Protocol Capture
import { Aside } from ‘@astrojs/starlight/components’;
mcbluetooth can capture raw Bluetooth HCI (Host Controller Interface) traffic for protocol analysis and debugging.
Overview
Section titled “Overview”HCI captures record all communication between the Bluetooth stack and hardware adapter. This includes:
- Device discovery packets
- Pairing and authentication
- Connection management
- Audio streaming data
- BLE GATT operations
Starting a Capture
Section titled “Starting a Capture”bt_capture_start output_file="/tmp/bluetooth.btsnoop"Returns:
{ "status": "started", "capture_id": "capture_abc123", "output_file": "/tmp/bluetooth.btsnoop"}Capture Options
Section titled “Capture Options”# Capture from specific adapterbt_capture_start output_file="/tmp/hci0.btsnoop" adapter="0"
# Include voice data (SCO)bt_capture_start output_file="/tmp/calls.btsnoop" include_sco=true
# Include audio streaming (A2DP)bt_capture_start output_file="/tmp/audio.btsnoop" include_a2dp=true
# Include LE Audio (ISO)bt_capture_start output_file="/tmp/le_audio.btsnoop" include_iso=trueStopping a Capture
Section titled “Stopping a Capture”bt_capture_stop capture_id="capture_abc123"Returns:
{ "status": "stopped", "output_file": "/tmp/bluetooth.btsnoop", "packets_captured": 1542, "file_size": 245760}Listing Active Captures
Section titled “Listing Active Captures”bt_capture_list_activeAnalyzing Captures
Section titled “Analyzing Captures”Quick Parse
Section titled “Quick Parse”bt_capture_parse filepath="/tmp/bluetooth.btsnoop"Returns packet summaries:
{ "total_packets": 1542, "packet_types": { "HCI_CMD": 234, "HCI_EVENT": 456, "ACL_DATA": 852 }, "packets": [ { "index": 0, "timestamp": "2024-01-15T10:30:00.123456", "type": "HCI_CMD", "direction": "TX", "summary": "Inquiry" } ]}Filtered Parse
Section titled “Filtered Parse”# Only HCI commandsbt_capture_parse filepath="..." packet_type_filter="HCI_CMD"
# Only received packetsbt_capture_parse filepath="..." direction_filter="RX"
# Limit resultsbt_capture_parse filepath="..." max_packets=100Detailed Analysis
Section titled “Detailed Analysis”bt_capture_analyze filepath="/tmp/bluetooth.btsnoop"Returns high-level statistics:
{ "duration_seconds": 45.2, "total_packets": 1542, "protocols": { "L2CAP": 423, "RFCOMM": 156, "SDP": 34, "ATT": 289 }, "connections": [ { "address": "AA:BB:CC:DD:EE:FF", "packets": 892, "bytes": 45678 } ]}Raw Packet Decoding
Section titled “Raw Packet Decoding”bt_capture_read_raw filepath="/tmp/bluetooth.btsnoop" offset=0 count=50Returns btmon-style decoded output for detailed inspection.
Common Workflows
Section titled “Common Workflows”Debug Pairing Issues
Section titled “Debug Pairing Issues”# Start capturebt_capture_start output_file="/tmp/pairing_debug.btsnoop"
# Attempt pairingbt_pair adapter="hci0" address="AA:BB:CC:DD:EE:FF"
# Stop and analyzebt_capture_stop capture_id="..."bt_capture_parse filepath="/tmp/pairing_debug.btsnoop" packet_type_filter="HCI_EVENT"Investigate Audio Glitches
Section titled “Investigate Audio Glitches”# Capture with A2DP databt_capture_start output_file="/tmp/audio_debug.btsnoop" include_a2dp=true
# Play audio for 30 seconds
# Stop and check for errorsbt_capture_stop capture_id="..."bt_capture_analyze filepath="/tmp/audio_debug.btsnoop"Monitor BLE Sensor
Section titled “Monitor BLE Sensor”# Start capturebt_capture_start output_file="/tmp/ble_sensor.btsnoop"
# Connect and interact with sensorbt_connect adapter="hci0" address="AA:BB:CC:DD:EE:FF"bt_ble_read adapter="hci0" address="..." char_uuid="..."
# Analyze ATT/GATT trafficbt_capture_stop capture_id="..."bt_capture_parse filepath="/tmp/ble_sensor.btsnoop"File Format
Section titled “File Format”Captures are saved in btsnoop format, compatible with:
| Tool | Usage |
|---|---|
| Wireshark | Full GUI analysis |
| btmon | Command-line decode |
| hcidump | Legacy analysis |
Open in Wireshark
Section titled “Open in Wireshark”wireshark /tmp/bluetooth.btsnoopWireshark provides:
- Protocol dissection
- Conversation tracking
- Expert analysis
- Export options
Requirements
Section titled “Requirements”The capture functionality uses btmon which needs access to the Bluetooth monitor socket:
# Option 1: Run as rootsudo btmon
# Option 2: Add capability (one-time setup)sudo setcap cap_net_raw+ep /usr/bin/btmonTroubleshooting
Section titled “Troubleshooting””Permission Denied”
Section titled “”Permission Denied””# Check btmon capabilitygetcap /usr/bin/btmon
# Add if missingsudo setcap cap_net_raw+ep /usr/bin/btmonCapture File Empty
Section titled “Capture File Empty”- Ensure adapter is active:
bt_adapter_power adapter="hci0" on=true - Verify Bluetooth activity is occurring
- Check btmon is running:
bt_capture_list_active
Very Large Files
Section titled “Very Large Files”Audio data generates significant traffic:
| Content | Approximate Size |
|---|---|
| Discovery/pairing | ~10 KB/min |
| BLE sensors | ~50 KB/min |
| A2DP audio | ~2 MB/min |
| HFP calls | ~500 KB/min |
Use without audio flags for general debugging:
bt_capture_start output_file="..." include_sco=false include_a2dp=falseCan’t Open in Wireshark
Section titled “Can’t Open in Wireshark”Verify file format:
file /tmp/capture.btsnoop# Should show: BTSnoop version 1, HCI UART (H4)If corrupted, the capture may have been interrupted. Always use bt_capture_stop to properly close files.