Capture and Decode BLE Advertisements

~100 minIntermediate

Passively capture Bluetooth Low Energy advertisement packets on channels 37, 38, and 39. Decode device data with Wireshark, parse GAP/GATT structures, and understand BLE security.

Prerequisites
Everything needed before starting

Hardware (choose one)

  • nRF52840 USB dongle (~$10, beginner-friendly)
  • OR Ubertooth One (~$120, connection following)
  • OR HackRF One + btlejack (~$340, most capable)
  • USB cable, host computer (Windows, Linux, or macOS)

Software

  • Wireshark 3.x or later
  • nRF Sniffer Wireshark plugin (if using nRF52840)
  • btlejack (if using HackRF): pip install btlejack
  • Python 3 + scapy for PCAP analysis
  • nrfutil for firmware flashing
Step 1 of 714% complete
Step 115 min
BLE Advertising Basics: Channels 37, 38, and 39

Bluetooth Low Energy (BLE) devices broadcast advertisement packets on three dedicated channels to announce their presence, capabilities, and data. These unconnected broadcasts are the foundation of beacons, IoT sensors, wearables, and proximity marketing — and they're receivable by anyone with the right hardware.

BLE advertising channels

Channel 37

2402 MHz

First advertising channel. Between 2.4 GHz band start and first data channel cluster. Avoids Wi-Fi channel 1 (2412 MHz).

Channel 38

2426 MHz

Middle advertising channel. Between Wi-Fi channels 1 and 6 in the data channel gap.

Channel 39

2480 MHz

Last advertising channel. Above Wi-Fi channel 11 (2462 MHz), near top of 2.4 GHz band.

Advertisement event types

ADV_INDConnectable, undirected. Standard advertisement. Any scanner can see it; any central can connect.
ADV_NONCONN_INDNon-connectable, undirected. Broadcaster-only mode. iBeacons, sensors, and beacons use this.
ADV_SCAN_INDScannable, undirected. Allows scan requests for additional data but not connections.
ADV_DIRECT_INDConnectable, directed. Targets a specific device by address. Quick reconnect to known peer.
SCAN_RSPScan response. Additional data (up to 31 bytes) returned when a scanner sends a scan request.
AUX_ADV_INDBLE 5.0 extended advertising. Up to 1650 bytes on secondary channels 37/38/39 + secondary.

BLE physical layer: GFSK at 1 Mbit/s

BLE uses GFSK (Gaussian Frequency Shift Keying) with a 1 Mbit/s symbol rate and 250 kHz frequency deviation (modulation index 0.5). The Gaussian filter reduces spectral spread to fit within the 2 MHz channel bandwidth. Each advertisement event transmits on all three advertising channels sequentially with a small random delay between channels to avoid repeated collisions.

BLE advertising channels 37, 38, and 39 are at 2402, 2426, and 2480 MHz respectively. These three channels are intentionally spread across the 2.4 GHz band to avoid the busiest Wi-Fi channels (1, 6, and 11).

BLE Advertising Basics: Channels 37, 38, and 39