Wireshark-users: Re: [Wireshark-users] Wireshark Bluetooth

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 14 Jul 2014 14:03:22 -0700
On Jul 14, 2014, at 7:27 AM, Paul Raine <praine@xxxxxxxxxxxxxxxxx> wrote:

>> OK, so that version of libpcap (Libpcap-1.1.1-3.fc14.i686.rpm) supports Bluetooth capturing with the BlueZ Bluetooth stack *if* it was configured to include that support.
> 
> What is meant by "if it was configured to include that support."?

Libpcap is distributed by the developers (tcpdump.org) as a package of source code.  Like a number of other open-source projects, that package includes a "configure script" generated by autoconf, which

	1) attempts to figure out characteristics of the OS and OS version on which you're trying to build and for which you're trying to build, and arrange to make the build work there

and

	2) for some optional features, lets you configure them in or out.

Bluetooth sniffing is one of those features.  It's not currently available on any OS other than Linux, so the configure script configures it out if the OS for which libpcap is being built isn't Linux; it also configures it out if it can't find a necessary "include file" for the code that does Bluetooth capturing.

There's also a flag that can be passed to explicitly request it (which means the configure script will fail if it can't be configured in) or explicitly request its *absence* (which means that configure script won't configure it in even if it could).

The Fedora people take the source, may make changes to it, and, in the process of building a Fedora release, may run the configure script, or may use some other mechanism when building it.

From a quick look at the Fedora 14 source RPM for libpcap, they do make some changes, but none that would affect the Bluetooth configuration, *and* the spec file says it depends on bluez-libs-devel, so it appears that the intention is to include Bluetooth sniffing support.

>  Is there something that I need to configure within Libpcap??

If there is, it'd have to be done by getting the source RPM, making sure it doesn't configure with --disable-bluetooth, and building and installing libpcap from it:

	http://www.rpm.org/max-rpm/s1-rpm-miscellania-srpms.html

But I'm not sure that's the problem.

>> Is that the "Capture Interfaces" dialog that pops up if you click "Interface List" on the Wireshark welcome screen or select "Interfaces" from the "Capture" menu?  If so, it's successfully capturing packets (the packet counts it shows for the interfaces it shows, whether Bluetooth or not, are counts of packets it captures and discards, as it's capturing them only to count them).
>> 
>> What is the name of the Bluetooth interface on which you're capturing?
> 
> Yes I was referring to the "Capture Interfaces" dialog. The Bluetooth Interface is called "bluetooth0 Bluetooth adapter number 0".

OK, so that means that Wireshark sees that interface and can open it and capture on it, and therefore that libpcap *does* have Bluetooth support on your system, so rebuilding libpcap is not necessary and will not make a difference.

>> Or is it the main Wireshark window with the packet list, packet details, and hex dump, and does "I get nothing in the capture window" mean that there are no packets in the packet list?
> 
> There are no packets in the main Wireshark window. This is the one (on my computer) that is labelled "Capturing from Bluetooth adapter number 0 - Wireshark". (It has fields such as "No.", "Time", "Source", "Destination", "Protocol" and has the Hex dump at the bottom. No packets are displayed and this main Wireshark window remains black even though when Bluetooth data is exchanged with my computer it increases the "bluetooth0 Bluetooth adapter number 0" count in the "Capture Interfaces" dialog.

Black, or blank?

If you're doing a live capture and "Update list of packets in real time" is enabled, the main window will show (unless you've reconfigured Wireshark to do something differently):

	the packet list, with the columns you mention;

	the packet detail pane;

	the hex dump pane;

and they should, if there are no packets, be white, not black.

If you're doing a live capture and "Update list of packets in real time" is *not* enabled, the main window will show a grey area where the packet panes are, and only when you stop the capture will Wireshark read in the packets and display them.