├── .gitignore
├── LICENSE
├── README.md
└── btsnoop
    ├── __init__.py
    ├── android
        ├── __init__.py
        ├── executor.py
        ├── phone.py
        └── snoopphone.py
    ├── bt
        ├── __init__.py
        ├── att.py
        ├── hci.py
        ├── hci_acl.py
        ├── hci_cmd.py
        ├── hci_evt.py
        ├── hci_sco.py
        ├── hci_uart.py
        ├── l2cap.py
        └── smp.py
    └── btsnoop
        ├── __init__.py
        └── btsnoop.py


/.gitignore:
--------------------------------------------------------------------------------
1 | *.pyc
2 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Original work Copyright (c) 2013 robotika.cz
 4 | Modified work Copyright (c) 2015 Tomas Nilsson
 5 | 
 6 | Permission is hereby granted, free of charge, to any person obtaining a copy
 7 | of this software and associated documentation files (the "Software"), to deal
 8 | in the Software without restriction, including without limitation the rights
 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | copies of the Software, and to permit persons to whom the Software is
11 | furnished to do so, subject to the following conditions:
12 | 
13 | The above copyright notice and this permission notice shall be included in all
14 | copies or substantial portions of the Software.
15 | 
16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 | SOFTWARE.
23 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | btsnoop
  2 | =======
  3 | 
  4 | Parsing module for BtSnoop packet capture files and encapsulated Bluetooth packets
  5 | 
  6 | Documentation
  7 | -------------
  8 | 
  9 | Specifications
 10 | - BtSnoop format
 11 | 	- http://tools.ietf.org/html/rfc1761
 12 | 	- http://www.fte.com/webhelp/NFC/Content/Technical_Information/BT_Snoop_File_Format.htm
 13 | - Bluetooth specification
 14 | 	- https://www.bluetooth.org/en-us/specification/adopted-specifications
 15 | 
 16 | Module overview
 17 | ---------------
 18 | 
 19 | The `btsnoop` module contains three submodules; `android`, `bt` and `btsnoop`.
 20 | 
 21 | The `android` submodule contains functionality for connecting to, and fetching data from, an Android device. It requires an installation of the Android `adb` tool available in `PATH`.
 22 | 
 23 | The `btsnoop` submodule contains functionality for parsing a btsnoop file.
 24 | 
 25 | The `bt` submodule contains functionality for parsing the Bluetooth data parsed from the btsnoop file.
 26 | 
 27 | Usage
 28 | -----
 29 | 
 30 | ### android
 31 | 
 32 | Getting the btsnoop log from an android device
 33 | 
 34 | ```python
 35 | >>> import os
 36 | >>> from btsnoop.android.snoopphone import SnoopPhone
 37 | >>>
 38 | >>> phone = SnoopPhone()
 39 | >>> filename = phone.pull_btsnoop()
 40 | >>>
 41 | >>> print filename
 42 | /tmp/tmp7t971D/btsnoop_hci.log
 43 | ```
 44 | 
 45 | You can also specify the output file
 46 | 
 47 | ```python
 48 | >>> import os
 49 | >>> from btsnoop.android.snoopphone import SnoopPhone
 50 | >>>
 51 | >>> phone = SnoopPhone()
 52 | >>> home = os.path.expanduser("~")
 53 | >>> dst = os.path.join(home, 'tmp', 'mysnoop.log')
 54 | >>> filename = phone.pull_btsnoop(dst)
 55 | >>>
 56 | >>> print filename
 57 | /home/joekickass/tmp/mysnoop.log
 58 | ```
 59 | 
 60 | ### btsnoop
 61 | 
 62 | Parsing a btsnoop capture file
 63 | 
 64 | ```python
 65 | >>> import os
 66 | >>> import btsnoop.btsnoop.btsnoop as bts
 67 | >>>
 68 | >>> home = os.path.expanduser("~")
 69 | >>> filename = os.path.join(home, 'tmp', 'mysnoop.log')
 70 | >>>
 71 | >>> records = bts.parse(filename)
 72 | >>>
 73 | >>> print len(records)
 74 | 24246
 75 | >>> print records[0]
 76 | (1, 4, 2, datetime.datetime(2015, 4, 2, 6, 29, 25, 914577), '\x01\x03\x0c\x00')
 77 | >>> print records[24245]
 78 | (24246, 8, 3, datetime.datetime(2015, 4, 2, 9, 9, 57, 655656), '\x04\x13\x05\x01@\x00\x01\x00')
 79 | ```
 80 | 
 81 | Some of the information in a record can be printed as human readable strings
 82 | 
 83 | ```python
 84 | >>> import btsnoop.btsnoop.btsnoop as bts
 85 | ...
 86 | >>> print len(records)
 87 | 24246
 88 | >>> print records[0]
 89 | (1, 4, 2, datetime.datetime(2015, 4, 2, 6, 29, 25, 914577), '\x01\x03\x0c\x00')
 90 | >>> record = records[0]
 91 | >>> seq_nbr = record[0]
 92 | >>> pkt_len = record[1]
 93 | >>> flags = bts.flags_to_str(record[2])
 94 | >>> timestamp = record[3]
 95 | >>> data = record[4]
 96 | >>> print seq_nbr
 97 | 1
 98 | >>> print pkt_len
 99 | 4
100 | >>> print flags
101 | ('host', 'controller', 'command')
102 | >>> print timestamp
103 | 2015-04-02 06:29:25.914577
104 | >>> print data
105 | '\x01\x03\x0c\x00'
106 | ```
107 | 
108 | ### bt
109 | 
110 | This is the fun stuff. The data contained in a btsnoop record can be parsed using the `bt` submodule.
111 | 
112 | Parse HCI UART type. This is the first byte of the payload. It tells us what type of HCI packet that is contained in the record.
113 | 
114 | ```python
115 | >>> import btsnoop.bt.hci_uart as hci_uart
116 | >>> import btsnoop.bt.hci as hci
117 | >>>
118 | >>> rec_data = '\x01\x03\x0c\x00'
119 | >>>
120 | >>> hci_type, data = hci_uart.parse(rec_data)
121 | >>>
122 | >>> print hci_type
123 | 1
124 | >>> print data
125 | '\x03\x0c\x00'
126 | >>> print hci_uart.type_to_str(hci_type)
127 | HCI_CMD
128 | ```
129 | 
130 | Parse a HCI command packet. We need to specify HCI type as described in the HCI UART  example.
131 | 
132 | ```python
133 | >>> import btsnoop.bt.hci as hci
134 | >>> import btsnoop.bt.hci_cmd as hci_cmd
135 | >>>
136 | >>> hci_type = 1
137 | >>> hci_data = '\x03\x0c\x00'
138 | >>>
139 | >>> opcode, length, data = hci.parse(hci_type, hci_data)
140 | >>> 
141 | >>> print opcode
142 | 3075
143 | >>> print length
144 | 0
145 | >>> print data
146 | 
147 | >>> print hci_cmd.cmd_to_str(opcode)
148 | COMND Reset
149 | ```
150 | 
151 | Parse a HCI event packet. We need to specify HCI type as described in the HCI UART example.
152 | 
153 | ```python
154 | >>> import btsnoop.bt.hci as hci
155 | >>> import btsnoop.bt.hci_evt as hci_evt
156 | >>>
157 | >>> hci_type = 4
158 | >>> hci_data = '\x13\x05\x01@\x00\x01\x00'
159 | >>>
160 | >>> ret = hci.parse(hci_type, hci_data)
161 | >>> print len(ret)
162 | 3
163 | >>> 
164 | >>> evtcode, length, data = ret
165 | >>> print evtcode
166 | 19
167 | >>> print length
168 | 5
169 | >>> print data
170 | '\x01@\x00\x01\x00'
171 | >>> print hci_evt.evt_to_str(evtcode)
172 | EVENT Number_Of_Completed_Packets
173 | ```
174 | 
175 | Parse a HCI ACL packet. We need to specify HCI type as described in the HCI UART example.
176 | 
177 | ```python
178 | >>> import btsnoop.bt.hci as hci
179 | >>> import btsnoop.bt.hci_acl as hci_acl
180 | >>>
181 | >>> hci_type = 2
182 | >>> hci_data = '@ \x07\x00\x03\x00\x04\x00\x0b@\x04'
183 | >>>
184 | >>> ret = hci.parse(hci_type, hci_data)
185 | >>> print len(ret)
186 | 5
187 | >>>
188 | >>> handle, pb, bc, length, data = ret
189 | >>> print handle
190 | 64
191 | >>> print pb
192 | 2
193 | >>> print data
194 | '\x00\x03\x00\x04\x00\x0b@\x04'
195 | >>> print hci_acl.pb_to_str(pb)
196 | ACL_PB START_AUTO_L2CAP_PDU
197 | ```
198 | 
199 | ### More complex samples
200 | 
201 | ```python
202 | import sys
203 | import binascii
204 | import string
205 | from prettytable import PrettyTable
206 | 
207 | import btsnoop.btsnoop.btsnoop as btsnoop
208 | import btsnoop.bt.hci_uart as hci_uart
209 | import btsnoop.bt.hci_cmd as hci_cmd
210 | import btsnoop.bt.hci_evt as hci_evt
211 | import btsnoop.bt.hci_acl as hci_acl
212 | import btsnoop.bt.l2cap as l2cap
213 | import btsnoop.bt.att as att
214 | import btsnoop.bt.smp as smp
215 | 
216 | def get_rows(records):
217 | 
218 |     rows = []
219 |     for record in records:
220 | 
221 |         seq_nbr = record[0]
222 |         time = record[3].strftime("%b-%d %H:%M:%S.%f")
223 | 
224 |         hci_pkt_type, hci_pkt_data = hci_uart.parse(record[4])
225 |         hci = hci_uart.type_to_str(hci_pkt_type)
226 | 
227 |         if hci_pkt_type == hci_uart.HCI_CMD:
228 |             
229 |             opcode, length, data = hci_cmd.parse(hci_pkt_data)
230 |             cmd_evt_l2cap = hci_cmd.cmd_to_str(opcode)
231 | 
232 |         elif hci_pkt_type == hci_uart.HCI_EVT:
233 |             
234 |             hci_data = hci_evt.parse(hci_pkt_data)
235 |             evtcode, data = hci_data[0], hci_data[-1]
236 |             cmd_evt_l2cap = hci_evt.evt_to_str(evtcode)
237 | 
238 |         elif hci_pkt_type == hci_uart.ACL_DATA:
239 |             
240 |             hci_data = hci_acl.parse(hci_pkt_data)
241 |             l2cap_length, l2cap_cid, l2cap_data = l2cap.parse(hci_data[2], hci_data[4])
242 | 
243 |             if l2cap_cid == l2cap.L2CAP_CID_ATT:
244 | 
245 |                 att_opcode, att_data = att.parse(l2cap_data)
246 |                 cmd_evt_l2cap = att.opcode_to_str(att_opcode)
247 |                 data = att_data
248 | 
249 |             elif l2cap_cid == l2cap.L2CAP_CID_SMP:
250 | 
251 |                 smp_code, smp_data = smp.parse(l2cap_data)
252 |                 cmd_evt_l2cap = smp.code_to_str(smp_code)
253 |                 data = smp_data
254 | 
255 |             elif l2cap_cid == l2cap.L2CAP_CID_SCH or l2cap_cid == l2cap.L2CAP_CID_LE_SCH:
256 | 
257 |                 sch_code, sch_id, sch_length, sch_data = l2cap.parse_sch(l2cap_data)
258 |                 cmd_evt_l2cap = l2cap.sch_code_to_str(sch_code)
259 |                 data = sch_data
260 | 
261 |         data = binascii.hexlify(data)
262 |         data = len(data) > 30 and data[:30] + "..." or data  
263 | 
264 |         rows.append([seq_nbr, time, hci, cmd_evt_l2cap, data])
265 | 
266 |     return rows
267 | 
268 | 
269 | def main(filename):
270 |     """
271 |     Parse a btsnoop log and print relevant data in a table
272 | 
273 |     Note: Using an old version of PrettyTable.
274 |     """
275 | 
276 |     table = PrettyTable(['No.', 'Time', 'HCI', 'CMD/EVT/L2CAP', 'Data'])
277 |     table.aligns[3] = 'l'
278 |     table.aligns[4] = 'l'
279 |     
280 |     records = btsnoop.parse(filename)
281 |     rows = get_rows(records)
282 |     [table.add_row(r) for r in rows]
283 | 
284 |     print table
285 | 
286 | 
287 | if __name__ == "__main__":
288 |     if len(sys.argv) == 2:
289 |         main(sys.argv[1])
290 |     else:
291 |         sys.exit(-1)
292 | ```
293 | 


--------------------------------------------------------------------------------
/btsnoop/__init__.py:
--------------------------------------------------------------------------------
 1 | #
 2 | # btsnoop module
 3 | #
 4 | # TODO: Move stuff here to their corresponding modules
 5 | #
 6 | import binascii
 7 | import btsnoop.btsnoop as bts
 8 | import bt.hci_cmd as hci_cmd
 9 | import bt.hci_uart as hci_uart
10 | 
11 | from android.snoopphone import SnoopPhone
12 | 
13 | 
14 | def get_ltk(path=None):
15 | 	"""
16 | 	Get the Long Term Key
17 | 	"""
18 | 	records = get_records(path=path)
19 | 	cmds = get_cmds(records)
20 | 	start_enc_cmds = filter(lambda (opcode, length, data): opcode == 0x2019, cmds)
21 | 	ltks = map(lambda (opcode, length, data): binascii.hexlify(data)[-32:], start_enc_cmds)
22 | 	last_ltk = len(ltks) != 0 and ltks[-1] or ""
23 | 	return "".join(map(str.__add__, last_ltk[1::2] ,last_ltk[0::2]))
24 | 
25 | 
26 | def get_rand_addr(path=None):
27 | 	"""
28 | 	Get the Host Private Random Address
29 | 	"""
30 | 	records = get_records(path=path)
31 | 	cmds = get_cmds(records)
32 | 	set_rand_addr = filter(lambda (opcode, length, data): opcode == 0x2005, cmds)
33 | 	addrs = map(lambda (opcode, length, data): binascii.hexlify(data)[-12:], set_rand_addr)
34 | 	last_addr = len(addrs) != 0 and addrs[-1] or ""
35 | 	return "".join(map(str.__add__, last_addr[1::2], last_addr[0::2]))
36 | 
37 | 
38 | def get_records(path=None):
39 | 	if not path:
40 | 		path = _pull_log()
41 | 	return bts.parse(path)
42 | 
43 | 
44 | def get_cmds(records):
45 | 	hci_uarts = map(lambda record: hci_uart.parse(record[4]), records)
46 | 	hci_cmds = filter(lambda (hci_type, hci_data): hci_type == hci_uart.HCI_CMD, hci_uarts)
47 | 	return map(lambda (hci_type, hci_data): hci_cmd.parse(hci_data), hci_cmds)
48 | 
49 | 
50 | def _pull_log():
51 | 	"""
52 | 	Pull the btsnoop log from a connected phone
53 | 	"""
54 | 	phone = SnoopPhone()
55 | 	return phone.pull_btsnoop()


--------------------------------------------------------------------------------
/btsnoop/android/__init__.py:
--------------------------------------------------------------------------------
1 | from . import executor
2 | from . import phone
3 | from . import snoopphone


--------------------------------------------------------------------------------
/btsnoop/android/executor.py:
--------------------------------------------------------------------------------
 1 | import subprocess
 2 | 
 3 | 
 4 | class Executor(object):
 5 |     """
 6 |     Wrapper for subprocess
 7 |     """
 8 | 
 9 |     def __init__(self, command):
10 |         self.cmd = command
11 | 
12 |     def execute(self):
13 |         """
14 |         Executes the given command
15 | 
16 |         Returns a tuple of (exit code, stdout+stderr)
17 |         """
18 |         ret = ''
19 |         exit_code = 0
20 |         try:
21 |             ret = subprocess.check_output(self.cmd, stderr=subprocess.STDOUT, shell=True)
22 |             ret = ret.rstrip()
23 |         except subprocess.CalledProcessError as error:
24 |             exit_code = error.returncode
25 |             ret = error.output.rstrip()
26 |         return exit_code, ret
27 | 


--------------------------------------------------------------------------------
/btsnoop/android/phone.py:
--------------------------------------------------------------------------------
 1 | from __future__ import unicode_literals
 2 | from executor import Executor
 3 | 
 4 | class Phone(object):
 5 | 
 6 |     def __init__(self, serial=None):
 7 |         self.serial = serial
 8 | 
 9 |     def shell(self, cmd):
10 |         cmd = "adb shell " + cmd
11 |         ret, out = Executor(cmd).execute()
12 |         if ret != 0:
13 |             raise ValueError("Could not execute adb shell " + cmd)
14 |         return out
15 | 
16 |     def pull(self, src, dst):
17 |         cmd = "adb pull " + src + " " + dst
18 |         return Executor(cmd).execute()
19 | 
20 |     def push(self, src, dst):
21 |         cmd = "adb push " + src + " " + dst
22 |         return Executor(cmd).execute()
23 | 
24 |     def ls(self, path):
25 |         out = self.shell("ls " + path)
26 |         return out.splitlines()
27 | 
28 |     def start_app(self, pkg_name):
29 |         cmd = 'monkey -p ' + pkg_name + ' -c android.intent.category.LAUNCHER 1'
30 |         self.shell(cmd)


