Last November, we wrote about the WCH BLE Analyzer Pro, an inexpensive (~$20) USB Bluetooth LE sniffer and analyzer, which looked useful and good value for reverse engineering and debugging.
One downside is that the WCH BLE Analyzer software was only made for Windows 7 to 11, but Xecaz decided to look into it and reverse-engineered the USB protocol to write Linux software using libusb that outputs a standard pcap compatible with popular tools such as Wireshark, or as he puts it: “WinChipHead forgot to ship a Linux driver. We forgot to ask permission.”

The Linux “driver” for the BLE Analyzer Pro tool can be found on GitHub. Building and installing the software is quick and straightforward:
```
git clone https://github.com/xecaz/BLE-Analyzer-pro-linux-capture
cd BLE-Analyzer-pro-linux-capture/
sudo apt install libusb-1.0-0-dev
make
sudo make install
sudo udevadm control --reload-rules && sudo udevadm trigger
```
You can check the options by running the program without parameters:
```
jaufranc@CNX-LAPTOP-5:~/edev/sandbox/BLE-Analyzer-pro-linux-capture$ ./wch_capture
Nothing to do – use -v and/or -w FILE.pcap
WCH BLE Analyzer PRO Linux Capture tool by Xecaz 2026!

Usage: ./wch_capture [OPTIONS]

Options:
  -v            Print packets to stdout
  -w FILE.pcap  Write PCAP (DLT 256, BLE LL + phdr)
  -p PHY        PHY: 1=1M (default), 2=2M, 3=CodedS8, 4=CodedS2
  -i ADDR       Initiator MAC filter (AA:BB:CC:DD:EE:FF)
  -a ADDR       Advertiser MAC filter (AA:BB:CC:DD:EE:FF)
  -k KEY        LTK, 32 hex chars
  -K PASSKEY    BLE passkey (6-digit decimal)
  -2            Custom 2.4G mode (default: BLE monitor)
  -c CHAN       Channel 0-39: BLE adv 37/38/39 or 0=all (auto per MCU); 2.4G raw
  -A AADDR      2.4G access addr (hex, e.g. 8E89BED6)
  -C CRCINIT    2.4G CRC init (6 hex chars, e.g. 555555)
  -W WHITEN     2.4G whitening init (hex byte)
  -h            Show this help

Capture stops on SIGINT (Ctrl+C) or SIGTERM.
```
I don’t have a unit, but it can be used as follows:
```
sudo ./wch_capture -v -w capture.pcap
```
Then you can open the capture.pcap file in Wireshark for further analysis. All three MCUs capture simultaneously on channels 37/38/39, and Wireshark decodes ADV_IND, ADV_NONCONN_IND, ADV_SCAN_IND, SCAN_REQ, SCAN_RSP, CONNECT_IND, OUI lookups, etc. If you want to learn more about the reverse-engineering process, I recommend reading the “RE_PROCESS.md” file on GitHub. An Android app is also being worked on, and Xecaz welcomes testers before releasing the app publicly.
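For a quick inventory of which devices are advertising nearby without opening Wireshark, the capture file can also be parsed directly. The script below is an added example, not code from Xecaz's repository: it assumes the file follows the standard pcap link type 256 layout (a 10-byte pseudo-header followed by the link-layer packet), and the sample capture and addresses in it are constructed for illustration.

```python
import struct
from collections import Counter

DLT_BLE_LL_WITH_PHDR = 256      # link type named in the tool's -w help text
ADV_ACCESS_ADDR = 0x8E89BED6    # advertising access address
PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND",
             3: "SCAN_REQ", 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}
ADVA_OFFSET = {3: 6, 5: 6}      # SCAN_REQ / CONNECT_IND put ScanA / InitA before AdvA

def summarize(pcap: bytes) -> Counter:
    """Count legacy advertising PDUs per (advertiser address, PDU type)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
           b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", pcap[20:24])[0]
    if linktype != DLT_BLE_LL_WITH_PHDR:
        raise ValueError(f"unexpected link type {linktype}")
    seen, pos = Counter(), 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < max(incl_len, 16):       # truncated record or no PDU header
            continue
        # Layout: 10-byte pseudo-header, access address (4), PDU header (2), payload, CRC (3)
        pdu_type, length = frame[14] & 0x0F, frame[15]
        off = 16 + ADVA_OFFSET.get(pdu_type, 0)
        if (struct.unpack("<I", frame[10:14])[0] != ADV_ACCESS_ADDR
                or pdu_type not in PDU_TYPES
                or length < off - 10 or len(frame) < off + 6):
            continue                              # data channel, extended, or malformed
        adva = ":".join(f"{b:02X}" for b in reversed(frame[off:off + 6]))
        seen[(adva, PDU_TYPES[pdu_type])] += 1
    return seen

def _record(pdu_type: int, payload: bytes) -> bytes:
    """Constructed sample record: pcap record header + pseudo-header + LL packet."""
    phdr = struct.pack("<BbbBIH", 0, -60, -90, 0, ADV_ACCESS_ADDR, 0)
    ll = struct.pack("<IBB", ADV_ACCESS_ADDR, pdu_type, len(payload)) + payload + b"\0\0\0"
    return struct.pack("<IIII", 0, 0, len(phdr + ll), len(phdr + ll)) + phdr + ll

ADV = bytes.fromhex("665544332211")   # constructed AdvA 11:22:33:44:55:66 in wire order
SCN = bytes.fromhex("ffeeddccbbaa")   # constructed ScanA
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 256)
          + _record(0, ADV + b"\x02\x01\x06") * 2 + _record(3, SCN + ADV))

if __name__ == "__main__":
    for (adva, kind), n in sorted(summarize(SAMPLE).items()):
        print(adva, kind, n)
```

To run it on a real capture, pass the file contents instead of the sample, for example `summarize(open("capture.pcap", "rb").read())`.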

Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.


