While trying to study BLE I am wondering if it is possible to analyse it through tools like Wireshark and snort? I came across one by the name "ubertooth" but that's a USB device which needs to be purchased in order for us to do DPI on BLE frames, right? Is it possible to capture and analyse BLE frames on Wireshark?
Yes, it's possible to use Wireshark to analyse BLE packets, but you will need additional hardware. Sniffing a connection requires support from the baseband layer, which is implemented inside the Bluetooth chipset. The software of the chipset inside your computer doesn't support sniffing, so you'll need another chipset whose software you can control.
I use the nRF51 Dongle, which is a dev kit for the nRF51, a BLE + Cortex M0 SoC from Nordic Semi. Nordic provides firmware for this board that turns it into a sniffer. They also provide an application for Windows that communicates with that firmware over USB to get back the sniffing data, and that formats it in a way understandable for Wireshark.
If you're on Windows you can just use the tools provided by Nordic on this page, and follow the instructions in the User Guide.
Edit 2018-10: Nordic have released a Mac and Linux app in beta to support their sniffer, so the rest of this post shouldn't be necessary any more. You can download the new tool here.
Then, once everything is working and you are piping packets to Wireshark, you can use all the awesome Wireshark built-in filters for Bluetooth and BLE: btatt, btl2cap, btle, ...
Original post
If, like me, you are on Mac, you'll need:
- RKNRFGO to program the custom firmware
- nrf-ble-sniffer-osx to communicate with it and pipe the packets to Wireshark.
The nrf-ble-sniffer-osx Wiki explains how to set it up. Thanks to Roland King for making these tools.
Two important caveats for the Mac setup:
- Install Wireshark before nrf-ble-sniffer-osx. That's because nrf-ble-sniffer-osx needs to install some additional filters for Wireshark so that it can decode the headers that the Nordic firmware adds to packets, and it won't do it if Wireshark is installed afterwards.
- Use Wireshark version 1.12. At the time of writing, no newer version worked with this setup. Yes, that means you'll have to use XQuartz.
If you're on Linux, it looks like it's also possible to use this dongle, but I haven't tried it.
BLE is supported on most Android devices. You can record Bluetooth packets simply by going to Developer Options -> Enable Bluetooth HCI snoop log. The log will be saved at /sdcard/btsnoop_hci.log. This won't work, however, if your goal is to passively monitor; it only captures traffic to and from your device.
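The snoop log that option produces is in the BTSnoop format (an 8-byte magic, version 1, datalink 1002 for HCI H4, then fixed 24-byte record headers). The script below is an added example, not part of the answer above: it builds a small constructed log in memory so it runs offline, and the same parse_btsnoop() function can be pointed at a real btsnoop_hci.log pulled from a phone. The epoch-offset constant is the one used by btsnoop-aware tools to turn the record timestamps into Unix time; treat it as an assumption if you need exact wall-clock times, since record ordering does not depend on it.

```python
"""Walk an Android btsnoop_hci.log (BTSnoop v1, HCI H4 datalink) and summarise each HCI packet.
Added example with constructed sample data; not code from the original thread."""
import struct
from datetime import datetime, timedelta, timezone

BTSNOOP_MAGIC = b"btsnoop\x00"
DATALINK_HCI_H4 = 1002          # every packet is prefixed with one H4 packet-type byte
# Microseconds from the BTSnoop epoch (0 AD) to 1970-01-01 (assumed; the constant
# btsnoop readers use for this conversion).
BTSNOOP_EPOCH_OFFSET_US = 0x00DCDDB30F2F8000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
H4_TYPES = {0x01: "HCI Command", 0x02: "ACL Data", 0x03: "SCO Data", 0x04: "HCI Event"}


def _bdaddr(raw):
    """HCI carries addresses little-endian; print them in the usual order."""
    return ":".join(f"{b:02x}" for b in reversed(raw))


def decode_hci(pkt):
    """Extract the fields a first pass over the log usually wants."""
    kind = pkt[0]
    if kind == 0x01:                                   # command: opcode (2 LE), param length
        opcode = int.from_bytes(pkt[1:3], "little")
        return {"opcode": f"0x{opcode:04x}", "ogf": opcode >> 10, "ocf": opcode & 0x3FF}
    if kind == 0x04:                                   # event: code, param length, params
        info = {"event": f"0x{pkt[1]:02x}"}
        if pkt[1] == 0x3E and len(pkt) > 14 and pkt[3] == 0x02:   # LE Meta: Advertising Report
            info["addr_type"] = "random" if pkt[6] == 1 else "public"
            info["adv_addr"] = _bdaddr(pkt[7:13])
            data_len = pkt[13]
            info["adv_data"] = pkt[14:14 + data_len]
            info["rssi"] = struct.unpack("b", pkt[14 + data_len:15 + data_len])[0]
        return info
    if kind == 0x02:                                   # ACL: handle+flags (2 LE), length (2 LE), L2CAP
        handle_flags = int.from_bytes(pkt[1:3], "little")
        return {"handle": handle_flags & 0x0FFF, "l2cap_cid": int.from_bytes(pkt[7:9], "little")}
    return {}


def parse_btsnoop(data):
    """Return one dict per record; raises ValueError on a bad header or truncated record."""
    if data[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", data[8:16])
    if version != 1 or datalink != DATALINK_HCI_H4:
        raise ValueError(f"unsupported btsnoop version {version} / datalink {datalink}")
    off, records = 16, []
    while off + 24 <= len(data):
        _orig_len, incl_len, flags, _drops, ts = struct.unpack(">IIIIq", data[off:off + 24])
        off += 24
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) != incl_len:
            raise ValueError("truncated record")
        rec = {"time": UNIX_EPOCH + timedelta(microseconds=ts - BTSNOOP_EPOCH_OFFSET_US),
               "direction": "rx" if flags & 1 else "tx",      # bit 0: 1 = controller -> host
               "type": H4_TYPES.get(pkt[0], f"unknown 0x{pkt[0]:02x}")}
        rec.update(decode_hci(pkt))
        records.append(rec)
    return records


def build_record(payload, sent, unix_us):
    """Encode one record; all header fields are big-endian."""
    flags = 0 if sent else 1
    if payload[0] in (0x01, 0x04):
        flags |= 2                                     # bit 1: command/event rather than data
    return struct.pack(">IIIIq", len(payload), len(payload), flags, 0,
                       BTSNOOP_EPOCH_OFFSET_US + unix_us) + payload


def sample_log():
    """Constructed log: LE Set Scan Enable, its Command Complete, one advertising report
    from a (made-up) random address c0:11:22:33:44:55, and an ATT Read Request over ACL."""
    t = 1_600_000_000_000_000
    cmd_scan_enable = bytes.fromhex("01 0c 20 02 01 00")
    evt_cmd_complete = bytes.fromhex("04 0e 04 01 0c 20 00")
    evt_adv_report = bytes.fromhex("04 3e 0f 02 01 00 01 55 44 33 22 11 c0 03 02 01 06 c4")
    acl_att_read = bytes.fromhex("02 40 20 07 00 03 00 04 00 0a 03 00")
    return (BTSNOOP_MAGIC + struct.pack(">II", 1, DATALINK_HCI_H4)
            + build_record(cmd_scan_enable, True, t)
            + build_record(evt_cmd_complete, False, t + 1_000)
            + build_record(evt_adv_report, False, t + 250_000)
            + build_record(acl_att_read, True, t + 400_000))


if __name__ == "__main__":
    for r in parse_btsnoop(sample_log()):
        print(r["time"].isoformat(), r["direction"], r["type"],
              {k: v for k, v in r.items() if k not in ("time", "direction", "type")})
```

Because the log is written by the host stack, it only ever contains what passed over the HCI interface: your own commands, the controller's events (including advertising reports for devices in range) and ACL data for your own connections, which is exactly why it cannot stand in for a passive sniffer.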
> Is it possible to capture and analyse BLE frames on Wireshark?
If you've somehow managed to capture Bluetooth LE traffic into a pcap or pcapng file with a link-layer header type of LINKTYPE_BLUETOOTH_LE_LL or LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR, you can analyze them.
However, the Wireshark Wiki page on capturing Bluetooth traffic speaks only of
- capturing traffic to and from your machine on Linux;
- passively capturing third-party traffic with Ubertooth;
so, whilst you may be able to analyze the traffic with Wireshark, you might not be able to capture it with Wireshark. As Josh Baker noted, you can capture from a named pipe and pipe the output of the ubertooth-btle tool to Wireshark. (It would be nice if there were a libpcap module for Ubertooth, so that you could capture more directly with Wireshark.)
But if you don't want to buy an Ubertooth device, you may not be able to capture the Bluetooth LE traffic.
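To make the link-layer types named in this answer concrete, here is an added example (not code from the thread or from the Ubertooth project) that writes and reads a pcap file whose link-layer header type is LINKTYPE_BLUETOOTH_LE_LL (DLT 251): each record is the access address, the PDU header and payload, and the 3-byte CRC, which is what Wireshark's btle dissector expects. The two ADV_IND frames, the random address c0:11:22:33:44:55 and the device name are constructed; the CRC routine follows the Core specification's description of the link-layer LFSR (polynomial x^24 + x^10 + x^9 + x^6 + x^4 + x^3 + x + 1, preset 0x555555 on the advertising channels, PDU bits LSB first). The handling of the _WITH_PHDR variant (DLT 256) assumes the 10-byte radio pseudo-header documented for that type and a CRC present at the end of each record.

```python
"""Write and parse a pcap of BLE link-layer packets (DLT 251 / 256).
Added example with constructed frames; not code from the thread or from any sniffer project."""
import struct

LINKTYPE_BLUETOOTH_LE_LL = 251
LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR = 256   # same record, preceded by a 10-byte radio header (assumed layout)
ADV_ACCESS_ADDRESS = 0x8E89BED6             # fixed access address of the advertising channels
ADV_PDU_TYPES = {0: "ADV_IND", 1: "ADV_DIRECT_IND", 2: "ADV_NONCONN_IND", 3: "SCAN_REQ",
                 4: "SCAN_RSP", 5: "CONNECT_IND", 6: "ADV_SCAN_IND"}


def ble_crc24(pdu, init=0x555555):
    """Link-layer CRC LFSR: feedback from position 23, taps at 0,1,3,4,6,9,10 (0x065B),
    PDU bytes fed least significant bit first. Returns the final 24-bit register."""
    state = init
    for byte in pdu:
        for i in range(8):
            feedback = ((state >> 23) & 1) ^ ((byte >> i) & 1)
            state = (state << 1) & 0xFFFFFF
            if feedback:
                state ^= 0x00065B
    return state


def crc_on_air(state):
    """Position 23 leaves the register first and the air interface is LSB-first,
    so a sniffer records the bit-reversed register, least significant byte first."""
    reflected = int(f"{state:024b}"[::-1], 2)
    return reflected.to_bytes(3, "little")


def build_adv_ind(adv_addr, adv_data, random_addr=True, corrupt=False):
    """Access address + ADV_IND PDU + CRC, as stored in a DLT 251 record."""
    addr_le = bytes.fromhex(adv_addr.replace(":", ""))[::-1]
    payload = addr_le + adv_data
    pdu = bytes([0x40 if random_addr else 0x00, len(payload)]) + payload   # type 0, TxAdd = bit 6
    crc = crc_on_air(ble_crc24(pdu))
    if corrupt:                                  # flip one payload bit after the CRC was computed
        pdu = pdu[:-1] + bytes([pdu[-1] ^ 0x01])
    return ADV_ACCESS_ADDRESS.to_bytes(4, "little") + pdu + crc


def write_pcap(packets, linktype=LINKTYPE_BLUETOOTH_LE_LL):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def parse_ad_structures(data):
    """Advertising data is a sequence of [length][AD type][payload] structures."""
    ads, off = {}, 0
    while off < len(data):
        length = data[off]
        if length == 0 or off + 1 + length > len(data):
            break                                # malformed or padding: stop rather than over-read
        ads[data[off + 1]] = data[off + 2:off + 1 + length]
        off += 1 + length
    return ads


def parse_ble_ll(raw, with_phdr=False):
    if with_phdr:
        raw = raw[10:]                           # rf channel, signal, noise, AA offenses, ref AA, flags
    aa = int.from_bytes(raw[0:4], "little")
    pdu, wire_crc = raw[4:-3], raw[-3:]
    info = {"access_address": f"0x{aa:08x}", "crc_ok": crc_on_air(ble_crc24(pdu)) == wire_crc}
    if aa != ADV_ACCESS_ADDRESS:
        info["pdu_type"] = "data"                # data-channel PDUs need the connection's CRC init
        return info
    pdu_type = pdu[0] & 0x0F
    info["pdu_type"] = ADV_PDU_TYPES.get(pdu_type, f"type {pdu_type}")
    if pdu_type in (0, 2, 4, 6):                 # PDUs whose payload starts with AdvA
        info["addr_type"] = "random" if pdu[0] & 0x40 else "public"
        info["adv_addr"] = ":".join(f"{b:02x}" for b in reversed(pdu[2:8]))
        info["ad"] = parse_ad_structures(pdu[8:2 + pdu[1]])
    return info


def parse_pcap(data):
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype not in (LINKTYPE_BLUETOOTH_LE_LL, LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR):
        raise ValueError("not a little-endian pcap of BLE link-layer packets")
    off, packets = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        rec = parse_ble_ll(data[off:off + incl], linktype == LINKTYPE_BLUETOOTH_LE_LL_WITH_PHDR)
        rec["time"] = ts_sec + ts_usec / 1e6
        packets.append(rec)
        off += incl
    return packets


def sample_pcap():
    """Two constructed ADV_IND frames (Flags + Complete Local Name "Test"); the second is corrupted."""
    adv_data = bytes.fromhex("02 01 06") + bytes([5, 0x09]) + b"Test"
    return write_pcap([build_adv_ind("c0:11:22:33:44:55", adv_data),
                       build_adv_ind("c0:11:22:33:44:55", adv_data, corrupt=True)])


if __name__ == "__main__":
    with open("ble_sample.pcap", "wb") as f:      # open this file in Wireshark to see the btle dissector
        f.write(sample_pcap())
    for p in parse_pcap(sample_pcap()):
        print(p)
```

The CRC check matters when reading real sniffer output: a single-antenna receiver on a busy channel will record frames with bit errors, and a report built on CRC-failed advertisements will contain addresses and names that were never sent. Data-channel PDUs are left undecoded here because their CRC preset comes from the CONNECT_IND that set up the connection, which a passive sniffer only has if it was listening when the connection was made.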
You do indeed need a BLE capable device in order to analyze BLE signals, so if your device isn't BLE capable, you can't analyze it.