--------------------------------------------------------------------------------
/btsnoop/android/snoopphone.py:
--------------------------------------------------------------------------------
 1 | import os
 2 | import tempfile
 3 | import ConfigParser
 4 | 
 5 | from phone import Phone
 6 | 
 7 | 
 8 | BTSTACK_CONFIG_FILE = 'bt_stack.conf'
 9 | # Needs to always be in UNIX format, hence no os.path.join
10 | BTSTACK_CONFIG_PATH = '/etc/bluetooth/' + BTSTACK_CONFIG_FILE
11 |  
12 | BTSNOOP_FALLBACK_FILE = 'btsnoop_hci.log'
13 | # Needs to always be in UNIX format, hence no os.path.join
14 | BTSNOOP_FALLBACK_PATH = '/sdcard/' + BTSNOOP_FALLBACK_FILE
15 | 
16 | 
17 | class SnoopPhone(Phone):
18 | 
19 |     def __init__(self, serial=None):
20 |         super(SnoopPhone, self).__init__(serial=serial)
21 |         self._tmp_dir = tempfile.mkdtemp()
22 | 
23 |     def pull_btsnoop(self, dst=None):
24 |         
25 |         btsnoop_path, btsnoop_file = self._locate_btsnoop()
26 | 
27 |         if not dst:
28 |             dst = os.path.join(self._tmp_dir, btsnoop_file)
29 | 
30 |         ret = super(SnoopPhone, self).pull(btsnoop_path, dst)
31 |         if ret[0] == 0:
32 |             print ret[1] + " " + dst 
33 |             return dst
34 |         else:
35 |             return None
36 | 
37 |     def _locate_btsnoop(self):
38 |         tmp_config_path = self._pull_btconfig()
39 |         config = self._parse_btconfig(tmp_config_path)
40 |         try:
41 |             btsnoop_path = config['btsnoopfilename']
42 |             return btsnoop_path, os.path.basename(btsnoop_path)
43 |         except:
44 |             return BTSNOOP_FALLBACK_PATH, BTSNOOP_FALLBACK_FILE
45 | 
46 |     def _parse_btconfig(self, path):
47 |         if not os.path.exists(path):
48 |             raise ValueError("Failed to read bt_stack.conf")
49 | 
50 |         # Needed because ConfigParser won't work without at least one header
51 |         class DummyHeaderFile(object):
52 |             def __init__(self, fp):
53 |                 self.fp = fp
54 |                 self.dummy = '[dummy]\n'
55 | 
56 |             def readline(self):
57 |                 if self.dummy:
58 |                     try: 
59 |                         return self.dummy
60 |                     finally: 
61 |                         self.dummy = None
62 |                 else: 
63 |                     return self.fp.readline()
64 |         
65 |         # Parse key/values
66 |         parser = ConfigParser.SafeConfigParser()
67 |         with open(path, 'r') as f:
68 |             parser.readfp(DummyHeaderFile(f))
69 |             return dict(parser.items('dummy'))
70 | 
71 |     def _pull_btconfig(self):
72 |         dst = os.path.join(self._tmp_dir, BTSTACK_CONFIG_FILE)
73 |         retcode, out = super(SnoopPhone, self).pull(BTSTACK_CONFIG_PATH, dst)
74 |         if retcode == 0:
75 |             return dst
76 |         else:
77 |             raise ValueError("Failed to pull bt_stack.conf")


--------------------------------------------------------------------------------
/btsnoop/bt/__init__.py:
--------------------------------------------------------------------------------
1 | from . import hci
2 | from . import hci_uart
3 | from . import hci_cmd
4 | from . import hci_evt
5 | from . import hci_sco
6 | from . import hci_acl
7 | from . import l2cap
8 | from . import att
9 | from . import smp


--------------------------------------------------------------------------------
/btsnoop/bt/att.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Parse ATT packets
 3 | """
 4 | import struct
 5 | 
 6 | 
 7 | """
 8 | ATT PDUs
 9 | 
10 | References can be found here:
11 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
12 |     ** [vol 3] Part F (Section 3.4.8) - Attribute Opcode Summary
13 | """
14 | ATT_PDUS = {
15 |         0x01 : "ATT Error_Response",
16 |         0x02 : "ATT Exchange_MTU_Request",
17 |         0x03 : "ATT Exchange_MTU_Response",
18 |         0x04 : "ATT Find_Information_Request",
19 |         0x05 : "ATT Find_Information_Response",
20 |         0x06 : "ATT Find_By_Type_Value_Request",
21 |         0x07 : "ATT Find_By_Type_Value_Response",
22 |         0x08 : "ATT Read_By_Type_Request",
23 |         0x09 : "ATT Read_By_Type_Response",
24 |         0x0A : "ATT Read_Request",
25 |         0x0B : "ATT Read_Response",
26 |         0x0C : "ATT Read_Blob_Request",
27 |         0x0D : "ATT Read_Blob_Response",
28 |         0x0E : "ATT Read_Multiple_Request",
29 |         0x0F : "ATT Read_Multiple_Response",
30 |         0x10 : "ATT Read_By_Group_Type_Request",
31 |         0x11 : "ATT Read_By_Group_Type_Response",
32 |         0x12 : "ATT Write_Request",
33 |         0x13 : "ATT Write_Response",
34 |         0x52 : "ATT Write_Command",
35 |         0xD2 : "ATT Signed_Write_Command",
36 |         0x16 : "ATT Prepare_Write_Request",
37 |         0x17 : "ATT Prepare_Write_Response",
38 |         0x18 : "ATT Execute_Write_Request",
39 |         0x19 : "ATT Execute_Write_Response",
40 |         0x1B : "ATT Handle_Value_Notification",
41 |         0x1D : "ATT Handle_Value_Indication",
42 |         0x1E : "ATT Handle_Value_Confirmation"
43 |     }
44 | 
45 | 
46 | def parse(data):
47 |     """
48 |     Attribute opcode is the first octet of the PDU
49 | 
50 |      0 1 2 3 4 5 6 7
51 |     -----------------
52 |     |   att opcode  |
53 |     -----------------
54 |     |     a     |b|c|
55 |     -----------------
56 |     a - method
57 |     b - command flag
58 |     c - authentication signature flag
59 | 
60 |     References can be found here:
61 |         * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
62 |         ** [vol 3] Part F (Section 3.3) - Attribute PDU
63 | 
64 |     Return a tuple (opcode, data)
65 |     """
66 |     opcode = struct.unpack("<B", data[:1])[0]
67 |     return (opcode, data[1:])
68 | 
69 | 
70 | def opcode_to_str(opcode):
71 |     """
72 |     Return a string representing the ATT PDU opcode
73 |     """
74 |     return ATT_PDUS[opcode]


--------------------------------------------------------------------------------
/btsnoop/bt/hci.py:
--------------------------------------------------------------------------------
 1 | """
 2 |   Parse hci packet information from binary string
 3 | """
 4 | import sys
 5 | import struct
 6 | import hci_uart
 7 | import hci_cmd
 8 | import hci_evt
 9 | import hci_acl
10 | import hci_sco
11 | 
12 | 
13 | PKT_TYPE_PARSERS = {hci_uart.HCI_CMD : hci_cmd.parse,
14 |                     hci_uart.ACL_DATA : hci_acl.parse,
15 |                     hci_uart.SCO_DATA : hci_sco.parse,
16 |                     hci_uart.HCI_EVT : hci_evt.parse}
17 | 
18 | 
19 | def parse(hci_pkt_type, data):
20 |     """
21 |     Convenience method for switching between parsing methods based on type
22 |     """
23 |     parser = PKT_TYPE_PARSERS[hci_pkt_type]
24 |     if parser is None:
25 |         raise ValueError("Illegal HCI packet type")
26 |     return parser(data)


--------------------------------------------------------------------------------
/btsnoop/bt/hci_acl.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Parse HCI ACL packets
 3 | """
 4 | import struct
 5 | import ctypes
 6 | from ctypes import c_uint
 7 | 
 8 | 
 9 | """
10 | ACL handle is 12 bits, followed by 2 bits packet boundary flags and 2
11 | bits broadcast flags.
12 | 
13 |  0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
14 | -----------------------------------------------------------------
15 | |            handle     |pb |bc |             length            |
16 | -----------------------------------------------------------------
17 | 
18 | References can be found here:
19 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
20 |     ** [vol 2] Part E (Section 5.4.2) - HCI ACL Data Packets
21 | """
22 | class ACL_HEADER_BITS( ctypes.LittleEndianStructure ):
23 |     _fields_ = [("handle",  c_uint,  12),
24 |                 ("pb",      c_uint,  2 ),
25 |                 ("bc",      c_uint,  2 ),
26 |                 ("length",  c_uint,  16)]
27 | 
28 | class ACL_HEADER( ctypes.Union ):
29 |     """
30 |     This is a trick for converting bitfields to separate values
31 |     """
32 |     _fields_ = [("b", ACL_HEADER_BITS),
33 |                 ("asbyte", c_uint)]
34 | 
35 | 
36 | """
37 | Packet Boundary flag
38 | 
39 | References can be found here:
40 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
41 |     ** [vol 2] Part E (Section 5.4.2) - HCI ACL Data Packets
42 | """
43 | PB_START_NON_AUTO_L2CAP_PDU = 0
44 | PB_CONT_FRAG_MSG = 1
45 | PB_START_AUTO_L2CAP_PDU = 2
46 | PB_COMPLETE_L2CAP_PDU = 3
47 | 
48 | 
49 | PB_FLAGS = {
50 |         PB_START_NON_AUTO_L2CAP_PDU : "ACL_PB START_NON_AUTO_L2CAP_PDU",
51 |         PB_CONT_FRAG_MSG : "ACL_PB CONT_FRAG_MSG",
52 |         PB_START_AUTO_L2CAP_PDU : "ACL_PB START_AUTO_L2CAP_PDU",
53 |         PB_COMPLETE_L2CAP_PDU : "ACL_PB COMPLETE_L2CAP_PDU"
54 |     }
55 | 
56 | 
57 | def parse(data):
58 |     """
59 |     Parse HCI ACL data
60 | 
61 |     References can be found here:
62 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
63 |     ** [vol 2] Part E (Section 5) - HCI Data Formats
64 |     ** [vol 2] Part E (Section 5.4) - Exchange of HCI-specific information
65 | 
66 |     """
67 |     hdr = ACL_HEADER()
68 |     hdr.asbyte = struct.unpack("<I", data[:4])[0]
69 |     handle = int(hdr.b.handle)
70 |     pb = int(hdr.b.pb)
71 |     bc = int(hdr.b.bc)
72 |     length = int(hdr.b.length)
73 |     return (handle, pb, bc, length, data[4:])
74 | 
75 | 
76 | def pb_to_str(pb):
77 |     """
78 |     Return a string representing the packet boundary flag
79 |     """
80 |     assert pb in [0, 1, 2, 3]
81 |     return PB_FLAGS[pb]


