Language: C, HTML
Google Plus Page: View
Tagged Blog Posts: View
Development Progress: (github)
Latest Stable Release: 1.1.1 (Download)
AboutBluelog is a Linux Bluetooth scanner written to do a single task, log devices that are in discoverable mode. It is intended to be used as a site survey tool, determining how many discoverable Bluetooth devices there are in the area. It has also proven to be very well suited to Bluetooth traffic monitoring applications.
While there are many different Bluetooth scanners available, none I found did exactly what I wanted, most seemed focused on pulling down various bits of information from the target devices (like SDP records). I was also having trouble locating a scanner that didn't have a UI of some sort, which was a problem since I wanted to scan continuously without user intervention. After trying out all of the Linux Bluetooth scanners I could find, I eventually decided to simply write my own.
The more time I spent on Bluelog, the more features I worked into it. Eventually, Bluelog started evolving into a considerably more advanced tool then I initially intended. Still, all of the advanced features are completely optional, and if you chose it can still be used as the simple little scanner it started as.
This page will always have the latest source release of Bluelog, as well as all of the previous releases for archival purposes. As of version 1.0.2, Bluelog is also included in BackTrack Linux and the development version of OpenWRT. Arch Linux users can also find it in the AUR community package repository.
Bluetooth Traffic MonitoringTruth be told, I wasn't actually aware of the concept of Bluetooth traffic monitoring until companies started contacting me about using Bluelog in their products and research. Apparently, Bluelog's specific set of features (constant logging to disk, daemon mode, support for writing to syslog) make it the only open source project that lends itself to traffic monitoring.
The basic idea is that you deploy (at least) two devices running Bluelog along a street at a known distance from each other and let them start scanning. You can then compare the timestamps on discovered devices between them and find average speed and travel time. The advantage of monitoring vehicle traffic with Bluetooth is that you only need to setup the receiving hardware and software, the people you are attempting to track provide the other end of the hardware setup without even knowing it.
For a practical example of using Bluelog for traffic monitoring, take a look at the work being done by the Integreen project in Bolzano, Italy.
Bluelog's use in traffic monitoring inspired my own successful research project, Operation Street Sweep.
Supported HardwareBluelog should work with any USB Bluetooth device supported under Linux. I have tested it with the integrated Bluetooth hardware on Dell laptops, ridiculously cheap adapters from DealExtreme, and high-end devices like the AIRcable Host XR. Obviously more powerful devices will be able to detect targets at greater range, but scan speed is going to be the same no matter what you use. More powerful devices should help with name resolution though, for the simple fact that extended range will give you a larger window of time in which to receive a name query response (assuming the target, or your machine, is mobile).
There is also support for using different Bluetooth devices, such as in the case where you might have a powerful external Bluetooth device connected to a machine that has an internal Bluetooth radio, and want to scan with the better hardware. An alternate device is specified with the "-d" option, and can be given as either an HCI device (hci0, hci1, etc) or with the MAC of the device you wish to scan with. Note that Bluelog will fall back on automatic detection if the device you give it doesn't exist. This is an intentional feature to make Bluelog more reliable in automated setups, but can be tricky if you aren't reading the status messages. Be careful you don't pass the wrong device and end up scanning with your low-power radio accidentally.
Basic LoggingIf you want to use Bluelog to perform some simple scanning and logging, you technically don't even need to pass it any arguments, though some are helpful. Consider this simple scan:
In this case, Bluelog was run with the "verbose", "timestamp", and "name" options, which caused discovered devices to be shown in the terminal as well as having the time of their discovery logged along with MAC and device name.
bash:~# bluelog -vtn -o ./example.log Bluelog (v0.9.9) by MS3FGX --------------------------- Autodetecting device...OK Opening output file: ./example.log...OK Writing PID file: /tmp/bluelog.pid...OK Scan started at [06/20/10 16:58:13] on 00:16:41:B4:9E:1C. Hit Ctrl+C to end scan. [05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a,0x5a0204 [05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600,0x5a0204 [05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b,0x5a0204 Closing files and freeing memory...OK Done!
I also chose to write the log to an alternate file, in this case "example.log". If we check the contents of that file we can see Bluelog's (very basic) output format:
bash:~# cat ./example.log [05/12/10 16:58:13] Scan started on 00:16:41:B4:19:1C [05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a [05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600 [05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b [05/12/10 16:58:35] Scan ended.
Customized LoggingBluelog features multiple options for configuring the log file, all of which are optional but could be helpful depending on how you intend on parsing the resulting data. As of the current version, Bluelog supports the following logging options (check the Bluelog MAN page or README for a complete list of options):
This option will set the log format so that the resulting data is suitable for upload to ronin's Bluetooth Profiling Project (BlueProPro). This overrides most other logging options and disables Bluelog Live. For more information on this project, and the additional steps required to submit your data for inclusion, visit: www.hackfromacave.com
This option toggles writing the raw device class to the log file. Enabling this option disables the -f option. Default is disabled.
This option takes the device class and interprets it into a more human friendly format. It will tell you what class the device is and also what it's core capabilities are. For example, the class "0x7a020c" would appear as: "Smart Phone,(Net Capture Obex Audio Phone)". Enabling this option disables the -c option. Default is disabled.
Use this option to toggle displaying device names for discovered devices. Finding the device name takes extra time during scanning, and occasionally fails. Therefore by not resolving device names, Bluelog can scan faster and more accurately. Default is disabled.
This option turns off the actual log file, and instead redirects all output to syslog. Using this option allows you to do things such as scan on devices which may not have enough local storage to hold the logs, or do centralized logging with multiple Bluelog scanning nodes.
Use this option to toggle displaying timestamps for both the start and end of the scan and each new device found in the log file. Default is disabled.
Use this option to toggle MAC address obfuscation. This allows you to release your log files without (completely) compromising the identity of the scanned devices. Default is disabled.
Bluelog Live"Bluelog Live" is an advanced mode in which Bluelog generates a web page of it's results which you can host with the HTTP daemon of your choice (Apache, lighttpd, etc). The idea is that showing results on an easy to read web page helps the less technically inclined understand the implications of discoverable Bluetooth devices out in the wild. Showing somebody a parse log file might not get their attention, but a real-time web page showing the same information is likely to generate a better response.
You could also use "Bluelog Live" as a public awareness tool at a convention or other public place were security-concious individuals might be gathering. Indeed, the "Wall of Sheep" was one of my primary inspirations for implementing the Live functionality in Bluelog.
Bluelog Live ThemesBluelog Live is fully skinnable through CSS, so you can make your own layout for whatever application or event you wish. Themes currently included with Bluelog are:
Pwnie Express Pwn Plug:
Bluelog in the NewsWell, that might be a stretch. But Bluelog has gained a bit of popularity since I released it publicly. It was mentioned on the September 24th, 2010 edition of Space Rogue's (now defunct) Hacker News Network:
The 0.9.7 release also hit the front page of PacketStorm as their featured file for November 2nd, 2010:
Developer Paolo Valleri gave a talk on his work on Bluetooth traffic monitoring project at FOSDEM 2013 , which mentioned the successful integration of Bluelog: