In the previous part of this series, we mastered Wireshark display filters for Bluetooth LE advertising traffic. We learned how to filter by PDU type, signal strength, device address, and advertising data structures — essentially everything you need to find and isolate devices during the advertising phase.
But advertising is only half the story. The real action happens after two devices connect. That’s where you’ll see service discovery, characteristic reads and writes, notifications streaming back and forth — all the GATT operations that make Bluetooth LE applications actually work.
I’ve found that most Bluetooth LE debugging happens in the connection phase. Advertising issues are usually straightforward — a device is either advertising or it isn’t. Connection issues, on the other hand, can be subtle: intermittent disconnections, failed GATT operations, unexpected parameter negotiations, or services that simply don’t show up. A sniffer gives you visibility into exactly what’s happening at the packet level.
In this post, we’ll cover:
- How Bluetooth LE connection establishment works at the packet level
- Capturing and analyzing CONNECT_IND packets
- Using the nRF Sniffer’s Follow feature to track connections across data channels
- Filtering Link Layer control procedures (connection updates, PHY changes, feature exchanges)
- Analyzing ATT/GATT operations — service discovery, reads, writes, and notifications
- Debugging common connection issues like supervision timeouts and failed operations
By the end of this guide, you should be able to capture a complete Bluetooth LE connection from establishment through GATT operations and diagnose common connection problems using Wireshark.