--------------------------------------------------------------------------------
/btsnoop/bt/hci_cmd.py:
--------------------------------------------------------------------------------
  1 | """
  2 |   Parse hci commands
  3 | """
  4 | import struct
  5 | 
  6 | 
  7 | """
  8 | OpCodes and names for HCI commands according to the Bluetooth specification
  9 | 
 10 | OpCode is 2 bytes, of which OGF is the upper 6 bits and OCF is the lower 10 bits.
 11 | 
 12 |  0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
 13 | -------------------------------------------------
 14 | |            opcode             |    length     |
 15 | -------------------------------------------------
 16 | |        OCF        |    OGF    |
 17 | ---------------------------------
 18 | """
 19 | HCI_COMMANDS = {
 20 |         0x0401 : "COMND Inquiry",
 21 |         0x0402 : "COMND Inquiry_Cancel",
 22 |         0x0403 : "COMND Periodic_Inquiry_Mode",
 23 |         0x0404 : "COMND Exit_Periodic_Inquiry_Mode",
 24 |         0x0405 : "COMND Create_Connection",
 25 |         0x0406 : "COMND Disconnect",
 26 |         0x0408 : "COMND Create_Connection_Cancel",
 27 |         0x0409 : "COMND Accept_Connection_Request",
 28 |         0x040a : "COMND Reject_Connection_Request",
 29 |         0x040b : "COMND Link_Key_Request_Reply",
 30 |         0x040c : "COMND Link_Key_Request_Negative_Reply",
 31 |         0x040d : "COMND PIN_Code_Request_Reply",
 32 |         0x040e : "COMND PIN_Code_Request_Negative_Reply",
 33 |         0x040f : "COMND Change_Connection_Packet_Type",
 34 |         0x0411 : "COMND Authentication_Requested",
 35 |         0x0413 : "COMND Set_Connection_Encryption ",
 36 |         0x0415 : "COMND Change_Connection_Link_Key",
 37 |         0x0417 : "COMND Master_Link_Key",
 38 |         0x0419 : "COMND Remote_Name_Request",
 39 |         0x041a : "COMND Remote_Name_Request_Cancel",
 40 |         0x041b : "COMND Read_Remote_Supported_Features",
 41 |         0x041c : "COMND Read_Remote_Extended_Features",
 42 |         0x041d : "COMND Read_Remote_Version_Information",
 43 |         0x041f : "COMND Read_Clock_Offset",
 44 |         0x0420 : "COMND Read_LMP_Handle",
 45 |         0x0428 : "COMND Setup_Synchronous_Connection",
 46 |         0x0429 : "COMND Accept_Synchronous_Connection_Request",
 47 |         0x042a : "COMND Reject_Synchronous_Connection_Request",
 48 |         0x042b : "COMND IO_Capability_Request_Reply",
 49 |         0x042c : "COMND User_Confirmation_Request_Reply",
 50 |         0x042d : "COMND User_Confirmation_Request_Negative_Reply",
 51 |         0x042e : "COMND User_Passkey_Request_Reply",
 52 |         0x042f : "COMND User_Passkey_Request_Negative_Reply",
 53 |         0x0430 : "COMND Remote_OOB_Data_Request_Reply",
 54 |         0x0433 : "COMND Remote_OOB_Data_Request_Negative_Reply",
 55 |         0x0434 : "COMND IO_Capability_Request_Negative_Reply",
 56 |         0x0435 : "COMND Create_Physical_Link",
 57 |         0x0436 : "COMND Accept_Physical_Link",
 58 |         0x0437 : "COMND Disconnect_Physical_Link",
 59 |         0x0438 : "COMND Create_Logical_Link",
 60 |         0x0439 : "COMND Accept_Logical_Link",
 61 |         0x043a : "COMND Disconnect_Logical_Link",
 62 |         0x043b : "COMND Logical_Link_Cancel",
 63 |         0x043c : "COMND Flow_Spec_Modify",
 64 |         0x043d : "COMND Enhanced_Setup_Synchronous_Connection",
 65 |         0x043e : "COMND Enhanced_Accept_Synchronous_Connection_Request",
 66 |         0x043f : "COMND Truncated_Page",
 67 |         0x0440 : "COMND Truncated_Page_Cancel",
 68 |         0x0441 : "COMND Set_Connectionless_Slave_Broadcast",
 69 |         0x0442 : "COMND Set_Connectionless_Slave_Broadcast_Broadcast_Receive",
 70 |         0x0443 : "COMND Start_Synchronization_Train",
 71 |         0x0444 : "COMND Receive_Synchronization_Train",
 72 |         0x0445 : "COMND Remote_OOB_Extended_Data_Request_Reply",
 73 |         0x0801 : "COMND Hold_Mode",
 74 |         0x0803 : "COMND Sniff_Mode",
 75 |         0x0804 : "COMND Exit_Sniff_Mode",
 76 |         0x0805 : "COMND Park_State",
 77 |         0x0806 : "COMND Exit_Park_State",
 78 |         0x0807 : "COMND QoS_Setup",
 79 |         0x0809 : "COMND Role_Discovery",
 80 |         0x080b : "COMND Switch_Role",
 81 |         0x080c : "COMND Read_Link_Policy_Settings",
 82 |         0x080d : "COMND Write_Link_Policy_Settings",
 83 |         0x080e : "COMND Read_Default_Link_Policy_Settings",
 84 |         0x080f : "COMND Write_Default_Link_Policy_Settings",
 85 |         0x0810 : "COMND Flow_Specification",
 86 |         0x0811 : "COMND Sniff_Subrating",
 87 |         0x0c01 : "COMND Set_Event_Mask",
 88 |         0x0c03 : "COMND Reset",
 89 |         0x0c05 : "COMND Set_Event_Filter",
 90 |         0x0c08 : "COMND Flush",
 91 |         0x0c09 : "COMND Read_PIN_Type",
 92 |         0x0c0a : "COMND Write_PIN_Type",
 93 |         0x0c0b : "COMND Create_New_Unit_Key",
 94 |         0x0c0d : "COMND Read_Stored_Link_Key",
 95 |         0x0c11 : "COMND Write_Stored_Link_Key",
 96 |         0x0c12 : "COMND Delete_Stored_Link_Key",
 97 |         0x0c13 : "COMND Write_Local_Name",
 98 |         0x0c14 : "COMND Read_Local_Name",
 99 |         0x0c15 : "COMND Read_Connection_Accept_Timeout",
100 |         0x0c16 : "COMND Write_Connection_Accept_Timeout",
101 |         0x0c17 : "COMND Read_Page_Timeout",
102 |         0x0c18 : "COMND Write_Page_Timeout",
103 |         0x0c19 : "COMND Read_Scan_Enable",
104 |         0x0c1a : "COMND Write_Scan_Enable",
105 |         0x0c1b : "COMND Read_Page_Scan_Activity",
106 |         0x0c1c : "COMND Write_Page_Scan_Activity",
107 |         0x0c1d : "COMND Read_Inquiry_Scan_Activity",
108 |         0x0c1e : "COMND Write_Inquiry_Scan_Activity",
109 |         0x0c1f : "COMND Read_Authentication_Enable",
110 |         0x0c20 : "COMND Write_Authentication_Enable",
111 |         0x0c23 : "COMND Read_Class_of_Device",
112 |         0x0c24 : "COMND Write_Class_of_Device",
113 |         0x0c25 : "COMND Read_Voice_Setting",
114 |         0x0c26 : "COMND Write_Voice_Setting",
115 |         0x0c27 : "COMND Read_Automatic_Flush_Timeout",
116 |         0x0c28 : "COMND Write_Automatic_Flush_Timeout",
117 |         0x0c29 : "COMND Read_Num_Broadcast_Retransmissions",
118 |         0x0c30 : "COMND Write_Num_Broadcast_Retransmissions",
119 |         0x0c2b : "COMND Read_Hold_Mode_Activity",
120 |         0x0c2c : "COMND Write_Hold_Mode_Activity",
121 |         0x0c2d : "COMND Read_Transmit_Power_Level",
122 |         0x0c2e : "COMND Read_Synchronous_Flow_Control_Enable",
123 |         0x0c2f : "COMND Write_Synchronous_Flow_Control_Enable",
124 |         0x0c31 : "COMND Set_Controller_To_Host_Flow_Control",
125 |         0x0c33 : "COMND Host_Buffer_Size",
126 |         0x0c35 : "COMND Host_Number_Of_Completed_Packets",
127 |         0x0c36 : "COMND Read_Link_Supervision_Timeout",
128 |         0x0c37 : "COMND Write_Link_Supervision_Timeout",
129 |         0x0c38 : "COMND Read_Number_Of_Supported_IAC",
130 |         0x0c39 : "COMND Read_Current_IAC_LAP",
131 |         0x0c3a : "COMND Write_Current_IAC_LAP",
132 |         0x0c3f : "COMND Set_AFH_Host_Channel_Classification",
133 |         0x0c42 : "COMND Read_Inquiry_Scan_Type",
134 |         0x0c43 : "COMND Write_Inquiry_Scan_Type",
135 |         0x0c44 : "COMND Read_Inquiry_Mode",
136 |         0x0c45 : "COMND Write_Inquiry_Mode",
137 |         0x0c46 : "COMND Read_Page_Scan_Type",
138 |         0x0c47 : "COMND Write_Page_Scan_Type",
139 |         0x0c48 : "COMND Read_AFH_Channel_Assessment_Mode",
140 |         0x0c49 : "COMND Write_AFH_Channel_Assessment_Mode",
141 |         0x0c51 : "COMND Read_Extended_Inquiry_Response",
142 |         0x0c52 : "COMND Write_Extended_Inquiry_Response",
143 |         0x0c53 : "COMND Refresh_Encryption_Key",
144 |         0x0c55 : "COMND Read_Simple_Pairing_Mode",
145 |         0x0c56 : "COMND Write_Simple_Pairing_Mode",
146 |         0x0c57 : "COMND Read_Local_OOB_Data",
147 |         0x0c58 : "COMND Read_Inquiry_Response_Transmit_Power_Level",
148 |         0x0c59 : "COMND Write_Inquiry_Response_Transmit_Power_Level",
149 |         0x0c60 : "COMND Send_Key_Press_Notification",
150 |         0x0c5a : "COMND Read_Default_Erroneous_Data_Reporting",
151 |         0x0c5b : "COMND Write_Default_Erroneous_Data_Reporting",
152 |         0x0c5f : "COMND Enhanced_Flush",
153 |         0x0c61 : "COMND Read_Logical_Link_Accept_Timeout",
154 |         0x0c62 : "COMND Write_Logical_Link_Accept_Timeout",
155 |         0x0c63 : "COMND Set_Event_Mask_Page_2",
156 |         0x0c64 : "COMND Read_Location_Data",
157 |         0x0c65 : "COMND Write_Location_Data",
158 |         0x0c66 : "COMND Read_Flow_Control_Mode",
159 |         0x0c67 : "COMND Write_Flow_Control_Mode",
160 |         0x0c68 : "COMND Read_Enhance_Transmit_Power_Level",
161 |         0x0c69 : "COMND Read_Best_Effort_Flush_Timeout",
162 |         0x0c6a : "COMND Write_Best_Effort_Flush_Timeout",
163 |         0x0c6b : "COMND Short_Range_Mode",
164 |         0x0c6c : "COMND Read_LE_Host_Support",
165 |         0x0c6d : "COMND Write_LE_Host_Support",
166 |         0x0c6e : "COMND Set_MWS_Channel_Parameters",
167 |         0x0c6f : "COMND  Set_ External_Frame_Configuration",
168 |         0x0c70 : "COMND Set_MWS_Signaling",
169 |         0x0c71 : "COMND Set_MWS_Transport_Layer",
170 |         0x0c72 : "COMND Set_MWS_Scan_Frequency_Table",
171 |         0x0c73 : "COMND Set_MWS_PATTERN_Configuration",
172 |         0x0c74 : "COMND Set_Reserved_LT_ADDR",
173 |         0x0c75 : "COMND Delete_Reserved_LT_ADDR",
174 |         0x0c76 : "COMND Set_Connectionless_Slave_Broadcast_Data",
175 |         0x0c77 : "COMND Read_Synchronization_Train_Parameters",
176 |         0x0c78 : "COMND Write_Synchronization_Train_Parameters",
177 |         0x0c79 : "COMND Read_Secure_Connections_Host_Support",
178 |         0x0c7a : "COMND Write_Secure_Connections_Host_Support",
179 |         0x0c7b : "COMND Read_Authenticated_Payload_Timeout",
180 |         0x0c7c : "COMND Write_Authenticated_Payload_Timeout",
181 |         0x0c7d : "COMND Read_Local_OOB_Extended_Data",
182 |         0x0c7e : "COMND Read_Extended_Page_Timeout",
183 |         0x0c7f : "COMND Write_Extended_Page_Timeout",
184 |         0x0c80 : "COMND Read_Extended_Inquiry_Length",
185 |         0x0c81 : "COMND Write_Extended_Inquiry_Length",
186 |         0x1001 : "COMND Read_Local_Version_Information",
187 |         0x1002 : "COMND Read_Local_Supported_Commands",
188 |         0x1003 : "COMND Read_Local_Supported_Features",
189 |         0x1004 : "COMND Read_Local_Extended_Features",
190 |         0x1005 : "COMND Read_Buffer_Size",
191 |         0x1009 : "COMND Read_BD_ADDR",
192 |         0x100a : "COMND Read_Data_Block_Size",
193 |         0x100b : "COMND Read_Local_Supported_Codecs",
194 |         0x1401 : "COMND Read_Failed_Contact_Counter",
195 |         0x1402 : "COMND Reset_Failed_Contact_Counter",
196 |         0x1403 : "COMND Read_Link_Quality",
197 |         0x1405 : "COMND Read_RSSI",
198 |         0x1406 : "COMND Read_AFH_Channel_Map",
199 |         0x1407 : "COMND Read_Clock",
200 |         0x1408 : "COMND Encryption_Key_Size",
201 |         0x1409 : "COMND Read_Local_AMP_Info",
202 |         0x140a : "COMND Read_Local_AMP_ASSOC",
203 |         0x140b : "COMND Write_Remote_AMP_ASSOC",
204 |         0x140c : "COMND Get_MWS_Transport_Layer_Configuration",
205 |         0x140d : "COMND Set_Triggered_Clock_Capture",
206 |         0x1801 : "COMND Read_Loopback_Mode",
207 |         0x1802 : "COMND Write_Loopback_Mode",
208 |         0x1803 : "COMND Enable_Device_Under_Test_Mode",
209 |         0x1804 : "COMND Write_Simple_Pairing_Debug_Mode",
210 |         0x1807 : "COMND Enable_AMP_Receiver_Reports",
211 |         0x1808 : "COMND AMP_Test_End",
212 |         0x1809 : "COMND AMP_Test",
213 |         0x180a : "COMND Write_Secure_Connection_Test_Mode",
214 |         0x2001 : "COMND LE_Set_Event_Mask",
215 |         0x2002 : "COMND LE_Read_Buffer_Size",
216 |         0x2003 : "COMND LE_Read_Local_Supported_Features",
217 |         0x2005 : "COMND LE_Set_Random_Address",
218 |         0x2006 : "COMND LE_Set_Advertising_Parameters",
219 |         0x2007 : "COMND LE_Read_Advertising_Channel_Tx_Power",
220 |         0x2008 : "COMND LE_Set_Advertising_Data",
221 |         0x2009 : "COMND LE_Set_Scan_Responce_Data",
222 |         0x200a : "COMND LE_Set_Advertise_Enable",
223 |         0x200b : "COMND LE_Set_Set_Scan_Parameters",
224 |         0x200c : "COMND LE_Set_Scan_Enable",
225 |         0x200d : "COMND LE_Create_Connection",
226 |         0x200e : "COMND LE_Create_Connection_Cancel ",
227 |         0x200f : "COMND LE_Read_White_List_Size",
228 |         0x2010 : "COMND LE_Clear_White_List",
229 |         0x2011 : "COMND LE_Add_Device_To_White_List",
230 |         0x2012 : "COMND LE_RemoveDevice_From_White_List",
231 |         0x2013 : "COMND LE_Connection_Update",
232 |         0x2014 : "COMND LE_Set_Host_Channel_Classification",
233 |         0x2015 : "COMND LE_Read_Channel_Map",
234 |         0x2016 : "COMND LE_Read_Remote_Used_Features",
235 |         0x2017 : "COMND LE_Encrypt",
236 |         0x2018 : "COMND LE_Rand",
237 |         0x2019 : "COMND LE_Start_Encryption",
238 |         0x201a : "COMND LE_Long_Term_Key_Request_Reply",
239 |         0x201b : "COMND LE_Long_Term_Key_Request_Negative_Reply",
240 |         0x201c : "COMND LE_Read_Supported_States",
241 |         0x201d : "COMND LE_Receiver_Test",
242 |         0x201e : "COMND LE_Transmitter_Test",
243 |         0x201f : "COMND LE_Test_End",
244 |         0x2020 : "COMND LE_Remote_Connection_Parameter_Request_Reply",
245 |         0x2021 : "COMND LE_Remote_Connection_Parameter_Request_Negative_Reply",
246 |         0xfc7e : "COMND VSC_Write_Dynamic_SCO_Routing_Change",
247 |         0xfc57 : "COMND VSC_Write_High_Priority_Connection",
248 |         0xfc4c : "COMND VSC_Write_RAM",
249 |         0xfc4e : "COMND VSC_Launch_RAM",
250 |         0xfc18 : "COMND VSC_Update_UART_Baud_Rate",
251 |         0xfc01 : "COMND VSC_Write_BD_ADDR",
252 |         0xfc1c : "COMND VSC_Write_SCO_PCM_Int_Param",
253 |         0xfc27 : "COMND VSC_Set_Sleepmode_Param",
254 |         0xfc1e : "COMND VSC_Write_PCM_Data_Format_Param",
255 |         0xfc2e : "COMND VSC_Download_Minidriver",
256 |         0xfd53 : "COMND VSC_BLE_VENDOR_CAP",
257 |         0xfd54 : "COMND VSC_BLE_MULTI_ADV",
258 |         0xfd56 : "COMND VSC_BLE_BATCH_SCAN",
259 |         0xfd57 : "COMND VSC_BLE_ADV_FILTER",
260 |         0xfd58 : "COMND VSC_BLE_TRACK_ADV",
261 |         0xfd59 : "COMND VSC_BLE_ENERGY_INFO"
262 |     }
263 | 
264 | def parse(data):
265 |     """
266 |     Parse HCI command
267 | 
268 |     References can be found here:
269 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
270 |     ** [vol 2] Part E (Section 5) - HCI Data Formats
271 |     ** [vol 2] Part E (Section 5.4) - Exchange of HCI-specific information
272 | 
273 |     All integer values are stored in "little-endian" order.
274 | 
275 |     Returns a tuple of (opcode, length, data)
276 |     """
277 |     opcode, length = struct.unpack("<HB", data[:3])
278 |     data = data[3:]
279 |     return opcode, length, data
280 | 
281 | def cmd_to_str(opcode):
282 |     """
283 |     Return a string representing the opcode
284 |     """
285 |     return HCI_COMMANDS[opcode]


