1, Overview
The BTSnoop file format is suitable for storing Bluetooth® HCI traffic. It closely resembles the snoop format, as documented in RFC 1761.
2, File Format
The snoop packet capture file is an array of octets structured as follows:
The File Header is a fixed-length field containing general information about the packet file and the format of the packet records it contains. One or more variable-length Packet Record fields follow the File Header field. Each Packet Record field holds the data of one captured packet.
3, File Header
The structure of the File Header is as follows:
3.1, Identification Pattern:
A 64-bit (8 octet) pattern used to identify the file as a snoop packet capture file. The Identification Pattern consists of the 8 hexadecimal octets:
62 74 73 6E 6F 6F 70 00
This is the ASCII string "btsnoop" followed by one null octet.
3.2, Version Number:
A 32-bit (4 octet) unsigned integer value representing the version of the packet capture file being used. This document describes version number 1, which appears in byte-stream order as: 00 00 00 01.
3.3, Datalink Type:
A 32-bit (4 octet) field identifying the type of datalink header used in the packet records that follow. The datalink type codes are listed in the table below. Values 0 - 1000 are reserved, to maximize compatibility with the RFC1761 snoop version 2 format.
[ Datalink Codes ]
Datalink Type | Code |
Reserved | 0 - 1000 |
Un-encapsulated HCI (H1) | 1001 |
HCI UART (H4) | 1002 |
HCI BSCP | 1003 |
HCI Serial (H5) | 1004 |
Unassigned | 1005 - 4294967295 |
For example, in one snoop log file I looked at, the value is 1002, meaning HCI UART packets; in file byte-stream order the value is 00 00 03 ea, that is, big-endian.
4, Packet Record Format
Each packet record holds a partial or complete copy of one packet as well as some descriptive information about that packet. The packet may be truncated in order to limit the amount of data to be stored in the packet file.
Each packet record holds 24 octets of descriptive information about the packet, followed by the packet data, which is variable-length, and an optional pad field. The descriptive information is structured as six 32-bit (4-octet) integer values.
The structure of the packet record is as follows:
4.1, Original Length
A 32-bit unsigned integer representing the length in octets of the captured packet as received via a network.
4.2, Included Length
A 32-bit unsigned integer representing the length of the Packet Data field. This is the number of octets of the captured packet that are included in this packet record. If the received packet was truncated, the Included Length field is less than the Original Length field.
4.3, Packet Flags
Flags specific to this packet. Currently the following flags are defined:
[ Packet Flag Description ]
Bit No. | Definition |
0 | Direction flag 0 = Sent, 1 = Received |
1 | Command flag 0 = Data, 1 = Command/Event |
2-31 | Reserved |
Bit 0 is the least significant bit of the 32-bit word.
Direction is relative to host / DTE, i.e. for Bluetooth controllers, Send is Host->Controller and Receive is Controller->Host.
Note: Some Datalink Types already encode some or all of this information within the Packet Data. With these Datalink Types, these flags should be treated as informational only, and the value in the Packet Data should take precedence.
4.4, Cumulative Drops
A 32-bit unsigned integer representing the number of packets that were lost by the system that created the packet file between the first packet record in the file and this one. Packets may be lost because of insufficient resources in the capturing system, or for other reasons.
Note: some implementations lack the ability to count dropped packets. Those implementations may set the cumulative drops value to zero.
In other words, if some packets were not recorded during capture, this field can indicate that; if none were lost, it is 0.
4.5, Timestamp Microseconds
A 64-bit signed integer representing the time of packet arrival, in microseconds since midnight, January 1st, 0 AD nominal Gregorian.
In order to avoid leap-day ambiguity in calculations, note that an equivalent epoch may be used of midnight, January 1st 2000 AD, which is represented in this field as 0x00E03AB44A676000.
4.6, Packet Data
Variable-length field holding the packet that was captured, beginning with its datalink header. The Datalink Type field of the file header can be used to determine how to decode the datalink header. The length of the Packet Data field is given in the Included Length field. No pad field needs to follow the Packet Data, although the Snoop Packet Capture File Format Version 2 does have one.
Note that the length of this field is not necessarily rounded to any particular multi-octet boundary, as might otherwise be suggested by the diagram. Accordingly, the file structure diagram above also shows no pad field.
4.7, Data Format
All integer values are stored in "big-endian" order, with the high-order bits first.
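As an added example that is not part of the Frontline specification or of any Android code, the following Python reader parses the file header and packet records described above, checks the magic, version and reserved datalink range, decodes the flag bits and converts the timestamp through the 0x00E03AB44A676000 epoch. The sample file bytes are constructed; the H4 framing byte and the HCI_Reset opcode inside them are assumed from the Bluetooth Core specification, not from this page.

```python
"""Minimal BTSnoop v1 reader (added example, not Frontline's or Android's code)."""
import struct
from datetime import datetime, timedelta, timezone
MAGIC = b"btsnoop\x00"                       # 62 74 73 6E 6F 6F 70 00
EPOCH_2000_US = 0x00E03AB44A676000           # field value at 2000-01-01 00:00:00 UTC
DATALINK = {1001: "Un-encapsulated HCI (H1)", 1002: "HCI UART (H4)",
            1003: "HCI BSCP", 1004: "HCI Serial (H5)"}
HDR = struct.Struct(">8sII")                 # magic, version, datalink (big-endian)
REC = struct.Struct(">IIIIq")                # orig len, incl len, flags, drops, timestamp

def parse_header(buf):
    """Validate the 16-octet file header and return (version, datalink name)."""
    if len(buf) < HDR.size or buf[:8] != MAGIC:
        raise ValueError("not a btsnoop file")
    _, version, datalink = HDR.unpack_from(buf, 0)
    if version != 1:
        raise ValueError("unsupported version %d" % version)
    if datalink <= 1000:
        raise ValueError("datalink code %d is reserved" % datalink)
    return version, DATALINK.get(datalink, "Unassigned (%d)" % datalink)

def decode_flags(flags):
    """Bit 0: direction relative to the host; bit 1: data vs command/event."""
    return {"direction": "Received" if flags & 1 else "Sent",
            "kind": "Command/Event" if flags & 2 else "Data", "reserved": flags >> 2}

def to_datetime(ts_us):
    """Convert the 64-bit microsecond timestamp using the year-2000 epoch value."""
    return datetime(2000, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ts_us - EPOCH_2000_US)

def iter_records(buf):
    """Yield one dict per record; there is no pad, so the next record starts
    right after the Included Length octets of packet data."""
    off = HDR.size
    while off < len(buf):
        if off + REC.size > len(buf):
            raise ValueError("truncated record header at offset %d" % off)
        orig, incl, flags, drops, ts = REC.unpack_from(buf, off)
        off += REC.size
        data = buf[off:off + incl]
        if len(data) != incl or incl > orig:
            raise ValueError("bad record lengths at offset %d" % off)
        off += incl
        yield {"original_length": orig, "included_length": incl, "drops": drops,
               "flags": decode_flags(flags), "time": to_datetime(ts), "data": data}

def build_sample():
    """Constructed file: H4 header plus one sent HCI command, 1 s after the 2000 epoch."""
    pkt = bytes.fromhex("01030c00")          # H4 type 0x01 (command) + HCI_Reset, no params
    return (HDR.pack(MAGIC, 1, 1002)
            + REC.pack(len(pkt), len(pkt), 0b10, 0, EPOCH_2000_US + 1_000_000) + pkt)
```

Feeding the bytes of a real btsnoop_hci.log to parse_header and iter_records works the same way; a record whose Included Length exceeds Original Length or runs past the end of the file is reported rather than silently decoded.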
===== ===== Divider ===== =====
Usage example:
For example, on Android, to verify and debug the Bluetooth stack, from version 4.4 onward you can collect BTSnoop logs manually with the built-in tooling; their format is similar to the snoop log in RFC 1761. These logs capture Host Controller Interface (HCI) packets. On most Android devices the logs are stored under data/misc/bluetooth/logs.
The file is usually named btsnoop_hci.log, and what it captures is the traffic on the HCI interface between the main (host) chip and the Bluetooth controller.
The generated HCI log file can be parsed with Wireshark, a network protocol analyzer, or opened and parsed with Frontline's ComProbe software.
In any Bluetooth-enabled device, when the host side sends and receives data over HCI, storing that data in a file in the snoop format produces a btsnoop_hci log; the file can be named however you like. Android simply has this function built in, or a third-party app can provide it. Some embedded Bluetooth solutions do not ship with it, and the developer has to implement it as needed. Other Bluetooth solutions offer an alternative way to monitor Bluetooth traffic. For example, TI's CC2564 chip has a debug pin for log output, a UART TX signal at 921600 baud, but the log must be viewed with TI's dedicated Logger tool, and its contents are more comprehensive.
What Is Btsnoop_hci Log?
The btsnoop_hci log, also called the Bluetooth host controller interface log, is a log file that provides security analysts and developers access to the Bluetooth host controller interface packets. When the Bluetooth HCI snoop log is enabled, it captures these packets.
The btsnoop_hci log is a log file that provides access to the Bluetooth host controller interface packets. Its function is to store all the transmissions sent through Bluetooth on your device.
After capturing them, it stores them in a file that will be accessible in the storage log of your device. You can also retrieve it and then analyze it later with particular software. Let's get into the details of what the bt snoop log can do and how you can get it on your device.
What Is the Function of Bluetooth HCI Logs?
The function of the Bluetooth HCI logs is to store all the transmissions sent through Bluetooth on your device. If you can access the Bluetooth HCI snoop log, then you must have downloaded the app, which logs the data on your phone through transmission and communication of Bluetooth.
The data will automatically be logged and backed up into the snoop log. You don't need to be concerned about privacy violations or invasions. The Bluetooth HCI snoop logs will never export your data. The logs are just stored in your device, where they can be accessed and analyzed later. All you have to know is how to access the logs.
In most cases, Android devices are made with HCI logging software already present in them. If you use a phone that predates Android 4.4+, you should first download a third-party app. The purpose of downloading a third-party app is that it will help you log and access your Bluetooth HCI snoop logs.
What Is the HCI Log?
The HCI log, also called the Host controller interface log, is basically a record stored in your system. It is the record of all the processes that are performed in your system. The host controller interface itself acts as an intermediary.
It intermediates between your device's controller and the Bluetooth protocol stack host elements. It is implemented in a host-test project through specific protocols, including SPI and UART. In the newer Android devices, there is a Bluetooth low-energy protocol stack. Its function is to speed up hops at more comprehensive frequencies. The benefit of Bluetooth low energy is that it will limit the amount of external interference.
That way, Bluetooth low energy can help the device easily and quickly identify the nearby Bluetooth frequencies. It will also filter out unnecessary signals at the same time.
That would also enhance the security level of your device, which will help prevent the loss of data in the Bluetooth transmission process. The record of the data transfer is kept by the HCI so that you can quickly examine the record whenever you want to, looking for performance problems or security risks.
How To Create Bluetooth HCI Snoop Log?
To create a Bluetooth snoop log, you need to enable the developer settings in your device before you access and export a Bluetooth HCI snoop log. These settings are usually out of sight, so nobody can quickly mess them up and disturb their device's inner workings.
You can access the developer settings if you tap the Build number seven times in your Android settings. Then you must adhere to the instructions below.
1. First, you need to get access to the Developer options of your device.
2. After that, you need to get to the Main Menu.
3. You need to locate the checkbox that says Enable Bluetooth HCI Snoop Log.
4. After locating that checkbox, you need to click on it to start the log. After that, you need to stop it again before you export the final file.
5. The final log will be stored as a file named btsnoop_hci.log. It will be stored in your device's SD or USD.
You need to remember that to gain access to the file, you will need particular network protocol analysis software. You need to rename the files to *.cap before opening them, and then you should process them through the software. You will view the host controller interface protocols and analyze them for security breaches or corruption.
Viewing HCI Logs
You will have two options to view and retrieve the HCI logs. Those are:
1. The first method is connecting the Android device to a desktop computer and then locating the files stored in the mountable drives. That way, you can export and view the Bluetooth HCI snoop logs. After locating the file, you need to export it to the third-party protocol analysis software.
2. The second method to export and view the Bluetooth HCI snoop logs is using the debugging bridge in your Android. It comes preloaded on the device. To utilize this technique, adhere to the guidelines below.
3. First, you need to tap the Build number seven times in your settings to access the Settings. Then in the Main Menu, you need to find the Debugging Bridge.
4. Following that, you need to connect your device to the desktop computer.
5. You will then open the command terminal and run the SDB devices command. After that, you will see your Android device appear in the list on the screen.
6. Finally, you should copy the command and then paste it into the terminal, pulling up your device's Bluetooth HCI snoop log.
What Is the Relation Between Wireshark Software and Bluetooth HCI Snoop Logs?
The relation between Wireshark software and Bluetooth HCI snoop logs is that the Wireshark software captures the data packets, like Bluetooth HCI snoop logs, and stores them. The data is stored in discrete files, which can later be accessed and analyzed.
Wireshark is the most widely used software to sniff data packets. The functions of this software are:
1. It collects the information from the network connection and then analyzes it. A snapshot of the data traffic, made up of numerous packets, is created at once.
2. The Wireshark software also uses filters. The filters are used by the software to process the information. These filters are used to narrow down the analysis. You will first single out the bits of the information, and then you can narrow down your analysis that way.
3. This software can simplify complex information. It does that by turning that information into visuals that everyone easily understands. The entire conversation can be easily processed into usable and clean information bits.
The Wireshark software allows you to dive into your device and pull out the inner data whenever needed. This software is quite common since it is much safer than the others. It is widely used by many agencies, companies, and corporations, so you can use it without having any security concerns.
Conclusion
Let us summarize some of the essential points from the article here so that you can easily remember them in the future.
* The btsnoop_hci log, also called the Bluetooth host controller interface log, is a log file that provides security analysts and developers access to the Bluetooth host controller interface packets.
* The function of the Bluetooth HCI logs is to store all the transmissions sent through Bluetooth on your device.
* The host controller interface log records all of the processes performed in your system. The host controller interface is an intermediary between the controller and the Bluetooth protocol stack host elements.
* The Wireshark software captures the data packets, like Bluetooth HCI snoop logs, and stores them. The data is stored in discrete files, which can later be accessed and analyzed.
* In most cases, Android devices are made with HCI logging software already present in them. If you use a phone that predates Android 4.4+, you should first download a third-party app.
The Bluetooth HCI snoop logs are the transmission records backed up and sent through the Bluetooth host controller interface. These logs are stored on your device. You can always export and view these logs using data analysis software such as Wireshark.
References:
1, Frontline: BT Snoop File Format
2, Positioniseverything: Btsnoop_hci Log: Different Ways to Export and View the Logs - Position Is Everything