I’ve been troubleshooting iBeacons lately, and the Bluetooth LE Sniffer from Adafruit is my go-to tool for sniffing Bluetooth LE (BLE) traffic such as iBeacon advertisements. iBeacon detection can vary a lot depending on advertisement interval and timing, signal strength and how it varies with distance, line of sight (or lack thereof), interference from other iBeacons, and so on.
The nRF Sniffer software captures all BLE traffic in libpcap format that can be viewed in Wireshark. Its Wireshark dissector has fallen behind and does not work with the latest version of Wireshark. Since I have written Wireshark dissectors in Lua before, I was quickly able to port the native dissector to Lua.
Here’s an iBeacon advertisement dissected using the nordic_ble Lua dissector, and Wireshark’s native btle dissector, on OS X. Note that the iBeacon payload, which is proprietary to Apple, is not yet decoded by Wireshark’s btle dissector.
Using data from the packet shown above, Apple’s proprietary payload has the following format:

    02 - ID
    15 - Length (21 bytes)
    3aa46f0c80784773be800255132aefda - 128-bit UUID
    e4f2 - major number
    e4c1 - minor number
    b6 - two's complement of calibrated TX power
A filter such as

    btcommon.eir_ad.entry.data contains e4:f2:e4:c1

can be used to filter packets based on major and minor numbers.
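The payload layout described above can also be decoded outside Wireshark. The following Python sketch is an added example, not code from the original post or from the nordic_ble dissector. It goes slightly beyond the page by walking the advertisement's length/type/data structures first; the function and field names are hypothetical, and the flags structure and Apple company ID prefix (0x004C) around the payload are assumptions not shown on the page.

```python
import struct
import uuid
from typing import NamedTuple, Optional


class IBeacon(NamedTuple):
    beacon_uuid: uuid.UUID
    major: int
    minor: int
    tx_power: int  # calibrated TX power in dBm (signed)


APPLE_COMPANY_ID = 0x004C      # assumption: company ID, little-endian on air
AD_TYPE_MANUFACTURER = 0xFF    # manufacturer-specific data AD type


def parse_ibeacon_payload(payload: bytes) -> Optional[IBeacon]:
    """Decode Apple's payload: ID 0x02, length 0x15, then 21 bytes of data."""
    if len(payload) < 23 or payload[0] != 0x02 or payload[1] != 0x15:
        return None
    # 16-byte UUID, big-endian major and minor, signed 8-bit TX power
    raw_uuid, major, minor, tx = struct.unpack(">16sHHb", payload[2:23])
    return IBeacon(uuid.UUID(bytes=raw_uuid), major, minor, tx)


def find_ibeacon(adv_data: bytes) -> Optional[IBeacon]:
    """Walk the length/type/data AD structures of an advertisement."""
    i = 0
    while i < len(adv_data):
        length = adv_data[i]
        if length == 0 or i + 1 + length > len(adv_data):
            break  # padding or truncated structure: stop instead of misparsing
        ad_type, data = adv_data[i + 1], adv_data[i + 2:i + 1 + length]
        if ad_type == AD_TYPE_MANUFACTURER and len(data) >= 2:
            if int.from_bytes(data[:2], "little") == APPLE_COMPANY_ID:
                beacon = parse_ibeacon_payload(data[2:])
                if beacon:
                    return beacon
        i += 1 + length
    return None


# Payload bytes are the ones listed above; the flags structure and the
# company ID prefix are constructed here to form a complete advertisement.
PAYLOAD = bytes.fromhex("0215" "3aa46f0c80784773be800255132aefda" "e4f2" "e4c1" "b6")
SAMPLE_ADV = bytes.fromhex("020106" "1aff4c00") + PAYLOAD

if __name__ == "__main__":
    print(find_ibeacon(SAMPLE_ADV))
```

For the packet above this yields major 58610, minor 58561 and a calibrated TX power of -74 dBm.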