Wireshark integration?

[vChavezB]

Currently I am using bumble to emulate embedded firmware and connect with other applications (Android, linux).

I was wondering if its possible to sniff on the packets sent/recieved by bumble Controllers connected to the same LocalLink and have a callback which I can use to send packets over wireshark.

My first hint is to use scapy to create a Wireshark sink. I also found this about the pcap structure for bluetooth https://www.tcpdump.org/linktypes/LINKTYPE_BLUETOOTH_LINUX_MONITOR.html.

I think it would be an interesting application to sniff the HCI packets that are already available through the bumble controllers.

[zxzxwu]

Android and Linux(BlueZ) have been supported by Wireshark. Doesn't that fit your use case?

AFAIK, this kind of captures is based on extcat. There is a similar work for Thread: https://github.com/openthread/pyspinel/blob/main/extcap_ot.py

[vChavezB]

I will check the link.

My use case involves capturing virtual traffic with custom applications that do not use Android emulator or BLuez.

I have developed an experimental backend for the Bleak project with bumble. This allows me to develop a Bluetooth application with Bleak (Windows, MAC,Linux) which then can test without hardware. I use bumble as HCI Controller to communicate with an emulated embedded firmware that exposes its HCI Host over a socket. I connect both my bleak application and the MCU through bumble.

The objective in this case is to capture the virtual traffic that is transmitted over the TCP HCI Server (Bleak + Bumble) and TCP HCI Client (Zephyr RTOS emulated firmware).

[barbibulle]

Bumble has support for pluggable HCI traffic sniffers. There's currently just one builtin sniffer, that knows how to save sniffed traffic to a snoop file (compatible with the Android HCI snoop files, which Wireshark knows how to read).
See the Snooper class, which is the base interface for snoopers. Snoopers can be added programmatically by using the API, or automatically based on a user-set environment variable. With env var, snoopers are created by the create_snooper method, which will look at the "spec" and device which snooper should be instantiated.
If you wanted something that supports live injection (as opposed to saving the snooped traffic to a file), you could either
1/ extend the BtSnooper to support more I/O models (only file is supported currently), or
2/ create a new Snooper subclass.

[vChavezB]

Thanks, just as an experiment I did a small test.

I added my extcap application in Wireshark.

And when I start the extcap interface I listen over a port to packets from a Bumble Device with a custom Snooper. The snooper sends them to the extcap interface and then writes them in PCAP Format (LINKTYPE_BLUETOOTH_HCI_H4_WITH_PHDR) to Wireshark.