Injection interface¶
TCP sockets can be opened in blueSPY, allowing you to inject packets, HCI messages, log messages, or other PcapNG blocks into an ongoing capture.
blueSPY can act as either server or client, but currently there is a limit of one connection per socket.
The dialog to configure sockets can be opened from the blueSPY toolbar
or the Capture menu.
-
Checkbox for disconnecting the socket if connected. Only sockets with this checkbox ticked will be set up upon confirmation.
-
Connection status label.
-
Shortcuts for setting fields to certain preset values:
-
BTVS
-
Client
-
IPv4: 127.0.0.1
-
port: 24352
-
Pcap mode
-
-
Local Host - IPv4: 127.0.0.1
-
Remote Host - IPv4: 0.0.0.0
-
-
Server checkbox. If ticked the socket will be a TCP/IP server otherwise a TCP/IP client will be set up.
-
IPv4 address field. Specifies which IPv4 address to connect to or listen for connection attempts from in client and server modes respectively. 0.0.0.0 in server mode is interpreted as any IP address. Leaving the field blank has the same effect as setting it to 0.0.0.0.
-
TCP port field.
-
Operating modes. Specifies how the socket should interpret incoming data.
-
Interface Name allows the user to set a description for the PcapNG interface that will be created. It is used in blueSPY for labelling the HCI "device" in the Summary and Timeline. If left blank a default name using TCP/IP name will be used. Since the PcapNG mode requires the Interface Description blocks to be sent over the socket, this field is disabled in that mode.
-
Remove this socket.
-
Add a new socket.
-
OK - confirm changes, Cancel - discard changes.
After closing the dialog, blueSPY starts listening for connections or making connection attempts, depending on the selected mode. However, packets are ignored until a capture has been started. In the server mode, blueSPY listens until a successful connection is established. Upon client disconnection, the socket starts listening for a new connection. In the client mode connection attempts to the specified server are being made until it succeeds or times out. Information about the status, and debug messages if invalid bytes are received, are printed in the log. If the timeout occurs or the connection has been lost, the socket is closed and needs to be set up again.
The toolbar button is highlighted to indicate that at least one socket is currently connected to a peer. The dialog can be opened again to view the status of each socket. Sockets can be removed or added at any point; however any data with the exception of the Interface Description PcapNG blocks will be discarded if blueSPY is not actively capturing. Changing socket settings is disabled once a connection has been established. Changing the interface name of a connected socket is allowed only prior to starting a blueSPY capture.
Raw HCI H4¶
In this mode blueSPY accepts raw bytes and tries to interpret them in accordance with the HCI H4 format.
Pcap¶
Follows the specification at: https://www.ietf.org/archive/id/draft-ietf-opsawg-pcap-03.html. A file header is required in this mode as the packet records themselves do not contain all the information needed for successful decoding. Further restrictions:
-
little endian format
-
LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR (0xC9) link type
The socket is closed upon reception of an invalid header.
BTSnoop¶
A file header is required in this mode as the packet records themselves do not contain all the information needed for successful decoding. Further restrictions:
-
format version 1
-
Un-encapsulated HCI (H1) (0x3E9) or HCI UART (H4) (0x3EA) link types
The socket is closed upon reception of an invalid header.
PcapNG¶
Follows the specification at: https://www.ietf.org/archive/id/draft-ietf-opsawg-pcapng-01.html. All blocks are required to be in the little endian format.
blueSPY accepts the following standard block types:
-
section header
-
interface description
-
enhanced packet
The following custom blocks are defined and accepted.
Link Key¶
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 | block type = 0x80000200 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 | length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
8 | key |
12 | |
16 | |
20 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
24 | addr0 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
28 | addr0 | addr1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
32 | addr1 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 | label length | label (variable length) |
+-+-+-+-+-+-+-+-+ /
/ /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Encrypted Advertising key¶
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 | block type = 0x80000206 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 | length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
8 | key |
12 | |
16 | |
20 | |
24 | |
28 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 | label length | label (variable length) |
+-+-+-+-+-+-+-+-+ /
/ /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Broadcast Code¶
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 | block type = 0x80000207 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 | length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
8 | key |
12 | |
16 | |
20 | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 | label length | label (variable length) |
+-+-+-+-+-+-+-+-+ /
/ /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Log message¶
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 | block type = 0x80000109 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
4 | length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
8 | timestamp MSB |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
12 | timestamp LSB |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
20 | message length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 |s_subtyp |s_typ| message (variable length) |
+-+-+-+-+-+-+-+-+ /
/ /
/ /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
timestamp is a UNIX Timestamp in nanoseconds.
s_subtyp is severity subtype; this can be set to any value, to
distinguish user-defined error types.
s_typ is severity type; this is used to colour-code the log messages in
the Summary.
defined severity types:
- Pass = 0x0,
- Warning = 0x1,
- Info = 0x2,
- Debug = 0x3,
- Error = 0x4,