
Bluelog

Platform: GNU/Linux
Language: C, HTML
License: GPLv2
Dependencies: BlueZ
Google Plus Page
Tagged Blog Posts
Development Progress: github
Latest Stable Release: 1.1.2 (Download) (Mirror)

About

Bluelog is a Linux Bluetooth scanner with optional daemon mode and web front-end, designed for site surveys and traffic monitoring. It's intended to be run for long periods of time in a static location to determine how many discoverable Bluetooth devices there are in the area.

While there are many different Bluetooth scanners available, none I found did exactly what I wanted; most seemed focused on pulling down various bits of information from the target devices (like SDP records). I was also having trouble locating a scanner that didn't have a UI of some sort, which was a problem since I wanted to scan continuously without user intervention. After trying out all of the Linux Bluetooth scanners I could find, I eventually decided to simply write my own.

The more time I spent on Bluelog, the more features I worked into it. Eventually, Bluelog started evolving into a considerably more advanced tool than I initially intended. Still, all of the advanced features are completely optional, and if you choose, it can still be used as the simple little scanner it started as.

This page will always have the latest source release of Bluelog, as well as all of the previous releases for archival purposes. As of version 1.0.2, Bluelog is also included in BackTrack Linux and the development version of OpenWRT. Arch Linux users can also find it in the AUR community package repository.

Bluetooth Traffic Monitoring

Truth be told, I wasn't actually aware of the concept of Bluetooth traffic monitoring until companies started contacting me about using Bluelog in their products and research. Apparently, Bluelog's specific set of features (constant logging to disk, daemon mode, support for writing to syslog) make it the only open source project that lends itself to traffic monitoring.

The basic idea is that you deploy (at least) two devices running Bluelog along a street at a known distance from each other and let them start scanning. You can then compare the timestamps on discovered devices between them and find average speed and travel time. The advantage of monitoring vehicle traffic with Bluetooth is that you only need to set up the receiving hardware and software; the people you are attempting to track provide the other end of the hardware setup without even knowing it.

For a practical example of using Bluelog for traffic monitoring, take a look at the work being done by the Integreen project in Bolzano, Italy.

Bluelog's use in traffic monitoring inspired my own successful research project, Operation Street Sweep.

Supported Hardware

Bluelog should work with any USB Bluetooth device supported under Linux. I have tested it with the integrated Bluetooth hardware on Dell laptops, ridiculously cheap adapters from DealExtreme, and high-end devices like the AIRcable Host XR. Obviously more powerful devices will be able to detect targets at greater range, but scan speed is going to be the same no matter what you use. More powerful devices should help with name resolution though, for the simple fact that extended range will give you a larger window of time in which to receive a name query response (assuming the target, or your machine, is mobile).

There is also support for using different Bluetooth devices, such as in the case where you might have a powerful external Bluetooth device connected to a machine that has an internal Bluetooth radio, and want to scan with the better hardware. An alternate device is specified with the "-d" option, and can be given as either an HCI device (hci0, hci1, etc.) or with the MAC of the device you wish to scan with. Note that Bluelog will fall back on automatic detection if the device you give it doesn't exist. This is an intentional feature to make Bluelog more reliable in automated setups, but can be tricky if you aren't reading the status messages. Be careful you don't pass the wrong device and end up accidentally scanning with your low-power radio.

Basic Logging

If you want to use Bluelog to perform some simple scanning and logging, you technically don't even need to pass it any arguments, though some are helpful. Consider this simple scan:

bash:~# bluelog -vtn -o ./example.log
Bluelog (v0.9.9) by MS3FGX
---------------------------
Autodetecting device...OK
Opening output file: ./example.log...OK
Writing PID file: /tmp/bluelog.pid...OK
Scan started at [06/20/10 16:58:13] on 00:16:41:B4:9E:1C.
Hit Ctrl+C to end scan.
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a,0x5a0204
[05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600,0x5a0204
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b,0x5a0204
Closing files and freeing memory...OK
Done!

In this case, Bluelog was run with the "verbose", "timestamp", and "name" options, which caused discovered devices to be shown in the terminal, and the time of their discovery to be logged along with their MAC and device name.

I also chose to write the log to an alternate file, in this case "example.log". If we check the contents of that file we can see Bluelog's (very basic) output format:

bash:~# cat ./example.log 
[05/12/10 16:58:13] Scan started on 00:16:41:B4:19:1C
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a
[05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b
[05/12/10 16:58:35] Scan ended.
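The log format above is simple enough to parse with one regular expression, and it is exactly what the two-node traffic monitoring idea from earlier on this page needs. As an added example (my code, not part of Bluelog or this page), here is a Python script that reads two Bluelog -t logs from nodes a known distance apart, matches the MACs seen by both, and reports travel direction, transit time and average speed. Node A reuses the log lines shown above; node B's log, the 500 m spacing, and the "first sighting per node" matching rule are constructed assumptions.

```python
import re
from datetime import datetime

# A Bluelog log written with -t (and optionally -n/-c) looks like
#   [MM/DD/YY HH:MM:SS] MAC,name,class
# plus "Scan started on ..." / "Scan ended." lines, which carry no device MAC.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})(?:,(?P<rest>.*))?$"
)
TS_FMT = "%m/%d/%y %H:%M:%S"


def parse_log(text):
    """Map each MAC in a Bluelog -t log to the time it was first seen.

    Scan start/end lines and anything that does not match the format are
    skipped; the earliest sighting is kept if a MAC appears more than once.
    """
    first_seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        mac = m.group("mac")
        if mac not in first_seen or ts < first_seen[mac]:
            first_seen[mac] = ts
    return first_seen


def travel_times(log_a, log_b, distance_m):
    """Correlate two nodes' logs. Returns {mac: (direction, seconds, km/h)}.

    distance_m is the measured spacing between node A and node B. A device
    seen at both nodes in the same second is dropped: that is clock skew or
    overlapping scan range, not a measurable transit.
    """
    seen_a, seen_b = parse_log(log_a), parse_log(log_b)
    result = {}
    for mac in seen_a.keys() & seen_b.keys():
        seconds = (seen_b[mac] - seen_a[mac]).total_seconds()
        if seconds == 0:
            continue
        direction = "A->B" if seconds > 0 else "B->A"
        seconds = abs(seconds)
        result[mac] = (direction, seconds, round(distance_m * 3.6 / seconds, 1))
    return result


# Node A: the log lines shown above on this page. Node B: a constructed log
# for a second scanner 500 m down the road; two phones pass A->B, one B->A.
LOG_A = """\
[05/12/10 16:58:13] Scan started on 00:16:41:B4:19:1C
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a
[05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b
[05/12/10 16:58:35] Scan ended.
"""
LOG_B = """\
[05/12/10 16:58:10] Scan started on 00:16:41:B4:9E:1C
[05/12/10 16:58:15] 00:1B:AF:DB:CB:9E,Nokia 6555b
[05/12/10 16:58:57] 00:1C:62:9E:5D:B8,LG CU575a
[05/12/10 16:59:03] 00:21:FE:7C:B5:33,Nokia 2600
[05/12/10 16:59:35] Scan ended.
"""
NODE_SPACING_M = 500  # constructed: measured distance between the two nodes

if __name__ == "__main__":
    for mac, (direction, secs, kmh) in sorted(
        travel_times(LOG_A, LOG_B, NODE_SPACING_M).items()
    ):
        print(f"{mac}  {direction}  {secs:5.0f} s  {kmh:6.1f} km/h")
```

Two practical caveats the script surfaces: the timestamps come from each node's own clock, so both machines need NTP (or some other synchronisation) before a 30-second difference means anything, and a MAC seen at both ends within the same second is more likely scan-range overlap or skew than a vehicle, which is why it is dropped rather than reported as an infinite speed.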

Customized Logging

Bluelog features multiple options for configuring the log file, all of which are optional but could be helpful depending on how you intend to parse the resulting data. As of the current version, Bluelog supports the following logging options (check the Bluelog MAN page or README for a complete list of options):

-b

This option will set the log format so that the resulting data is suitable for upload to ronin's Bluetooth Profiling Project (BlueProPro). This overrides most other logging options and disables Bluelog Live. For more information on this project, and the additional steps required to submit your data for inclusion, visit: www.hackfromacave.com

-c

This option toggles writing the raw device class to the log file. Enabling this option disables the -f option. Default is disabled.

-f

This option takes the device class and interprets it into a more human-friendly format. It will tell you what class the device is and also what its core capabilities are. For example, the class "0x7a020c" would appear as: "Smart Phone,(Net Capture Obex Audio Phone)". Enabling this option disables the -c option. Default is disabled.
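To make the -c/-f distinction concrete, here is an added Python decoder (my own code, not Bluelog's source) for the 24-bit Bluetooth Class of Device value that -c writes raw: bits 13-23 are the major service class flags, bits 8-12 the major device class and bits 2-7 the minor device class. The bit assignments are the standard Bluetooth ones; the label strings are my own choice, picked so that the page's example 0x7a020c comes out as "Smart Phone,(Net Capture Obex Audio Phone)". Bluelog's wording for other classes may differ from mine.

```python
# Bluetooth Class of Device (CoD) layout, 24 bits, format type 0 (bits 0-1 == 00):
#   bits 13-23  major service classes (one flag per bit)
#   bits  8-12  major device class
#   bits  2-7   minor device class (meaning depends on the major class)
# Bit positions are the standard assignments; the short labels below are my
# own, chosen to reproduce the page's "0x7a020c" example. (Added example.)
SERVICE_BITS = [
    (13, "Limited"), (16, "Positioning"), (17, "Net"), (18, "Render"),
    (19, "Capture"), (20, "Obex"), (21, "Audio"), (22, "Phone"), (23, "Info"),
]
MAJOR_CLASSES = {
    0: "Misc", 1: "Computer", 2: "Phone", 3: "LAN/AP", 4: "Audio/Video",
    5: "Peripheral", 6: "Imaging", 7: "Wearable", 8: "Toy", 9: "Health",
    31: "Uncategorized",
}
# Minor classes for the two major classes that dominate a typical scan log.
COMPUTER_MINOR = {
    0: "Computer", 1: "Desktop", 2: "Server", 3: "Laptop",
    4: "Handheld PC/PDA", 5: "Palm PC/PDA", 6: "Wearable Computer", 7: "Tablet",
}
PHONE_MINOR = {
    0: "Phone", 1: "Cellular", 2: "Cordless", 3: "Smart Phone",
    4: "Wired Modem", 5: "ISDN",
}


def describe_class(cod):
    """Render a raw CoD (int or '0x...' string) in the style of the -f option.

    Returns "<device>,(<service flags>)". Raises ValueError when the
    format-type bits are not 00, because such values use a different layout
    and decoding them with this table would produce a confident wrong answer.
    """
    if isinstance(cod, str):
        cod = int(cod, 16)
    if cod & 0x3:
        raise ValueError(f"unsupported CoD format type in {cod:#08x}")
    major = (cod >> 8) & 0x1F
    minor = (cod >> 2) & 0x3F
    # Service flags are listed in ascending bit order, as in the page's example.
    services = [name for bit, name in SERVICE_BITS if cod & (1 << bit)]
    if major == 2:
        device = PHONE_MINOR.get(minor, "Phone")
    elif major == 1:
        device = COMPUTER_MINOR.get(minor, "Computer")
    else:
        device = MAJOR_CLASSES.get(major, f"Unknown({major})")
    return f"{device},({' '.join(services)})"


if __name__ == "__main__":
    # 0x7a020c is the page's example; 0x5a0204 is the class logged for the
    # phones in the scan session shown earlier on this page.
    for raw in ("0x7a020c", "0x5a0204"):
        print(raw, "->", describe_class(raw))
```

Running it on the 0x5a0204 value from the terminal session earlier on the page yields "Cellular,(Net Capture Obex Phone)", which is what you would expect of the Nokia feature phones in that log: a phone that advertises networking, capture, OBEX object transfer and telephony but no audio profile.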

-n

Use this option to toggle displaying device names for discovered devices. Finding the device name takes extra time during scanning, and occasionally fails. Therefore, by not resolving device names, Bluelog can scan faster and more accurately. Default is disabled.

-s

This option turns off the actual log file, and instead redirects all output to syslog. Using this option allows you to do things such as scan on devices which may not have enough local storage to hold the logs, or do centralized logging with multiple Bluelog scanning nodes.

-t

Use this option to toggle displaying timestamps for both the start and end of the scan and each new device found in the log file. Default is disabled.

-x

Use this option to toggle MAC address obfuscation. This allows you to release your log files without (completely) compromising the identity of the scanned devices. Default is disabled.
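The page does not describe how -x obfuscates addresses, so what follows is an added example of one sound way to prepare a log for release (my code, not Bluelog's): every MAC is replaced by a keyed HMAC-SHA256 pseudonym. A plain unkeyed hash would not do the job, because a 48-bit MAC (24 bits once the vendor prefix is known) can be enumerated and hashed in seconds; with a secret key, the same device still maps to the same pseudonym across all of your nodes, so the traffic-monitoring correlation keeps working, but someone holding only the released file cannot recover the original address. The sample lines reuse the log shown earlier on this page, the key is a constructed placeholder, and the keep_oui option (retain the vendor prefix so the device make stays visible) is my own.

```python
import hashlib
import hmac
import re

# Matches a colon-separated MAC anywhere in a line (device entries and the
# "Scan started on <adapter MAC>" line alike).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def pseudonymize_mac(mac, key, keep_oui=True):
    """Replace a MAC with a keyed pseudonym (HMAC-SHA256, truncated to fit).

    Same key + same address -> same pseudonym, so sightings from different
    nodes still line up. keep_oui leaves the 3-byte vendor prefix intact and
    pseudonymizes only the device-specific half; pass keep_oui=False when the
    vendor itself should not be released either.
    """
    mac = mac.upper()
    digest = hmac.new(key, mac.encode(), hashlib.sha256).digest()
    n_fake = 3 if keep_oui else 6
    fake = ":".join(f"{b:02X}" for b in digest[:n_fake])
    return (mac[:9] + fake) if keep_oui else fake


def pseudonymize_log(text, key, keep_oui=True):
    """Rewrite every MAC in a Bluelog log; everything else (timestamps,
    names, classes) is left untouched."""
    return MAC_RE.sub(lambda m: pseudonymize_mac(m.group(0), key, keep_oui), text)


# Sample input: the log lines shown earlier on this page. The key is a
# constructed placeholder; in practice generate one per deployment, keep it
# with the scanning nodes, and never ship it alongside the released log.
SAMPLE_LOG = """\
[05/12/10 16:58:13] Scan started on 00:16:41:B4:19:1C
[05/12/10 16:58:27] 00:1C:62:9E:5D:B8,LG CU575a
[05/12/10 16:58:27] 00:21:FE:7C:B5:33,Nokia 2600
[05/12/10 16:58:30] 00:1B:AF:DB:CB:9E,Nokia 6555b
[05/12/10 16:58:35] Scan ended.
"""
RELEASE_KEY = b"CONSTRUCTED-DEMO-KEY-replace-me"

if __name__ == "__main__":
    print(pseudonymize_log(SAMPLE_LOG, RELEASE_KEY))
```

Note that the device name column is left as-is, and a name such as a personal first name on a phone can identify its owner just as well as the address; if you publish survey logs, consider whether -n should be off for that run, or strip the name column in the same pass.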

Bluelog Live

"Bluelog Live" is an advanced mode in which Bluelog generates a web page of its results which you can host with the HTTP daemon of your choice (Apache, lighttpd, etc.). The idea is that showing results on an easy to read web page helps the less technically inclined understand the implications of discoverable Bluetooth devices out in the wild. Showing somebody a parsed log file might not get their attention, but a real-time web page showing the same information is likely to generate a better response.

You could also use "Bluelog Live" as a public awareness tool at a convention or other public place where security-conscious individuals might be gathering. Indeed, the "Wall of Sheep" was one of my primary inspirations for implementing the Live functionality in Bluelog.

Bluelog Live Themes

Bluelog Live is fully skinnable through CSS, so you can make your own layout for whatever application or event you wish. Themes currently included with Bluelog are:

DigiFAIL (theme screenshot)

Pwnie Express Pwn Plug (theme screenshot)

BackTrack Linux (theme screenshot)

OpenWRT (theme screenshot)

Bluelog in the News

Well, that might be a stretch. But Bluelog has gained a bit of popularity since I released it publicly. It was mentioned on the September 24th, 2010 edition of Space Rogue's (now defunct) Hacker News Network.

The 0.9.7 release also hit the front page of PacketStorm as their featured file for November 2nd, 2010.

Developer Paolo Valleri gave a talk on his Bluetooth traffic monitoring project at FOSDEM 2013, which mentioned the successful integration of Bluelog.

Downloads

Filename              MD5                               Size  Date
bluelog-1.1.2.tar.gz  614d0fe65bae68acff1d33d9f86e4805  112K  2013-11-01
bluelog-1.1.1.tar.gz  5a8bb5f397f9bbc224d1d37bf5a8ab6b  104K  2013-03-31
bluelog-1.1.0.tar.gz  a5327d64731cd45debb57ab1edbe6e43   96K  2012-12-24
bluelog-1.0.4.tar.gz  2791fbb0333b0b414a4d2230c1e9e8e6   96K  2012-06-18
bluelog-1.0.3.tar.gz  cbbb5a7d04ac7160f3f7389e05cd4257   84K  2012-05-14
bluelog-1.0.2.tar.gz  f406d47ec94970be219cbb38f49402f9   64K  2012-02-10
bluelog-1.0.1.tar.gz  5761667f370556dd76cba5200027d028   64K  2012-01-31
bluelog-1.0.0.tar.gz  a55ae4aade776d3412ae90dcc57f4e0c   76K  2011-12-19
bluelog-0.9.9.tar.gz  bf993816df7ec1e7b1759ea2c70b82c4   60K  2011-05-15
bluelog-0.9.8.tar.gz  67a7fa622368663514fd51a32aa13884   56K  2010-11-30
bluelog-0.9.7.tar.gz  c2f7cbd3471c1c5e28c760524233af5f   56K  2010-10-29
bluelog-0.9.6.tar.gz  2708480462c59ee983dddee1f75b2611   48K  2010-07-11
bluelog-0.9.5.tar.gz  05ff4f841910ef3eda8e1bfd42220b89   44K  2010-06-21
bluelog-0.9.4.tar.gz  1221e57d376a6be92afcb5be280688c9   36K  2010-06-18
bluelog-0.9.3.tar.gz  faa4a3a237e85d72fc0906640f19cbc8   20K  2010-06-16
bluelog-0.9.2.tar.gz  37556a1acd1873f5031a1d2dc656dcb0   12K  2010-06-13
bluelog-0.9.1.tar.gz  6ce04dbd928cb497f087de112b2d3b6b   12K  2010-05-10