--------------------------------------------------------------------------------
/btsnoop/bt/hci_evt.py:
--------------------------------------------------------------------------------
  1 | """
  2 |   Parse hci events
  3 | """
  4 | import struct
  5 | 
  6 | 
  7 | """
  8 | Event codes and names for HCI events
  9 | 
 10 | Event code is 1 byte.
 11 | 
 12 |  0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
 13 | ---------------------------------
 14 | |   event code  |    length     |
 15 | ---------------------------------
 16 | 
 17 | However, LE Meta events adds additional data that needs to be handled.
 18 | 
 19 | LE_META_EVENT:
 20 | 
 21 |  0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
 22 | -------------------------------------------------
 23 | |   event code  |    length     | subevent code |
 24 | -------------------------------------------------
 25 | """
 26 | 
 27 | 
 28 | """
 29 | The HCI LE Meta Event is used to encapsulate all LE Controller specific events.
 30 | The Event Code of all LE Meta Events shall be 0x3E. The Subevent_Code is
 31 | the first octet of the event parameters. The Subevent_Code shall be set to one
 32 | of the valid Subevent_Codes from an LE specific event
 33 | """
 34 | HCI_LE_META_EVENT = 0x3e;
 35 | 
 36 | 
 37 | """
 38 | HCI LE Meta events
 39 | 
 40 | References can be found here:
 41 | * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
 42 | ** [vol 2] Part E (Section 7.7.65) - Le Meta Event
 43 | """
 44 | HCI_LE_META_EVENTS = {
 45 |         0x01 : "EVENT LE_Connection_Complete",
 46 |         0x02 : "EVENT LE_Advertising_Report",
 47 |         0x03 : "EVENT LE_Connection_Update_Complete",
 48 |         0x04 : "EVENT LE_Read_Remote_Used_Features_Complete",
 49 |         0x05 : "EVENT LE_Long_Term_Key_Request",
 50 |         0x06 : "EVENT LE_Remote_Connection_Parameter_Request"
 51 |     }
 52 | 
 53 | 
 54 | """
 55 | HCI Event codes
 56 | 
 57 | References can be found here:
 58 | * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
 59 | ** [vol 2] Part E (Section 7.7) - Events
 60 | """
 61 | HCI_EVENTS = {
 62 |         0x01 : "EVENT Inquiry_Complete",
 63 |         0x02 : "EVENT Inquiry_Result",
 64 |         0x03 : "EVENT Connection_Complete",
 65 |         0x04 : "EVENT Connection_Request",
 66 |         0x05 : "EVENT Disconnection_Complete",
 67 |         0x06 : "EVENT Authentication_Complete",
 68 |         0x07 : "EVENT Remote_Name_Request_Complete",
 69 |         0x08 : "EVENT Encryption_Change",
 70 |         0x09 : "EVENT Change_Connection_Link_Key_Complete",
 71 |         0x0a : "EVENT Master_Link_Key_Complete",
 72 |         0x0b : "EVENT Read_Remote_Supported_Features_Complete",
 73 |         0x0c : "EVENT Read_Remote_Version_Information_Complete",
 74 |         0x0d : "EVENT QoS_Setup_Complete",
 75 |         0x0e : "EVENT Command_Complete",
 76 |         0x0f : "EVENT Command_Status",
 77 |         0x10 : "EVENT Hardware_Error",
 78 |         0x11 : "EVENT Flush_Occurred",
 79 |         0x12 : "EVENT Role_Change",
 80 |         0x13 : "EVENT Number_Of_Completed_Packets",
 81 |         0x14 : "EVENT Mode_Change",
 82 |         0x15 : "EVENT Return_Link_Keys",
 83 |         0x16 : "EVENT PIN_Code_Request",
 84 |         0x17 : "EVENT Link_Key_Request",
 85 |         0x18 : "EVENT Link_Key_Notification",
 86 |         0x19 : "EVENT Loopback_Command",
 87 |         0x1a : "EVENT Data_Buffer_Overflow",
 88 |         0x1b : "EVENT Max_Slots_Change",
 89 |         0x1c : "EVENT Read_Clock_Offset_Complete",
 90 |         0x1d : "EVENT Connection_Packet_Type_Changed",
 91 |         0x1e : "EVENT QoS_Violation",
 92 |         0x20 : "EVENT Page_Scan_Repetition_Mode_Change",
 93 |         0x21 : "EVENT Flow_Specification_Complete",
 94 |         0x22 : "EVENT Inquiry_Result_with_RSSI",
 95 |         0x23 : "EVENT Read_Remote_Extended_Features_Complete",
 96 |         0x2c : "EVENT Synchronous_Connection_Complete",
 97 |         0x2d : "EVENT Synchronous_Connection_Changed",
 98 |         0x2e : "EVENT Sniff_Subrating",
 99 |         0x2f : "EVENT Extended_Inquiry_Result",
100 |         0x30 : "EVENT Encryption_Key_Refresh_Complete",
101 |         0x31 : "EVENT IO_Capability_Request",
102 |         0x32 : "EVENT IO_Capability_Response",
103 |         0x33 : "EVENT User_Confirmation_Request",
104 |         0x34 : "EVENT User_Passkey_Request",
105 |         0x35 : "EVENT Remote_OOB_Data_Request",
106 |         0x36 : "EVENT Simple_Pairing_Complete",
107 |         0x38 : "EVENT Link_Supervision_Timeout_Changed",
108 |         0x39 : "EVENT Enhanced_Flush_Complete",
109 |         0x3b : "EVENT User_Passkey_Notification",
110 |         0x3c : "EVENT Keypress_Notification",
111 |         0x3d : "EVENT Remote_Host_Supported_Features_Notification",
112 |         HCI_LE_META_EVENT : "EVENT LE_Meta_Event",
113 |         0x40 : "EVENT Physical_Link_Complete",
114 |         0x41 : "EVENT Channel_Selected",
115 |         0x42 : "EVENT Disconnection_Physical_Link_Complete",
116 |         0x43 : "EVENT Physical_Link_Loss_Early_Warning",
117 |         0x44 : "EVENT Physical_Link_Recovery",
118 |         0x45 : "EVENT Logical_Link_Complete",
119 |         0x46 : "EVENT Disconnection_Logical_Link_Complete",
120 |         0x47 : "EVENT Flow_Spec_Modify_Complete",
121 |         0x48 : "EVENT Number_Of_Completed_Data_Blocks",
122 |         0x4c : "EVENT Short_Range_Mode_Change_Complete",
123 |         0x4d : "EVENT AMP_Status_Change",
124 |         0x49 : "EVENT AMP_Start_Test",
125 |         0x4a : "EVENT AMP_Test_End",
126 |         0x4b : "EVENT AMP_Receiver_Report",
127 |         0x4e : "EVENT Triggered_Clock_Capture",
128 |         0x4f : "EVENT Synchronization_Train_Complete",
129 |         0x50 : "EVENT Synchronization_Train_Received",
130 |         0x51 : "EVENT Connectionless_Slave_Broadcast_Receive",
131 |         0x52 : "EVENT Connectionless_Slave_Broadcast_Timeout",
132 |         0x53 : "EVENT Truncated_Page_Complete",
133 |         0x54 : "EVENT Slave_Page_Response_Timeout",
134 |         0x55 : "EVENT Connectionless_Slave_Broadcast_Channel_Map_Change",
135 |         0x56 : "EVENT Inquiry_Response_Notification",
136 |         0x57 : "EVENT Authenticated_Payload_Timeout_Expired",
137 |     }
138 | 
139 | 
140 | def parse(data):
141 |     """
142 |     Parse HCI event data
143 | 
144 |     References can be found here:
145 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
146 |     ** [vol 2] Part E (Section 5) - HCI Data Formats
147 |     ** [vol 2] Part E (Section 5.4) - Exchange of HCI-specific information
148 |     ** [vol 2] Part E (Section 7.7) - Events
149 |     ** [vol 2] Part E (Section 7.7.65) - Le Meta Event
150 | 
151 |     All integer values are stored in "little-endian" order.
152 | 
153 |     Returns a tuple of (evtcode, length, subevtcode, data) if LE_Meta_Event,
154 |     else (evtcode, length, data)
155 |     """
156 |     evtcode, length = struct.unpack("<BB", data[:2])
157 |     if evtcode != HCI_LE_META_EVENT:
158 |         return evtcode, length, data[2:]
159 |     else:
160 |         subevtcode = struct.unpack("<B", data[2:3])[0]
161 |         length -= 1 # Subtrackt length of SubEvent code
162 |         return evtcode, length, subevtcode, data[3:]
163 | 
164 | 
165 | def evt_to_str(evtcode):
166 |     """
167 |     Return a string representing the event code
168 |     """
169 |     return HCI_EVENTS[evtcode]


