Provided by: ubertooth_2017.03.R2-2_amd64 bug

NAME

       ubertooth-btle - Bluetooth Low Energy (BLE) sniffing and more

SYNOPSIS

              ubertooth-btle -f [-A 37|38|39] [-r output.pcapng]

DESCRIPTION

       ubertooth-btle is a tool for doing Fun Stuff(TM) with BLE. It can do the following things:

              • Sniff connections

              • Interfere with connections

              • Send advertising packets (experimental)

       Sniffing  connections  is  the most robust feature supported by ubertooth-btle. It has two
       primary modes of operation: follow mode and promiscuous mode.

       Follow mode is the preferred mode for general use. In this mode, Ubertooth will listen  on
       one  of  three advertising channels waiting for a BLE connection to be established. When a
       connection is established, Ubertooth will hop along the data channels, passively capturing
       the  data  sent  between  the  central  and  peripheral.  After the connection terminates,
       Ubertooth will return to the advertising channel and wait for another connection.

       Promiscuous mode is an experimental mode for sniffing connections after they have  already
       been established. This mode can be used to sniff long-lived connections.

       When  sniffing,  Ubertooth can only operate in either follow mode or promiscuous mode, but
       not both at the same time. If you are unsure which mode to use, use follow mode.

       By default, Ubertooth will follow any connection  it  observes.  You  can  limit  this  to
       following  a  specific  Bluetooth  Address  (BD  ADDR) using the -t command line flag. For
       example,  the  following  command  will  only  sniff  connections  where  the  central  or
       peripheral's BD ADDR is 22:44:66:88:AA:CC:

              ubertooth-btle -f -t22:44:66:88:AA:CC

       In  both  sniffing  modes,  Ubertooth  can  log  data  to PCAP or PcapNG with a variety of
       pseudoheaders. The recommended logging format is PcapNG (-r) or PCAP with LE  Pseudoheader
       (-q). For compatibility with crackle (see [USING WITH CRACKLE][]), use PCAP with PPI (-c).

       Interfering  with connections is a feature for causing intentional interference with newly
       established or long-lived connections. When  this  attack  succeeds,  the  BLE  connection
       between  the  central and peripheral will be terminated. Pair the -i or -I flag with -f to
       interfere with new connections or -p to interfere with long-lived connections.  Note  that
       causing  intentional  interference  may  be illegal in your jurisdiction. Check your local
       laws before using this feature.

       Finally, ubertooth-btle supports transmitting advertising  packets  with  a  specified  BD
       ADDR.  This  feature, referred to as faux slave mode, is experimental and may not function
       as intended. Use at your own risk.

EXAMPLES

       Sniff all connections on advertising channel 38, logging all data to PcapNG:

              ubertooth-btle -f -A 38 -r log.pcapng

       Interfere with connections recovered with promiscuous mode:

              ubertooth-btle -p -I

       Send advertising packets using BD ADDR 22:44:66:88:AA:CC:

              ubertooth-btle -s22:44:66:88:AA:CC

OPTIONS

-h : Displays help message

       Major modes:

              • -f : Follow mode: sniff connections as they are established

              • -p : Promiscuous mode: sniff already-established connections

              • -s<BD ADDR> : Inject advertising packets using specified BD ADDR

       Interference (pair with -f or -p):

              • -i : Interfere with one connection and return to idle

              • -I : Interfere continuously with many connections

       Filtering:

              • -t<BD ADDR> : Limit connection following and interference in follow mode  to  the
                specified BD ADDR

       Logging:

              • -r <output.pcapng> : Log to PcapNG (preferred)

              • -q <output.pcap> : Log to PCAP with DLT_BLUETOOTH_LE_LL_WITH_PHDR-c <output.pcap> : Log to PCAP with PPI (for compatibility with crackle(1))

       Miscellaneous:

              • -A <37|38|39> : Which advertising channel to use in follow mode (default: 37)

              • -a[address] : Get or set access address in promiscuous mode

              • -v[01] : Get or set CRC verification (default: 0)

              • -x<0-32>  :  Allow n access address violations (default: 32). Filtering occurs on
                host.

       Data source:

              • -U<0-7> : Which Ubertooth to use

USING WITH CRACKLE

       crackle is a tool for cracking the BLE key exchange  and  decrypting  encrypted  data.  To
       capture  data for use with crackle, sniff connections in follow mode using -f and log data
       to PCAP/PPI using -c. Example:

              ubertooth-btle -f -c crack.pcap

       Refer to crackle documentation for further details.

SEE ALSO

       crackle(1): ⟨https://github.com/mikeryan/crackle⟩

COPYRIGHT

       ubertooth-btle is Copyright (C) 2012-2017 Mike Ryan.  This  tool  is  released  under  the
       GPLv2. Refer to COPYING for further details.