Bluetooth protocol analyzer: how to read BLE traffic

Capturing Bluetooth Low Energy packets is only half the job. The raw bytes off the air are meaningless until something decodes them into the layers that make up the BLE protocol stack. That's what a Bluetooth protocol analyzer (or BLE protocol analyzer, sometimes spelled "BLE analyser") does: it turns captured packets into human-readable structure.

This guide explains the BLE stack you're analyzing and the tools that decode it.

The BLE protocol stack, briefly

To read BLE traffic, it helps to know the layers a packet passes through. From the bottom up:

  • Physical layer (PHY). The radio itself — 1 Mbps, 2 Mbps, or the long-range coded PHY introduced with Bluetooth 5.
  • Link layer (LL). Handles advertising, connections, and the channel-hopping that follows a connection across 37 data channels. This is where connection parameters live.
  • L2CAP. Multiplexes higher-layer data over the link and handles fragmentation.
  • ATT (Attribute Protocol). The request/response protocol for reading and writing values on a device.
  • GATT (Generic Attribute Profile). The structure on top of ATT — services, characteristics, and descriptors. When you see "battery service" or "heart-rate measurement characteristic," that's GATT.
  • GAP (Generic Access Profile). Governs discovery and connection roles (advertiser, scanner, central, peripheral). Advertisements you scan for are a GAP concept.

A good analyzer shows you these layers as a tree: pick a packet, expand it, and see the link-layer header, the L2CAP framing, and the ATT/GATT operation inside.

The standard analyzer: Wireshark

For decoding captured packets, Wireshark is the tool. It's free, open source, and has mature BLE dissectors that understand every layer listed above, from the link layer up to GATT.

The usual pipeline:

  1. Capture with hardware — an nRF52840 dongle running nRF Sniffer, or an Ubertooth One (see our hardware guide).
  2. Pipe the capture into Wireshark, live or from a saved file.
  3. Filter and decode. Use display filters like btatt to isolate GATT operations, or follow a single connection to watch a handshake unfold.

Wireshark is where you'll spend your time if you're reverse engineering a protocol or debugging your own device's GATT interactions. Its dissectors turn the hopping, fragmented mess of raw capture into a clean, expandable packet list.

Vendor and specialized analyzers

  • nRF Sniffer for Bluetooth LE (Nordic) is both the capture firmware for the nRF52840 and a Wireshark plugin, so it's often your capture and decode setup in one.
  • Ellisys and Frontline (Teledyne LeCroy) make professional-grade Bluetooth protocol analyzers with all-channel capture and rich UIs. They're powerful and priced for labs and manufacturers, not hobbyists.
  • Vendor SDK tools from chip makers often include their own packet viewers tuned to their radios.

Analyzing the advertisement layer — no capture hardware needed

Not all "protocol analysis" requires connection capture. A great deal of useful BLE analysis happens at the advertisement layer, which your phone reads directly. Every advertisement is itself a structured packet: flags, the local name, TX power, manufacturer-specific data, and service UUIDs, all encoded in a defined format.

Inspecting advertisements answers a lot of real questions:

  • Is my device advertising the services I expect?
  • What manufacturer data is this beacon broadcasting?
  • Which service UUIDs does this unknown device expose?
  • How is the advertisement's signal strength changing as I move?
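As an added example (not code from this page or from the BLE Sniffer app), here is a Python decoder for the advertisement format described above: a legacy advertising payload is a sequence of AD structures, each a length byte, an AD type byte and the data, and the decoder refuses a structure whose length runs past the end of the payload instead of reading beyond it. The 28-byte sample payload is constructed for the demo; the AD type codes are the standard ones.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# AD type codes from the Bluetooth Core Specification Supplement (assigned numbers)
AD_FLAGS, AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE = 0x01, 0x02, 0x03
AD_NAME_SHORT, AD_NAME_COMPLETE, AD_TX_POWER, AD_MANUFACTURER = 0x08, 0x09, 0x0A, 0xFF

@dataclass
class Advertisement:
    flags: Optional[int] = None
    name: Optional[str] = None
    tx_power: Optional[int] = None  # dBm, signed
    service_uuids: List[str] = field(default_factory=list)
    company_id: Optional[int] = None  # Bluetooth SIG company identifier
    manufacturer_data: bytes = b""


def parse_ad_structures(payload: bytes) -> Advertisement:
    """Walk the AD structures (length byte, AD type byte, data) of an advertising payload."""
    adv, pos = Advertisement(), 0
    while pos < len(payload):
        length = payload[pos]
        if length == 0:  # zero length: the rest of the PDU is padding
            break
        if pos + 1 + length > len(payload):  # malformed: never read past the end
            raise ValueError(f"AD structure at offset {pos} runs past the payload")
        ad_type, data = payload[pos + 1], payload[pos + 2 : pos + 1 + length]
        pos += 1 + length
        if ad_type == AD_FLAGS and data:
            adv.flags = data[0]
        elif ad_type in (AD_UUID16_INCOMPLETE, AD_UUID16_COMPLETE):
            # 16-bit UUIDs are little-endian, two bytes each; a stray odd byte is ignored
            adv.service_uuids += [f"{u:04X}" for (u,) in struct.iter_unpack("<H", data[: len(data) & ~1])]
        elif ad_type in (AD_NAME_SHORT, AD_NAME_COMPLETE):
            adv.name = data.decode("utf-8", errors="replace")
        elif ad_type == AD_TX_POWER and data:
            adv.tx_power = struct.unpack("<b", data[:1])[0]
        elif ad_type == AD_MANUFACTURER and len(data) >= 2:
            adv.company_id = struct.unpack("<H", data[:2])[0]  # company ID is little-endian
            adv.manufacturer_data = data[2:]
    return adv  # AD types not handled above (e.g. 128-bit UUIDs, 0x06/0x07) are skipped

# Constructed 28-byte legacy advertisement for the demo, not a real capture
SAMPLE_ADV = bytes.fromhex(
    "020106" "03030f18"        # Flags 0x06; complete 16-bit UUID 0x180F (Battery Service)
    "0a0953656e736f722d3031"   # Complete local name "Sensor-01"
    "020af8" "06ff5900010203"  # TX power -8 dBm; manufacturer data, company 0x0059, bytes 01 02 03
)
```

Running parse_ad_structures(SAMPLE_ADV) yields the name, TX power, service UUID and company ID the questions above ask about; feeding it a payload cut short raises ValueError rather than decoding garbage.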

BLE Sniffer for Android decodes the advertisement layer for you: it captures each nearby device's name, address, RSSI, manufacturer, and service UUIDs, logs sessions on-device, and exports to CSV so you can analyze the raw data in your own tools. It won't decode the inside of a live connection — that's Wireshark-plus-hardware territory — but for advertisement-level analysis it's immediate and needs no dongle. No ads, no telemetry.

Choosing your analyzer

  • Decoding connection traffic (LL/L2CAP/ATT/GATT)? Wireshark, fed by an nRF52840 or Ubertooth.
  • Professional lab work with all-channel capture? Ellisys or Frontline/Teledyne LeCroy.
  • Analyzing advertisements and identifying devices? A phone app decodes those on the spot — try BLE Sniffer for Android.

The takeaway

A Bluetooth protocol analyzer is what makes captured BLE traffic legible, mapping raw bytes onto the link layer, L2CAP, and GATT. For connection-level work, Wireshark plus a capture dongle is the standard stack. For the advertisement layer — which covers a huge share of everyday BLE questions — your phone decodes it without any extra hardware at all.