Traffic Captures
Bluetooth traffic captures are stored in the captures/ directory as btsnoop files. These binary capture files can be opened directly in Wireshark for analysis.
Capturing Traffic
Start a capture session with btmon. The command below writes to a timestamped file:

    sudo btmon -w captures/session-$(date +%Y%m%d-%H%M%S).btsnoop

To monitor HCI events live without saving to a file:

    sudo btmon

Run btmon before connecting to the headphones to capture the initial handshake. The channel 14 ff55 greeting only happens on the first connection after a power cycle.
Analyzing Captures
Open captures in Wireshark:

    wireshark captures/*.btsnoop

Useful Wireshark Filters
| Filter | Purpose |
|---|---|
| btrfcomm | Show all RFCOMM traffic |
| btrfcomm.channel == 14 | Filter to a specific RFCOMM channel |
| btl2cap | L2CAP layer traffic |
| bthci_evt | HCI events (connection, disconnection, etc.) |
Combining filters is often useful. For example, btrfcomm.channel == 14 && frame.len > 10 filters out short ACK-only frames on channel 14.
- Run btmon before connecting to capture the full handshake sequence.
- The channel 14 ff55 greeting only occurs on the first connection after the headphones are power-cycled.
- Bluetooth is disabled when the headphones are charging via USB. Disconnect USB before attempting captures.
- The Bluetooth adapter on this system is hci1 (not hci0).
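Because the adapter here is hci1, it is worth confirming that a saved capture actually holds traffic from that controller before opening it in Wireshark. The sketch below is an added example, not part of this project's tooling: it walks the btsnoop record headers and counts records per adapter, assuming btmon's monitor datalink type (2001), where each record's flags field carries the adapter index in the upper 16 bits and the packet opcode in the lower 16. The function names and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

MAGIC = b"btsnoop\x00"
MONITOR = 2001  # datalink type of btmon's monitor format (assumed for these captures)
# Monitor opcodes carried in the low 16 bits of each record's flags field
OPCODES = {2: "HCI command", 3: "HCI event", 4: "ACL TX", 5: "ACL RX"}

def read_records(data):
    """Yield (adapter_index, opcode, payload) for each record in a btmon capture."""
    if len(data) < 16 or data[:8] != MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != MONITOR:
        raise ValueError(f"unsupported btsnoop version/datalink: {version}/{datalink}")
    pos = 16
    while pos < len(data):
        if pos + 24 > len(data):
            raise ValueError("truncated record header")
        # original length, included length, flags, cumulative drops, timestamp (us)
        _orig, incl, flags, _drops, _ts = struct.unpack(">IIIIq", data[pos:pos + 24])
        pos += 24
        if pos + incl > len(data):
            raise ValueError("truncated record payload")
        yield flags >> 16, flags & 0xFFFF, data[pos:pos + incl]
        pos += incl

def summarize(data):
    """Count records per (hciN, packet type) so a wrong-adapter capture is obvious."""
    counts = Counter()
    for index, opcode, _payload in read_records(data):
        counts[(f"hci{index}", OPCODES.get(opcode, f"opcode {opcode}"))] += 1
    return counts

def _record(index, opcode, payload):
    # Builds one constructed record for the sample below
    flags = (index << 16) | opcode
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0, 0) + payload

# Constructed sample: two records on hci1, one on hci0 (payload bytes are filler)
SAMPLE = MAGIC + struct.pack(">II", 1, MONITOR) + b"".join([
    _record(1, 3, b"\x00" * 4), _record(1, 5, b"\x00" * 12), _record(0, 2, b"\x00" * 3)])

if __name__ == "__main__":
    for (adapter, kind), n in sorted(summarize(SAMPLE).items()):
        print(adapter, kind, n)
```

To check a real capture, pass the file's bytes to `summarize()`; a capture with no hci1 ACL records did not record the headphone traffic.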