--------------------------------------------------------------------------------
/btsnoop/bt/hci_sco.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Parse HCI SCO packets
 3 | """
 4 | import struct
 5 | import ctypes
 6 | from ctypes import c_uint
 7 | 
 8 | 
 9 | """
10 | SCO handle is 12 bits, followed by 2 bits packet status flags.
11 | 
12 |  0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
13 | -------------------------------------------------
14 | |            handle     |ps |xx |    length     |
15 | -------------------------------------------------
16 | """
17 | class SCO_HEADER_BITS( ctypes.LittleEndianStructure ):
18 |     _fields_ = [("handle",  c_uint,  12),
19 |                 ("ps",      c_uint,  2 ),
20 |                 ("xx",      c_uint,  2 ),
21 |                 ("length",  c_uint,  8)]
22 | 
23 | 
24 | class SCO_HEADER( ctypes.Union ):
25 |     """
26 |     This is a trick for converting bitfields to separate values
27 |     """
28 |     _fields_ = [("b", SCO_HEADER_BITS),
29 |                 ("asbyte", c_uint)]
30 | 
31 | 
32 | def parse(data):
33 |     """
34 |     Parse HCI ACL data
35 | 
36 |     References can be found here:
37 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
38 |     ** [vol 2] Part E (Section 5) - HCI Data Formats
39 |     ** [vol 2] Part E (Section 5.4) - Exchange of HCI-specific information
40 | 
41 |     """
42 |     hdr = SCO_HEADER()
43 |     hdr.asbyte = struct.unpack("<HB", data[:3])[0]
44 |     handle = int(hdr.b.handle)
45 |     ps = int(hdr.b.pb)
46 |     length = int(hdr.b.length)
47 |     return (handle, ps, length, data[3:])
48 | 
49 | 
50 | def ps_to_str(ps):
51 |     """
52 |     Return a string representing the packet status flag
53 |     """
54 |     assert ps in [0, 1, 2, 3]


