
So I am trying to monitor the traffic of an active Bluetooth connection on my PC. I am able to get several pieces of information about the active connection to the remote device, e.g. SOCKADDR_BTH. I thought I could use the port information of the remote device and bind a socket to it in order to monitor the traffic, but the device discovery is not providing the port information, see below:

Device name:WH-1000XM2 Device connected: 65536 Device remembered: 1 Device authenticated: 1 Remote Bluetooth device is 0x702605aba41d, server channel = 0 Local Bluetooth device is 0x84ef18b8460a, server channel = 0

Here is the corresponding code snippet:

/* Preparing the queryset return buffer */
pwsaResults = (LPWSAQUERYSET)buffer;
pwsaResults->dwNameSpace = NS_BTH;
pwsaResults->dwSize = sizeof(WSAQUERYSET);
BTH_QUERY_DEVICE qDev{};
qDev.length = 1;
BLOB blb;
blb.cbSize = sizeof(BTH_QUERY_DEVICE);
blb.pBlobData = reinterpret_cast<PBYTE>(&qDev);
pwsaResults->lpBlob = &blb;

/* LUP_CONTAINERS enumerates devices, not services, so RemoteAddr.port stays 0;
   the flag is spelled LUP_FLUSHCACHE (the original had a typo) */
while (WSALookupServiceNext(hLookup, LUP_RETURN_ADDR | LUP_RETURN_NAME | LUP_CONTAINERS | LUP_RETURN_TYPE | LUP_RES_SERVICE | LUP_FLUSHCACHE, &swSize, pwsaResults) == NO_ERROR)
{
    pAddrInfo       = (CSADDR_INFO*)pwsaResults->lpcsaBuffer;
    pBtSockRemote   = (SOCKADDR_BTH*)(pwsaResults->lpcsaBuffer->RemoteAddr.lpSockaddr);
    pBtSockLocal    = (SOCKADDR_BTH*)(pwsaResults->lpcsaBuffer->LocalAddr.lpSockaddr);

    wprintf(L"Device #:%d\n", nDevicesFound);
    wprintf(L"Device name:%s\n", pwsaResults->lpszServiceInstanceName);
    /* the connected flag is printed as the raw mask value (hence 65536 in the output above);
       the other two flags are normalised to 0/1 */
    wprintf(L"Device connected: %d\n", (pwsaResults->dwOutputFlags & BTHNS_RESULT_DEVICE_CONNECTED));
    wprintf(L"Device remembered: %d\n", (pwsaResults->dwOutputFlags & BTHNS_RESULT_DEVICE_REMEMBERED)>0);
    wprintf(L"Device authenticated: %d\n", (pwsaResults->dwOutputFlags & BTHNS_RESULT_DEVICE_AUTHENTICATED)>0);
    /* GET_NAP/GET_SAP split the 48-bit BTH_ADDR into its 16-bit and 32-bit halves */
    wprintf(L"Remote Bluetooth device is 0x%04x%08x, server channel = %d\n",
        GET_NAP(pBtSockRemote->btAddr), GET_SAP(pBtSockRemote->btAddr), pBtSockRemote->port);
    wprintf(L"Local Bluetooth device is 0x%04x%08x, server channel = %d\n",
        GET_NAP(pBtSockLocal->btAddr), GET_SAP(pBtSockLocal->btAddr), pBtSockLocal->port);

    nDevicesFound++;
}

I was thinking about using WSAIoctl in order to sniff the traffic.

Nawin
  • You cannot capture Bluetooth traffic without special hardware or without developing a filter driver. The "port" in Bluetooth is not bindable (it's not the same as a TCP/IP port). The port in Bluetooth is an RFCOMM channel number. It can be read from SDP if you need. – Mike Petrichenko Dec 24 '18 at 19:12
  • Hey Mike, thanks for the feedback, so you are saying that it's not possible with the WINSOCK API to monitor the traffic of an existing Bluetooth connection? – Nawin Dec 24 '18 at 20:42
  • Yes, that is exactly what I mean. – Mike Petrichenko Dec 24 '18 at 20:58
  • Okay, thanks a lot, do you have a suggestion on how I could achieve my objectives? Should I start digging into Windows driver development? – Nawin Dec 24 '18 at 21:11
  • There are a few ways. The simplest is to use any USB capture tool (if your Bluetooth hardware is connected by USB). Then you can capture all Bluetooth data (of course you have to parse them if the USB capture tool does not do it for you). The other way is to develop a Bluetooth filter driver above the Bluetooth HCI driver. One more is a filter driver above the Bluetooth <-> WinSock DDI. – Mike Petrichenko Dec 24 '18 at 22:15
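The comment above says the RFCOMM channel number (what the question's output shows as "server channel = 0") has to be read from SDP rather than from device discovery. Below is an added example, not code from the question or the commenters, in portable C: it walks an SDP ProtocolDescriptorList (attribute 0x0004) encoded as Bluetooth data elements and returns the uint8 that follows the RFCOMM UUID 0x0003, rejecting truncated or malformed records so a hostile record cannot make it read past the buffer. The record bytes (an L2CAP entry followed by an RFCOMM entry on channel 5) are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

#define RFCOMM_UUID16 0x0003u

/* Decode one SDP data-element header: type in the top 5 bits, size index in the
   low 3 bits. Returns the header length, or 0 if it runs past the buffer. */
static size_t sdp_header(const uint8_t *p, size_t n, unsigned *type, size_t *len)
{
    if (n < 1) return 0;
    unsigned sz = p[0] & 0x07u;
    *type = p[0] >> 3;
    if (*type == 0) { *len = 0; return 1; }                 /* nil element: no payload */
    if (sz < 5) { *len = (size_t)1 << sz; return 1; }       /* 1, 2, 4, 8 or 16 bytes */
    size_t extra = (sz == 5) ? 1 : (sz == 6) ? 2 : 4;       /* explicit length field */
    if (n < 1 + extra) return 0;
    *len = 0;
    for (size_t i = 0; i < extra; i++) *len = (*len << 8) | p[1 + i];
    return 1 + extra;
}

/* Walk a ProtocolDescriptorList and return the server channel (1..30) that follows
   the RFCOMM UUID. Returns -1 if the record is truncated, malformed or has no RFCOMM entry. */
int sdp_find_rfcomm_channel(const uint8_t *p, size_t n)
{
    int after_rfcomm = 0;
    for (size_t off = 0; off < n;) {
        unsigned type; size_t len;
        size_t hl = sdp_header(p + off, n - off, &type, &len);
        if (hl == 0 || len > n - off - hl) return -1;       /* length escapes the buffer */
        const uint8_t *v = p + off + hl;
        int next_after = 0;
        if (type == 6 || type == 7) {                       /* sequence / alternative: recurse */
            int ch = sdp_find_rfcomm_channel(v, len);
            if (ch >= 0) return ch;
        } else if (type == 3 && len == 2) {                 /* UUID16 */
            next_after = (((unsigned)v[0] << 8) | v[1]) == RFCOMM_UUID16;
        } else if (type == 1 && len == 1 && after_rfcomm) { /* 1-byte unsigned int */
            return (v[0] >= 1 && v[0] <= 30) ? v[0] : -1;
        }
        after_rfcomm = next_after;
        off += hl + len;
    }
    return -1;
}

/* Constructed sample record: { {L2CAP 0x0100}, {RFCOMM 0x0003, channel 5} } */
const uint8_t kSampleRecord[] = { 0x35, 0x0C, 0x35, 0x03, 0x19, 0x01, 0x00,
                                  0x35, 0x05, 0x19, 0x00, 0x03, 0x08, 0x05 };
const size_t kSampleRecordLen = sizeof kSampleRecord;
```

On Windows the raw attribute bytes would come from a WSALookupServiceNext call with LUP_RETURN_BLOB against the service class of interest; the parser above only covers the decoding step.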

0 Answers