In Part 1 of this series, we covered everything you need to get started with the nRF Sniffer: why packet sniffing matters, hardware options, step-by-step installation, and how to start your first capture. If you haven't read that guide yet, I recommend starting there—it walks you through the complete setup from downloading Wireshark to capturing your first Bluetooth Low Energy (Bluetooth LE) advertising packets.
At the end of Part 1, I mentioned we'd dive deeper into practical usage. In this guide, we'll focus on device filtering and packet filtering for advertising traffic. Following connections, deciphering GATT operations, and decrypting connections are left for Part 3.
Now that you have your sniffer up and running, you've probably noticed something: there's a lot of Bluetooth LE traffic out there. Every smartphone, smartwatch, wireless earbud, and IoT device in range is broadcasting packets, and trying to find the one device you care about can feel like searching for a needle in a haystack.
That's where display filters come in. I've found that the key to effective packet analysis isn't capturing more data—it's knowing exactly how to filter what you've captured. In this guide, we'll go from "packets everywhere" to "laser-focused analysis" using a real Bluetooth LE peripheral as our target.
In this post, we'll cover:
- The difference between capture filters and display filters (and when to use each)
- How to discover and identify Bluetooth LE devices in your environment
- How to lock onto a specific device using address, signal strength, and advertising data
- How to parse and filter advertising data (manufacturer data, service UUIDs, device names)
- A comprehensive cheat sheet of advertising filters you can use immediately
By the end of this guide, you should be able to confidently navigate through complex Bluetooth LE captures and isolate exactly the traffic you need to analyze.