--------------------------------------------------------------------------------
/btsnoop/bt/hci_uart.py:
--------------------------------------------------------------------------------
 1 | """
 2 |   Parse hci uart information from binary string
 3 | """
 4 | import sys
 5 | import struct
 6 | 
 7 | 
 8 | """
 9 | HCI Packet types for UART Transport layer
10 | Core specification 4.1 [vol 4] Part A (Section 2) - Protocol
11 | """
12 | HCI_CMD = 0x01
13 | ACL_DATA = 0x02
14 | SCO_DATA = 0x03
15 | HCI_EVT = 0x04
16 | 
17 | 
18 | HCI_UART_PKT_TYPES = {
19 |     HCI_CMD : "HCI_CMD",
20 |     ACL_DATA : "ACL_DATA",
21 |     SCO_DATA : "SCO_DATA",
22 |     HCI_EVT : "HCI_EVT"
23 | }
24 | 
25 | 
26 | def parse(data):
27 |     """
28 |     Parse a hci information from the specified data string
29 | 
30 |     There are four kinds of HCI packets that can be sent via the UART Transport
31 |     Layer; i.e. HCI Command Packet, HCI Event Packet, HCI ACL Data Packet
32 |     and HCI Synchronous Data Packet (see Host Controller Interface Functional
33 |     Specification in Volume 2, Part E). HCI Command Packets can only be sent to
34 |     the Bluetooth Host Controller, HCI Event Packets can only be sent from the
35 |     Bluetooth Host Controller, and HCI ACL/Synchronous Data Packets can be
36 |     sent both to and from the Bluetooth Host Controller.
37 | 
38 |     References can be found here:
39 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
40 |     ** [vol 4] Part A (Section 2) Protocol
41 | 
42 |     Returns a tuple (pkt_type, data) with the HCI type and data.
43 |     """
44 |     pkt_type = struct.unpack("<B", data[:1])[0]
45 |     return ( pkt_type, data[1:] )
46 | 
47 | 
48 | def type_to_str(pkt_type):
49 |     """
50 |     Return a string representing the HCI packet type
51 |     """
52 |     assert pkt_type in [HCI_CMD, ACL_DATA, SCO_DATA, HCI_EVT]
53 |     return HCI_UART_PKT_TYPES[pkt_type]


--------------------------------------------------------------------------------
/btsnoop/bt/l2cap.py:
--------------------------------------------------------------------------------
  1 | """
  2 | Parse L2CAP packets
  3 | """
  4 | import struct
  5 | from . import hci_acl
  6 | 
  7 | 
  8 | """
  9 | Fixed channel ids for L2CAP packets
 10 | 
 11 | References can be found here:
 12 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
 13 |     ** [vol 3] Part A (Section 2.1) - Channel identifiers
 14 | """
 15 | L2CAP_CID_NUL = 0x0000
 16 | L2CAP_CID_SCH = 0x0001
 17 | L2CAP_CID_ATT = 0x0004
 18 | L2CAP_CID_LE_SCH = 0x0005
 19 | L2CAP_CID_SMP = 0x0006
 20 | 
 21 | 
 22 | L2CAP_CHANNEL_IDS = {
 23 |         L2CAP_CID_NUL : "L2CAP CID_NUL",
 24 |         L2CAP_CID_SCH : "L2CAP CID_SCH",
 25 |         L2CAP_CID_ATT : "L2CAP CID_ATT",
 26 |         L2CAP_CID_LE_SCH : "L2CAP CID_LE_SCH",
 27 |         L2CAP_CID_SMP : "L2CAP CID_SMP"
 28 |     }
 29 | 
 30 | 
 31 | def parse_hdr(data):
 32 |     """
 33 |     Parse L2CAP packet
 34 | 
 35 |      0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 
 36 |     -----------------------------------------------------------------
 37 |     |            length             |          channel id           |
 38 |     -----------------------------------------------------------------
 39 | 
 40 |     L2CAP is packet-based but follows a communication model based on channels.
 41 |     A channel represents a data flow between L2CAP entities in remote devices.
 42 |     Channels may be connection-oriented or connectionless. Fixed channels
 43 |     other than the L2CAP connectionless channel (CID 0x0002) and the two L2CAP
 44 |     signaling channels (CIDs 0x0001 and 0x0005) are considered connection-oriented.
 45 | 
 46 |     All L2CAP layer packet fields shall use Little Endian byte order with the exception of the 
 47 |     information payload field. The endian-ness of higher layer protocols encapsulated within 
 48 |     L2CAP information payload is protocol-specific
 49 | 
 50 |     References can be found here:
 51 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
 52 |     ** [vol 3] Part A (Section 3) - Data Packet Format
 53 | 
 54 |     Returns a tuple of (length, cid, data)
 55 |     """
 56 |     length, cid = struct.unpack("<HH", data[:4])
 57 |     data = data[4:]
 58 |     return length, cid, data
 59 | 
 60 | 
 61 | """
 62 | Codes and names for L2CAP Signaling Protocol
 63 | """
 64 | L2CAP_SCH_PDUS = {
 65 |         0x01 : "SCH Command reject",
 66 |         0x02 : "SCH Connection request",
 67 |         0x03 : "SCH Connection response",
 68 |         0x04 : "SCH Configure request",
 69 |         0x05 : "SCH Configure response",
 70 |         0x06 : "SCH Disconnection request",
 71 |         0x07 : "SCH Disconnection response",
 72 |         0x08 : "SCH Echo request",
 73 |         0x09 : "SCH Echo response",
 74 |         0x0a : "SCH Information request",
 75 |         0x0b : "SCH Information response",
 76 |         0x0c : "SCH Create Channel request",
 77 |         0x0d : "SCH Create Channel response",
 78 |         0x0e : "SCH Move Channel request",
 79 |         0x0f : "SCH Move Channel response",
 80 |         0x10 : "SCH Move Channel Confirmation",
 81 |         0x11 : "SCH Move Channel Confirmation response",
 82 |         0x12 : "LE SCH Connection_Parameter_Update_Request",
 83 |         0x13 : "LE SCH Connection_Parameter_Update_Response",
 84 |         0x14 : "LE SCH LE_Credit_Based_Connection Request",
 85 |         0x15 : "LE SCH LE_Credit_Based_Connection Response",
 86 |         0x16 : "LE SCH LE_Flow_Control_Credit",
 87 |     }
 88 | 
 89 | 
 90 | def parse_sch(l2cap_data):
 91 |     """
 92 |     Parse the signaling channel data.
 93 | 
 94 |     The signaling channel is a L2CAP packet with channel id 0x0001 (L2CAP CID_SCH)
 95 |     or 0x0005 (L2CAP_CID_LE_SCH)
 96 | 
 97 |      0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
 98 |     -----------------------------------------------------------------
 99 |     |      code     |        id     |             length            |
100 |     -----------------------------------------------------------------
101 | 
102 |     References can be found here:
103 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
104 |     ** [vol 3] Part A (Section 4) - Signaling Packet Formats
105 | 
106 |     Returns a tuple of (code, id, length, data)
107 |     """
108 |     code, id, length = struct.unpack("<BBH", l2cap_data[:4])
109 |     return (code, id, length, l2cap_data[4:])
110 | 
111 | 
112 | PKT_TYPE_PARSERS = { hci_acl.PB_START_NON_AUTO_L2CAP_PDU : parse_hdr,
113 |                      hci_acl.PB_CONT_FRAG_MSG : parse_hdr,
114 |                      hci_acl.PB_START_AUTO_L2CAP_PDU : parse_hdr,
115 |                      hci_acl.PB_COMPLETE_L2CAP_PDU : parse_hdr }
116 | 
117 | 
118 | def parse(l2cap_pkt_type, data):
119 |     """
120 |     Convenience method for switching between parsing methods based on type
121 |     """
122 |     parser = PKT_TYPE_PARSERS[l2cap_pkt_type]
123 |     if parser is None:
124 |         raise ValueError("Illegal L2CAP packet type")
125 |     return parser(data)
126 | 
127 | 
128 | def cid_to_str(cid):
129 |     """
130 |     Return a string representing the L2CAP channel id
131 |     """
132 |     return L2CAP_CHANNEL_IDS[cid]
133 | 
134 | 
135 | def sch_code_to_str(code):
136 |     """
137 |     Return a string representing the signaling channel PDU
138 |     """
139 |     return L2CAP_SCH_PDUS[code]


