Skip to content

PcapNG files

The capture files created by blueSPY use the PcapNG format, as defined at: https://www.ietf.org/archive/id/draft-ietf-opsawg-pcapng-01.html

Wherever possible, standard blocks from the specification are used (often with custom "option" fields) to ensure interoperability with other PcapNG tools. Notably, these standard blocks include the bt_le_ll_phdr, bt_bredr_bb, and hci_h4_phdr_pkt blocks. For various other types of data (packets on proprietary PHYs, spectrum data, Channel-Sounding and HDT packets, etc), custom blocks conforming to the "portable" custom block definition in the specification are used.

PcapNG files can be opened in blueSPY if at least one of the following conditions is true:

  1. There is a licenced Moreph connected to blueSPY.

  2. The PcapNG file was signed as being created by RFCreations software.

Note

Any files created directly by capturing in blueSPY will be signed; if the files are then modified in blueSPY (e.g. using Save Advanced, or by merging a btsnoop file into an air-trace), the capture will be signed if a Moreph is connected when the file is re-saved.

Option 1 allows our customers to open PcapNG files from other sources, e.g. from Wireshark.

By default, Bluetooth packets are written to the file as received over the air, i.e. whitened, and (where relevant) encrypted. If you wish to open a capture file in other software, you can use Save Advanced to create a version of the capture with the packet contents dewhitened and decrypted.