hcidump

Display Host Controller Interface (i.e. Bluetooth) data

btmon
hcidump [option [option… ]] [filter ]

Reads raw HCI data coming from and going to a Bluetooth device until it receives SIGTERM or SIGQUIT.
Output appears only if something like sudo hcitool lescan is running!

Default is the first available HCI device
Outputs commands, events and data.
The dump can be written to a file to be parsed at a subsequent time.

-t
--timestamp
Prepend a time stamp
> b='D5:51:78:72:EC:0F'
> hcidump -t | grep "$b" -B3 -A3
2018-05-20 16:48:47.852536 > HCI Event: LE Meta Event (0x3e) plen 30
    LE Advertising Report
      ADV_IND - Connectable undirected advertising (0)
      bdaddr C4:C1:A5:FB:6D:46 (Random)
      Flags: 0x06
      Shortened service classes: 0xfe59
      Complete local name: 'RuuviBoot' 
-m compid
--manufacturer=compid
default company id for manufacturer
-R
--raw
only the raw data is displayed.
hcidump --raw |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
> 04 3E 2B 02 01 03 01 0F EC 72 78 51 D3 1F 02 01 06 03 03 AA 
  FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 4A 41 4B 
  41 4C 78 49 72 B6 
> 04 3E 17 02 01 00 00 AE 3B 97 75 32 4C 0B 02 01 06 07 FF 4C 
  00 10 02 0B 00 B1 
> 04 3E 23 02 01 00 01 2A 73 AC 54 87 71 17 02 01 06 13 FF 4C 
  00 0C 0E 00 CB 3A F4 C4 21 9E B6 5D C4 9C D3 3E 26 B3 
> 04 3E 2B 02 01 03 01 03 AD 43 C6 C0 F2 1F 02 01 06 03 03 AA 
  FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 46 67 56 
  41 4C 78 49 4E C3 
hcidump -t --raw |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
2018-04-16 19:36:46.080953 > 04 3E 17 02 01 00 00 AE 3B 97 75 32 4C 0B 02 01 06 07 FF 4C 
  00 10 02 0B 00 B7 
2018-04-16 19:36:46.098825 > 04 3E 2B 02 01 03 01 03 AD 43 C6 C0 F2 1F 02 01 06 03 03 AA 
  FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 46 67 56 
  41 4C 78 49 4E B1 
2018-04-16 19:36:46.108579 > 04 3E 23 02 01 00 01 2A 73 AC 54 87 71 17 02 01 06 13 FF 4C 
  00 0C 0E 00 CB 3A F4 C4 21 9E B6 5D C4 9C D3 3E 26 B6 
2018-04-16 19:36:46.262135 > 04 3E 17 02 01 00 00 AE 3B 97 75 32 4C 0B 02 01 06 07 FF 4C 
  00 10 02 0B 00 C5 

> b='0F EC 72 78 51 D5'   # raw output lists the address bytes in reverse order
> hcidump -t --raw | grep "$b" -A2
Remove timestamp: sed "s/....-..-.. ..:..:..\.......//" 0ruuvis
-a
--ascii
hcidump -a   |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
> HCI Event: LE Meta Event (0x3e) plen 23
    LE Advertising Report
      ADV_IND - Connectable undirected advertising (0)
      bdaddr 4C:32:75:97:3B:AE (Public)
      Flags: 0x06
      Unknown type 0xff with 6 bytes data
      RSSI: -53
> HCI Event: LE Meta Event (0x3e) plen 35
    LE Advertising Report
      ADV_IND - Connectable undirected advertising (0)
      bdaddr 71:87:54:AC:73:2A (Random)
      Flags: 0x06
      Unknown type 0xff with 18 bytes data
      RSSI: -68
> HCI Event: LE Meta Event (0x3e) plen 23
    LE Advertising Report
      ADV_IND - Connectable undirected advertising (0)
      bdaddr 4C:32:75:97:3B:AE (Public)
      Flags: 0x06
      Unknown type 0xff with 6 bytes data
      RSSI: -65
-x
--hex

-X
--ext
Displays offset (displacement), hex and ASCII. Most likely not helpful (with --raw).
hcidump --raw -X   |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
> 0000: 04 3e 2b 02 01 03 01 1a  1e 4a 74 fa f7 1f 02 01  .>+......Jt.....
  0010: 06 1b ff 99 04 05 0f c8  43 27 c1 6e 03 64 02 1c  ........C'.n.d..
  0020: ff ec a1 b6 12 66 ca f7  fa 74 4a 1e 1a bc        .....f...tJ...
> 0000: 04 3e 1a 02 01 00 01 e4  63 cc 82 fb 6e 0e 02 01  .>......c...n...
  0010: 1a 0a ff 4c 00 10 05 11  18 28 9a a0 b7           ...L.....(...
> 0000: 04 3e 1a 02 01 00 00 ae  3b 97 75 32 4c 0e 02 01  .>......;.u2L...
  0010: 06 0a ff 4c 00 10 05 4b  1c 6d a4 a4 b3           ...L...K.m...
> 0000: 04 3e 2b 02 01 00 01 dc  06 65 6d fd d0 1f 02 01  .>+......em.....
  0010: 04 1b ff 99 04 05 11 7c  2d 9e c1 81 00 1c 00 00  .......|-.......
  0020: 03 eb a6 f6 4a c2 a2 d0  fd 6d 65 06 dc b2        ....J....me...
-w file
--save-dump=file
Saves binary data to file in BTSnoop version 1, HCI UART (H4) format.
The file can subsequently be parsed with -r.

The file can be opened in Wireshark for full decoding

hexdump -C hcidump.out
00000000  62 74 73 6e 6f 6f 70 00  00 00 00 01 00 00 03 ea  |btsnoop.........|
00000010  00 00 00 1d 00 00 00 1d  00 00 00 03 00 00 00 00  |................|
00000020  00 e2 7d c4 c0 1a 07 3e  04 3e 1a 02 01 00 00 ae  |..}....>.>......|
00000030  3b 97 75 32 4c 0e 02 01  06 0a ff 4c 00 10 05 4b  |;.u2L......L...K|
00000040  1c c0 ea 49 bc 00 00 00  21 00 00 00 21 00 00 00  |...I....!...!...|
00000050  03 00 00 00 00 00 e2 7d  c4 c0 1a 88 9e 04 3e 1e  |.......}......>.|
00000060  02 01 00 01 74 85 0b 43  be 60 12 02 01 1a 02 0a  |....t..C.`......|
00000070  0c 0b ff 4c 00 10 06 13  1e 18 73 40 1f c2 00 00  |...L......s@....|
00000080  00 24 00 00 00 24 00 00  00 03 00 00 00 00 00 e2  |.$...$..........|
00000090  7d c4 c0 1a c7 bd 04 3e  21 02 01 03 01 c2 24 68  |}......>!.....$h|
000000a0  3c 10 c7 15 02 01 06 11  ff 99 04 03 15 24 11 c1  |<............$..|
000000b0  9f 00 40 ff c4 03 fe 0b  65 b0 00 00 00 26 00 00  |..@.....e....&..|
000000c0  00 26 00 00 00 03 00 00  00 00 00 e2 7d c4 c0 1c  |.&..........}...|
000000d0  fe 71 04 3e 23 02 01 00  01 2c 43 1e 0f 41 4b 17  |.q.>#....,C..AK.|
000000e0  02 01 06 13 ff 4c 00 0c  0e 00 e4 8f 60 bc 1c 81  |.....L......`...|
-r file
--read-dump=file
Data from file created with -w
-C
--cmtp=psm
for the CAPI Message Transport Protocol.
-H
--hcrp=psm
for the Hardcopy Control Channel.
-O
--obex=channel
Sets RFCOMM channel value for the Object Exchange Protocol.
-P
--ppp=channel
Sets RFCOMM channel value for the Point-to-Point Protocol.
-D
--pppdump=
Extract PPP traffic with pppdump format.
-A
--audio=file
Extract SCO audio data.
-Y
--novendor
Don't display any vendor commands or events,
or any PIN code or link key in plain text.
hcidump -t -Y  |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
2018-04-16 19:40:44.038443 > HCI Event: LE Meta Event (0x3e) plen 35
    LE Advertising Report
      ADV_IND - Connectable undirected advertising (0)
      bdaddr 71:87:54:*:*:* (Random)   <- randomly assigned at time of manufacture
      Flags: 0x06
      Unknown type 0xff with 18 bytes data
      RSSI: -74
-i hciX read from hciX. Default: first available.
-l len
--snap-len=len
max length of processed packets
-p psm
--psm=psm
default Protocol Service Multiplexer
-h

FILTERS

filter is a space-separated list of packet categories:
lmp hci sco l2cap rfcomm sdp bnep cmtp hidp hcrp avdtp avctp obex capi ppp

lmp(01), hci(02), sco(04), l2cap(08), rfcomm(10), sdp(20), bnep(40), cmtp(80), hidp(100), hcrp(200), avdtp(400), avctp(800), obex(1000), capi(2000) and ppp(4000)

Examples:

(buffers, just be patient)
hcidump -t --raw |                           # format 4
grep --after-context=2 "1A 1E 4A 74 FA F7" |  # keep the MAC of interest and the next two lines
grep --invert-match '\-\-' |                  # get rid of the -- grep inserts
sed "N ;s/\n//; N; s/\n//" |                  # join 2nd and 3rd line
sed "s/04 3E //;  s/02 01 03 01//" |          # remove bluetooth header information
sed "s/  19 02 01 04 15 FF 99//"   |
sed "s/201.-..-..//;  s/[[:digit:]]\{3,3\} //; s/1A 1E 4A 74 FA F7//"   # pretty it up

 18:01:50.997 > 1F 02 01 06 03 03 AA   FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 47 51 59   41 4D 4F 30 47 AF 
 18:01:51.497 > 1F 02 01 06 03 03 AA   FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 47 51 59   41 4D 4F 30 47 B3 
                                                      FT TX htt r  u  u  . v  i  /  #  B     Q       A  M  O  3  G    

hcidump -t --raw |                           # format 5
grep --after-context=1 "1A 1E 4A 74 FA F7" |  # keep the MAC of interest and the next line
grep --invert-match '\-\-' |                  # get rid of the -- grep inserts
sed "N ;s/\n//; " |                           # join 2nd line
sed "s/04 3E //;  s/02 01 03 01//" |          # remove bluetooth header information
sed "s/  19 02 01 04 15 FF 99//"   |
sed "s/201.-..-..//;  s/[[:digit:]]\{3,3\} //; s/1A 1E 4A 74 FA F7//"   # pretty it up

 18:32:31.833> 19 02 01 04 15 FF 99   04 03 66 18 59 C4 0E 00 1B FF DD 03 DC 0A B7 00 00 00 00 B3 
 18:32:32.332> 19 02 01 04 15 FF 99   04 03 66 18 59 C4 0E 00 1B FF DD 03 DC 0A B7 00 00 00 00 B5 
 18:32:32.837> 19 02 01 04 15 FF 99   04 03 66 18 59 C4 0E 00 1B FF DD 03 DC 0A B7 00 00 00 00 B5 
                              CIC  ) fmt hh temp  press  xxxx yyyyy zzzzz battery          RSSI  
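
The same decoding can be done on a capture saved with -w instead of with grep and sed. The following is an added example, not part of the original page or of BlueZ: it walks the BTSnoop records and decodes the LE Advertising Report in each one. The function names are illustrative, and the sample bytes are the first record of the hexdump shown under -w.

```python
import struct

# Sample input: file header plus first record of the hexdump shown under -w.
SAMPLE = bytes.fromhex(
    "6274736e6f6f7000" "00000001" "000003ea"     # magic, version 1, datalink 1002 (H4)
    "0000001d" "0000001d" "00000003" "00000000"  # orig len, incl len, flags, drops
    "00e27dc4c01a073e"                           # timestamp
    "043e1a02010000ae3b9775324c0e020106"         # H4 event packet ...
    "0aff4c0010054b1cc0ea49bc"                   # ... advertising data, RSSI
)

def btsnoop_records(blob):
    """Yield (flags, packet) for each record of a BTSnoop version 1 H4 file."""
    magic, version, datalink = struct.unpack_from(">8sII", blob, 0)
    if magic != b"btsnoop\0" or version != 1 or datalink != 1002:
        raise ValueError("not a BTSnoop version 1 HCI UART (H4) file")
    pos = 16
    while pos + 24 <= len(blob):
        _orig, incl, flags, _drops, _ts = struct.unpack_from(">IIIIq", blob, pos)
        pos += 24
        if pos + incl > len(blob):   # truncated capture: stop cleanly
            break
        yield flags, blob[pos:pos + incl]
        pos += incl

def ad_structures(data):
    """Split advertising data into (type, value) pairs; stop on a bad length."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        if n == 0 or i + 1 + n > len(data):
            break
        out.append((data[i + 1], data[i + 2:i + 1 + n]))
        i += 1 + n
    return out

def decode_adv(pkt):
    """Decode the first report of an LE Advertising Report event, else None."""
    if len(pkt) < 15 or pkt[:2] != b"\x04\x3e" or pkt[3] != 0x02:
        return None
    dlen = pkt[13]
    if 15 + dlen > len(pkt):
        return None
    ad = ad_structures(pkt[14:14 + dlen])
    # Manufacturer specific data (type 0xff) starts with a little-endian company id.
    company = next((v[0] | v[1] << 8 for t, v in ad if t == 0xFF and len(v) >= 2), None)
    return {"addr": ":".join("%02X" % b for b in reversed(pkt[7:13])),
            "random": pkt[6] == 1, "rssi": struct.unpack_from("b", pkt, 14 + dlen)[0],
            "company": company, "ad": ad}
```

To use it on a real capture, pass the bytes of the file written with -w to btsnoop_records and each yielded packet to decode_adv.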


Protocol and Service Multiplexer
Protocol          PSM  Description
SDP               01   Service Discovery Protocol (SDP)
RFCOMM            03   RFCOMM with TS 07.10
TCS-BIN           05   Telephony Control Specification / TCS Binary
TCS-BIN-CORDLESS  07   Telephony Control Specification / TCS Binary
BNEP              0F   Bluetooth Network Encapsulation Protocol
HID_Control       11   Human Interface Device
HID_Interrupt     13   Human Interface Device
UPnP              15   [ESDP]
AVCTP             17   Audio/Video Control Transport Protocol
AVDTP             19   Audio/Video Distribution Transport Protocol
AVCTP_Browsing    1B   Audio/Video Remote Control Profile
UDI_C-Plane       1D   Unrestricted Digital Information Profile [UDI]
ATT               1F   Bluetooth Core Specification
3DSP              21   3D Synchronization Profile
LE_PSM_IPSP       23   Internet Protocol Support Profile
OTS               25   Object Transfer Service

Errors

Can't attach to device hci0. No such device(19)

hcidump is deprecated due to lack of support

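In order to run without root, i.e. without sudo, grant the binaries the required capabilities (every local user who can execute them can then use them):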

sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcitool`
sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcidump`

btmon

- Bluetooth monitor

btmon [options]

-r
--read file
Read traces in btsnoop format
-w
--write file
Save traces in btsnoop format (also for Wireshark)
-a
--analyze file
Analyze traces in btsnoop format
-s
--server socket
Start monitor server socket
-p
--priority level
Show only priority or lower
-i
--index num
Show only specified controller
-d
--tty tty
Read data from TTY
-B
--tty-speed rate
Set TTY speed (default 115200)
-t
--time
Show time instead of time offset
-T
--date
Show time and date information
-S
--sco
Dump SCO traffic
-A
--a2dp
Dump A2DP (Advanced Audio Distribution Profile, i.e. stereo) stream traffic
-E
--ellisys [ip]
Send Ellisys HCI Injection
-h
--help
Show help options
sudo btmon -S |more
Bluetooth monitor ver 5.48
= Note: Linux version 4.19.66+ (armv6l)                                0.621011
= Note: Bluetooth subsystem version 2.22                               0.621025
= New Index: B8:27:EB:E3:A4:6C (Primary,UART,hci0)              [hci0] 0.621029
= Open Index: B8:27:EB:E3:A4:6C                                 [hci0] 0.621031
= Index Info: B8:27:EB:E3:A4:6C (Broadcom Corporation)          [hci0] 0.621035
@ RAW Open: hcidump (privileged) version 2.22          {0x0002} [hci0] 0.621039
@ MGMT Open: bluetoothd (privileged) version 1.14             {0x0001} 0.621043
@ MGMT Open: btmon (privileged) version 1.14                  {0x0003} 0.621174
> HCI Event: LE Meta Event (0x3e) plen 43                    #1 [hci0] 0.648046
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Non connectable undirected - ADV_NONCONN_IND (0x03)
        Address type: Random (0x01)
        Address: C4:D8:A4:A9:09:81 (Static)
        Data length: 31
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        Company: not assigned (1177)
          Data: 050e9a74bdbf83fca0fe180024a37633e82cc4d8a4a90981
        RSSI: -70 dBm (0xba)
> HCI Event: LE Meta Event (0x3e) plen 43                    #2 [hci0] 0.696244
      LE Advertising Report (0x02)
        Num reports: 1
        Event type: Connectable undirected - ADV_IND (0x00)
        Address type: Random (0x01)
        Address: EE:93:49:ED:9F:E9 (Static)
        Data length: 31
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        Company: not assigned (1177)
          Data: 050fb74d98fffffc28feb4006cb036232e7dee9349ed9fe9
        RSSI: -99 dBm (0x9d)
To enable verbose logging for Bluetooth, add -d to the bluetooth.service config file:
sudo sed --in-place 's/bluetoothd/bluetoothd \-d/g' /lib/systemd/system/bluetooth.service

See

hcitool