--------------------------------------------------------------------------------
/btsnoop/bt/smp.py:
--------------------------------------------------------------------------------
 1 | """
 2 | Parse SMP packets
 3 | """
 4 | import struct
 5 | 
 6 | 
 7 | """
 8 | SMP PDUs
 9 | 
10 | References can be found here:
11 |     * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
12 |     ** [vol 3] Part H (Section 3.3) - Command Format
13 | """
14 | SMP_PDUS = {
15 |         0x01 : "SMP Pairing_Request",
16 |         0x02 : "SMP Pairing_Response",
17 |         0x03 : "SMP Pairing_Confirm",
18 |         0x04 : "SMP Pairing_Random",
19 |         0x05 : "SMP Pairing_Failed",
20 |         0x06 : "SMP Encryption_Information",
21 |         0x07 : "SMP Master_Identification",
22 |         0x08 : "SMP Identity_Information",
23 |         0x09 : "SMP Identity_Address Information",
24 |         0x0a : "SMP Signing_Information",
25 |         0x0b : "SMP Security_Request"
26 |     }
27 | 
28 | def parse(data):
29 |     """
30 |     SMP code is the first octet of the PDU
31 | 
32 |      0 1 2 3 4 5 6 7
33 |     -----------------
34 |     |      code     |
35 |     -----------------
36 |     
37 |     References can be found here:
38 |         * https://www.bluetooth.org/en-us/specification/adopted-specifications - Core specification 4.1
39 |         ** [vol 3] Part H (Section 3.3) - Command Format
40 | 
41 |     Return a tuple (code, data)
42 |     """
43 |     code = struct.unpack("<B", data[:1])[0]
44 |     return (code, data[1:])
45 | 
46 | def code_to_str(code):
47 |     """
48 |     Return a string representing the SMP code
49 |     """
50 |     return SMP_PDUS[code]


--------------------------------------------------------------------------------
/btsnoop/btsnoop/__init__.py:
--------------------------------------------------------------------------------
1 | from . import btsnoop


--------------------------------------------------------------------------------
/btsnoop/btsnoop/btsnoop.py:
--------------------------------------------------------------------------------
  1 | """
  2 |   Parse btsnoop_hci.log binary data (similar to wireshark)
  3 |   usage:
  4 |      ./parse.py <filename>
  5 | """
  6 | import datetime
  7 | import sys
  8 | import struct
  9 | 
 10 | 
 11 | """
 12 | Record flags conform to:
 13 |     - bit 0         0 = sent, 1 = received
 14 |     - bit 1         0 = data, 1 = command/event
 15 |     - bit 2-31      reserved
 16 | 
 17 | Direction is relative to host / DTE. i.e. for Bluetooth controllers,
 18 | Send is Host->Controller, Receive is Controller->Host
 19 | """
 20 | BTSNOOP_FLAGS = {
 21 |         0 : ("host", "controller", "data"),
 22 |         1 : ("controller", "host", "data"),
 23 |         2 : ("host", "controller", "command"),
 24 |         3 : ("controller", "host", "event")
 25 |     }
 26 | 
 27 | 
 28 | def parse(filename):
 29 |     """ 
 30 |     Parse a Btsnoop packet capture file.
 31 | 
 32 |     Btsnoop packet capture file is structured as:
 33 |     
 34 |     -----------------------
 35 |     | header              |
 36 |     -----------------------
 37 |     | packet record nbr 1 |
 38 |     -----------------------
 39 |     | packet record nbr 2 |
 40 |     -----------------------
 41 |     | ...                 |
 42 |     -----------------------
 43 |     | packet record nbr n |
 44 |     -----------------------
 45 |     
 46 |     References can be found here:
 47 |     * http://tools.ietf.org/html/rfc1761
 48 |     * http://www.fte.com/webhelp/NFC/Content/Technical_Information/BT_Snoop_File_Format.htm
 49 | 
 50 |     Return a list of records, each holding a tuple of:
 51 |     * sequence nbr
 52 |     * record length (in bytes)
 53 |     * flags
 54 |     * timestamp
 55 |     * data
 56 |     """
 57 |     with open(filename, "rb") as f:
 58 |     
 59 |         # Validate file header
 60 |         (identification, version, type) = _read_file_header(f)
 61 |         _validate_file_header(identification, version, type)
 62 | 
 63 |         # Not using the following data:
 64 |         # record[1] - original length
 65 |         # record[4] - cumulative drops
 66 |         return map(lambda record: 
 67 |             (record[0], record[2], record[3], _parse_time(record[5]), record[6]),
 68 |             _read_packet_records(f))
 69 | 
 70 | 
 71 | def _read_file_header(f):
 72 |     """
 73 |     Header should conform to the following format
 74 |     
 75 |     ----------------------------------------
 76 |     | identification pattern|
 77 |     | 8 bytes                              |
 78 |     ----------------------------------------
 79 |     | version number                   |
 80 |     | 4 bytes                              |
 81 |     ----------------------------------------
 82 |     | data link type = HCI UART (H4)       |
 83 |     | 4 bytes                              |
 84 |     ----------------------------------------
 85 | 
 86 |     All integer values are stored in "big-endian" order, with the high-order bits first.
 87 |     """
 88 |     ident = f.read(8)
 89 |     version, data_link_type = struct.unpack( ">II", f.read(4 + 4) )
 90 |     return (ident, version, data_link_type)
 91 | 
 92 | 
 93 | def _validate_file_header(identification, version, data_link_type):
 94 |     """
 95 |     The identification pattern should be:
 96 |         'btsnoop\0' 
 97 |     
 98 |     The version number should be:
 99 |         1
100 |     
101 |     The data link type can be:
102 |         - Reserved	0 - 1000
103 |         - Un-encapsulated HCI (H1)	1001
104 |         - HCI UART (H4)	1002
105 |         - HCI BSCP	1003
106 |         - HCI Serial (H5)	1004
107 |         - Unassigned	1005 - 4294967295
108 |         
109 |     For SWAP, data link type should be:
110 |         HCI UART (H4)	1002
111 |     """
112 |     assert identification == "btsnoop\0"
113 |     assert version == 1
114 |     assert data_link_type == 1002
115 |     print "Btsnoop capture file version {0}, type {1}".format(version, data_link_type)
116 | 
117 | 
118 | def _read_packet_records(f):
119 |     """
120 |     A record should confirm to the following format
121 |     
122 |     --------------------------
123 |     | original length        |
124 |     | 4 bytes   
125 |     --------------------------
126 |     | included length        |
127 |     | 4 bytes   
128 |     --------------------------
129 |     | packet flags           |
130 |     | 4 bytes   
131 |     --------------------------
132 |     | cumulative drops       |
133 |     | 4 bytes   
134 |     --------------------------
135 |     | timestamp microseconds |
136 |     | 8 bytes
137 |     --------------------------
138 |     | packet data            |
139 |     --------------------------
140 |     
141 |     All integer values are stored in "big-endian" order, with the high-order bits first.
142 |     """
143 |     seq_nbr = 1
144 |     while True:
145 |         pkt_hdr = f.read(4 + 4 + 4 + 4 + 8)
146 |         if not pkt_hdr or len(pkt_hdr) != 24:
147 |             # EOF
148 |             break
149 |     
150 |         orig_len, inc_len, flags, drops, time64 = struct.unpack( ">IIIIq", pkt_hdr)
151 |         assert orig_len == inc_len
152 |         
153 |         data = f.read(inc_len)
154 |         assert len(data) == inc_len
155 |     
156 |         yield ( seq_nbr, orig_len, inc_len, flags, drops, time64, data )
157 |         seq_nbr += 1
158 | 
159 | 
160 | def _parse_time(time):
161 |     """
162 |     Record time is a 64-bit signed integer representing the time of packet arrival, 
163 |     in microseconds since midnight, January 1st, 0 AD nominal Gregorian.
164 | 
165 |     In order to avoid leap-day ambiguity in calculations, note that an equivalent 
166 |     epoch may be used of midnight, January 1st 2000 AD, which is represented in 
167 |     this field as 0x00E03AB44A676000.
168 |     """
169 |     time_betw_0_and_2000_ad = int("0x00E03AB44A676000", 16)
170 |     time_since_2000_epoch = datetime.timedelta(microseconds=time) - datetime.timedelta(microseconds=time_betw_0_and_2000_ad)
171 |     return datetime.datetime(2000, 1, 1) + time_since_2000_epoch
172 | 
173 | 
174 | def flags_to_str(flags):
175 |     """
176 |     Returns a tuple of (src, dst, type)
177 |     """
178 |     assert flags in [0,1,2,3]
179 |     return BTSNOOP_FLAGS[flags]
180 | 
181 | 
182 | def print_hdr():
183 |     """
184 |     Print the script header
185 |     """
186 |     print ""
187 |     print "##############################"
188 |     print "#                            #"
189 |     print "#    btsnoop parser v0.1     #"
190 |     print "#                            #"
191 |     print "##############################"
192 |     print ""
193 | 
194 | 
195 | def main(filename):
196 |     records = parse(filename)
197 |     print records
198 |     return 0
199 | 
200 |     
201 | if __name__ == "__main__":
202 |     if len(sys.argv) < 2:
203 |         print __doc__
204 |         sys.exit(1)
205 |         
206 |     print_hdr()
207 |     sys.exit(main(sys.argv[1]))


--------------------------------------------------------------------------------