BLE·SNIFFER

What is a BLE sniffer? A plain-language guide

A BLE sniffer is a tool that listens to the Bluetooth Low Energy (BLE) radio traffic around you and shows you what devices are saying over the air. "Sniffing" just means passively capturing wireless signals that are already being broadcast — the same way a network packet sniffer captures Wi-Fi or Ethernet traffic, a Bluetooth sniffer captures BLE traffic.

If you've searched for "BLE sniffer," "Bluetooth sniffer," or "Bluetooth Low Energy sniffer" and ended up confused by the results, it's usually because that one phrase covers two very different things. This guide untangles them.

The two kinds of Bluetooth sniffing

There is an important distinction that most articles skip, and it determines which tool you actually need.

1. Advertisement scanning. Every BLE device that wants to be discovered broadcasts small packets called advertisements. They're public by design — that's how your phone finds your headphones, how a fitness tracker announces itself, and how a beacon says "I'm here." Scanning for advertisements requires nothing special: any modern phone or laptop with Bluetooth can do it. From advertisements you can read a device's name, its Bluetooth address, its signal strength (RSSI), the manufacturer, and the service UUIDs it exposes.

2. Connection (link-layer) packet capture. Once two BLE devices connect, they hop across 37 data channels many times per second and exchange encrypted or unencrypted data packets. Capturing that traffic is what people usually mean by a "Bluetooth packet sniffer" or "protocol analyzer." It's much harder: you need dedicated radio hardware that can follow the channel hopping, and you generally have to start capturing before the connection is established.

Most people searching for a "BLE sniffer" actually want the first kind — they want to see what's broadcasting nearby, identify a device, or measure how close it is. Only reverse engineers and firmware developers typically need the second.

What a BLE sniffer can see

From advertisement scanning alone, you can learn a surprising amount:

  • Device name — if the device chooses to broadcast one (many don't).
  • Bluetooth address — a 48-bit address. Note that most phones and privacy-conscious devices rotate a random address every 15 minutes or so, so you can't reliably track them.
  • RSSI (signal strength) — a rough proxy for distance. Higher (closer to 0 dBm) means nearer.
  • Manufacturer — decoded from the company identifier in the advertisement's manufacturer data.
  • Service UUIDs — hints about what the device does (a heart-rate service, a battery service, a proprietary service, and so on).
  • TX power, appearance, and other advertisement fields — additional metadata some devices include.

What a BLE sniffer generally can't see

Setting expectations matters:

  • The contents of an encrypted connection. If two paired devices are exchanging encrypted data, capturing the raw packets doesn't hand you the plaintext.
  • Devices that aren't broadcasting. A sniffer surfaces BLE advertisements. A device sitting silently in a connection, or one with Bluetooth off, won't appear.
  • Classic Bluetooth (BR/EDR). BLE and "classic" Bluetooth are different radio protocols. A BLE sniffer sees Bluetooth Low Energy, not the older classic profiles used by some audio devices.
  • Anything non-Bluetooth. It won't see Wi-Fi, Zigbee, or other radios.

Who uses a BLE sniffer, and why

  • Hardware security researchers enumerate devices, inspect advertisement payloads, and observe how products behave over the air before deciding what to test further.
  • Firmware and IoT developers debug their own devices — checking that advertisements are well-formed and appear as intended.
  • Privacy-conscious people walk a space to see which Bluetooth devices are broadcasting nearby, using signal strength to figure out roughly where a device is.
  • Curious tinkerers simply want to know what's filling the airwaves around them.

How to start sniffing today

You don't need to buy anything to do advertisement scanning. The device in your pocket already has the radio.

BLE Sniffer for Android turns your phone into an advertisement scanner: it scans for nearby Bluetooth Low Energy devices, captures their advertisement data (name, address, RSSI, manufacturer, service UUIDs), logs every session on-device for offline analysis, and lets you export the raw data to CSV. It also includes an RSSI-based proximity radar so you can sweep a room and home in on a signal. There are no ads and no telemetry — scan logs stay on your phone unless you export them yourself.

If you later need full connection-level packet capture, that's the territory of dedicated hardware — see our hardware guide for the options.

Is BLE sniffing legal?

Passively listening to advertisements that devices broadcast publicly is generally comparable to noticing a Wi-Fi network name — the data is being transmitted openly. What gets legally and ethically fraught is connecting to or interacting with devices you don't own or aren't authorized to test. As a rule: scan freely, but only connect to and probe devices you own or have explicit permission to assess. This guide is general information, not legal advice.

The short version

A BLE sniffer captures the Bluetooth Low Energy signals around you. For the common case — seeing what's broadcasting, identifying a device, or gauging proximity — a phone app is all you need. For decoding the traffic inside a live connection, you'll want dedicated sniffer hardware. Knowing which job you're doing is the whole game.

Want to try advertisement scanning right now? BLE Sniffer for Android is free.