $1,295.
  • Pros: can listen in on all three advertising channels simultaneously, compact design, powerful PC software (almost overwhelmingly powerful).
  • Cons: relatively pricey, Windows only, cumbersome UI (too many bells and whistles), minimal tutorials available, support for Bluetooth version 4.2 (BLE-only, no support for later versions).
  • Note: this sniffer is a bit unique compared to the other sniffers in the list. It utilizes four BLE chipsets, three of them used to scan each of the primary advertising channels simultaneously (37, 38, and 39), and the fourth is used to follow a specific connection between two BLE devices.

8. Frontline X500™ Wireless Protocol Analyzer

  • Price: $45,000+
  • Pros:
    • Employs Software Defined Radio (SDR), meaning the device’s firmware can be updated to support any future version of the Bluetooth spec.
    • Captures Bluetooth (BR/EDR and Low Energy), Wi-Fi (Wi-Fi 5, 6, and 6e – including 6 GHz ISM band), and 802.15.4 technologies.
    • Allows capturing data with a push of a button on the device without being connected to a PC
  • Cons: very expensive, bulky, software is Windows-only.

9. Frontline X240™ Wireless Wideband Analyzer

  • Price: $30,000+
  • Pros:
    • Employs Software Defined Radio (SDR), meaning the device’s firmware can be updated to support any future version of the Bluetooth spec.
    • Captures Bluetooth (BR/EDR and Classic), Wi-Fi (2.4 GHz only), and 802.15.4 technologies.
    • Smaller footprint than similar offerings, lightweight.
    • Allows capturing data with a push of a button on the device without being connected to a PC
  • Cons: expensive, software is Windows-only.

10. Ellisys Bluetooth Explorer

  • Price: around $30,000.
  • Pros:
    • Employs Software Defined Radio (SDR), meaning the device’s firmware can be updated to support any future version of Bluetooth (BR/EDR and Low Energy).
    • Captures Bluetooth (BR/EDR and Low Energy), Wi-Fi (2.4 GHz only), and 802.15.4 technologies.
    • Easy-to-use PC Software.
  • Cons: very expensive, bulky, software is Windows-only.

11. Ellisys Bluetooth Vanguard

  • Price: $40,000+
  • Pros:
    • Employs Software Defined Radio (SDR), meaning the device’s firmware can be updated to support any future version of Bluetooth (BR/EDR and Low Energy).
    • Captures Bluetooth (BR/EDR and Low Energy), Wi-Fi (2.4 GHz only), and 802.15.4 technologies.
    • Easy-to-use PC Software.
    • Supports connection through Ethernet in addition to USB (allowing interfacing remotely).
  • Cons: very expensive, bulky, software is Windows-only.

Spanalytics, a small company based out of Virginia, USA, saw a gap in the market for mid-tier priced Bluetooth protocol analyzers (under $10,000), and so they decided to fill this gap with their new PANalyzr Protocol Analyzer. Spanalytics, as a company, has extensive experience with both Bluetooth Classic (BR/EDR) and BLE.

Their PANalyzr offers continuous updates to keep up-to-date with the latest Bluetooth version and integrates with Wireshark for utmost flexibility.

  • Price: $8,995
    • 5% Exclusive Novel Bits discount available, bringing the price down to ~$8,545 ($450 OFF!) Use coupon code MOHAM5 during checkout. *
  • Pros and Features:
    • BLUETOOTH (BR/EDR + BLE), Wi-Fi & 802.15.4: Designed for IoT
    • SMALL SIZE: Easy to take anywhere
    • ACCURATE TIMING: Check packet arrival and throughput
    • WIDS MODULE: Optional Wireless Intrusion Detection System module
    • POWERED VIA USB PORT: Ultimate portability
    • EASY SETUP: Plug in and go
    • ON-BOARD MEMORY: Enable stand-alone capture on battery power
    • ANALYTICS: Optional analytics modules
    • BIG PERFORMANCE: 80MHz Concurrent Bandwidth
    • REVIEW CAPTURE FILES: Open and save stored files
    • MULTI-PLATFORM SUPPORT: Windows, Linux, and macOS support
    • BEST-IN-CLASS PRICE: Systems starting under $9k
    • MOBILE WEB APPLICATION: Optional cloud module allows data access anywhere
    • CAN BE PURCHASED ONLINE VIA CREDIT CARD: No need for POs and Invoicing like other commercial sniffers!
  • Cons: fairly expensive – may not be affordable for some.

* To take advantage of the 5% exclusive discount ($450 OFF), enter “MOHAM5” during checkout. Disclaimer: By using the discount code, Novel Bits may receive a commission.

Conclusion & Recommendations

I hope that after reading this article, you’ve learned a lot about BLE sniffers (protocol analyzers) and that you now have a better understanding of how they work.

As you can see, the pricing of the different sniffers varies dramatically. Here are a few recommendations depending on your budget and needs:

  1. Obviously, if you’re just getting started with BLE development or you’re on a budget, then you will have a limited number of options. In that scenario, I would highly recommend the nRF52840 USB Dongle + nRF Sniffer option.
  2. If you are looking for a very capable sniffer that can handle most of what the high-end sniffers (Ellisys, Frontline/Teledyne Lecroy) offer at a fraction of the price, then I highly recommend the Spanalytics PANalyzr (be sure to use the exclusive Novel Bits 5% discount code MOHAM5 during checkout).
    It offers everything you need to capture BLE communication, from advertising packets to encrypted connections between two devices.
  3. If you’re not short on budget and need a very capable BLE sniffer that’s always kept up-to-date with the latest Bluetooth version spec, then I’d highly recommend the Ellisys Bluetooth Tracker.

Keep an eye out for upcoming posts covering more on BLE sniffers, and be sure to subscribe to the newsletter to be notified when a new post gets published!
