hcidump
Display Host Controller Interface (i.e. Bluetooth) data
hcidump [option [option… ]] [filter ]
Reads raw HCI data coming from and going to a Bluetooth device until it receives SIGTERM or SIGQUIT.
Output appears only while something like sudo hcitool lescan is running!
Default is the first available HCI device
Outputs commands, events and data.
The dump can be written to a file to be parsed at a subsequent time.
-t --timestamp | Prepend a time stamp
>hcidump -t|grep $b -B3 -A3
2018-05-20 16:48:47.852536 > HCI Event: LE Meta Event (0x3e) plen 30
LE Advertising Report
ADV_IND - Connectable undirected advertising (0)
bdaddr C4:C1:A5:FB:6D:46 (Random)
Flags: 0x06
Shortened service classes: 0xfe59
Complete local name: 'RuuviBoot'
-i hciX read from hciX. Default: first available.
| -l len --snap-len=len max length of processed packets
| -p psm --psm=psm default Protocol Service Multiplexer
| -m compid --manufacturer=compid default company id for manufacturer
| -w file --save-dump=file
Binary data in BTSnoop version 1, HCI UART (H4) format is saved in file; it can subsequently be parsed with -r.
The file can be opened in Wireshark for full decoding
hexdump -C hcidump.out
00000000 62 74 73 6e 6f 6f 70 00 00 00 00 01 00 00 03 ea |btsnoop.........|
00000010 00 00 00 1d 00 00 00 1d 00 00 00 03 00 00 00 00 |................|
00000020 00 e2 7d c4 c0 1a 07 3e 04 3e 1a 02 01 00 00 ae |..}....>.>......|
00000030 3b 97 75 32 4c 0e 02 01 06 0a ff 4c 00 10 05 4b |;.u2L......L...K|
00000040 1c c0 ea 49 bc 00 00 00 21 00 00 00 21 00 00 00 |...I....!...!...|
00000050 03 00 00 00 00 00 e2 7d c4 c0 1a 88 9e 04 3e 1e |.......}......>.|
00000060 02 01 00 01 74 85 0b 43 be 60 12 02 01 1a 02 0a |....t..C.`......|
00000070 0c 0b ff 4c 00 10 06 13 1e 18 73 40 1f c2 00 00 |...L......s@....|
00000080 00 24 00 00 00 24 00 00 00 03 00 00 00 00 00 e2 |.$...$..........|
00000090 7d c4 c0 1a c7 bd 04 3e 21 02 01 03 01 c2 24 68 |}......>!.....$h|
000000a0 3c 10 c7 15 02 01 06 11 ff 99 04 03 15 24 11 c1 |<............$..|
000000b0 9f 00 40 ff c4 03 fe 0b 65 b0 00 00 00 26 00 00 |..@.....e....&..|
000000c0 00 26 00 00 00 03 00 00 00 00 00 e2 7d c4 c0 1c |.&..........}...|
000000d0 fe 71 04 3e 23 02 01 00 01 2c 43 1e 0f 41 4b 17 |.q.>#....,C..AK.|
000000e0 02 01 06 13 ff 4c 00 0c 0e 00 e4 8f 60 bc 1c 81 |.....L......`...|
| -r file --read-dump=file Data from file created with -w
| -a --ascii
hcidump -a |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
> HCI Event: LE Meta Event (0x3e) plen 23
LE Advertising Report
ADV_IND - Connectable undirected advertising (0)
bdaddr 4C:32:75:97:3B:AE (Public)
Flags: 0x06
Unknown type 0xff with 6 bytes data
RSSI: -53
> HCI Event: LE Meta Event (0x3e) plen 35
LE Advertising Report
ADV_IND - Connectable undirected advertising (0)
bdaddr 71:87:54:AC:73:2A (Random)
Flags: 0x06
Unknown type 0xff with 18 bytes data
RSSI: -68
> HCI Event: LE Meta Event (0x3e) plen 23
LE Advertising Report
ADV_IND - Connectable undirected advertising (0)
bdaddr 4C:32:75:97:3B:AE (Public)
Flags: 0x06
Unknown type 0xff with 6 bytes data
RSSI: -65
| -x --hex
| -X --ext displacement (offset), hex and ASCII (with --raw).
hcidump --raw -X |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
> 0000: 04 3e 2b 02 01 03 01 1a 1e 4a 74 fa f7 1f 02 01 .>+......Jt.....
0010: 06 1b ff 99 04 05 0f c8 43 27 c1 6e 03 64 02 1c ........C'.n.d..
0020: ff ec a1 b6 12 66 ca f7 fa 74 4a 1e 1a bc .....f...tJ...
> 0000: 04 3e 1a 02 01 00 01 e4 63 cc 82 fb 6e 0e 02 01 .>......c...n...
0010: 1a 0a ff 4c 00 10 05 11 18 28 9a a0 b7 ...L.....(...
> 0000: 04 3e 1a 02 01 00 00 ae 3b 97 75 32 4c 0e 02 01 .>......;.u2L...
0010: 06 0a ff 4c 00 10 05 4b 1c 6d a4 a4 b3 ...L...K.m...
> 0000: 04 3e 2b 02 01 00 01 dc 06 65 6d fd d0 1f 02 01 .>+......em.....
0010: 04 1b ff 99 04 05 11 7c 2d 9e c1 81 00 1c 00 00 .......|-.......
0020: 03 eb a6 f6 4a c2 a2 d0 fd 6d 65 06 dc b2 ....J....me...
| -R --raw only the raw data is displayed.
hcidump --raw |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
> 04 3E 2B 02 01 03 01 0F EC 72 78 51 D3 1F 02 01 06 03 03 AA
FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 4A 41 4B
41 4C 78 49 72 B6
> 04 3E 17 02 01 00 00 AE 3B 97 75 32 4C 0B 02 01 06 07 FF 4C
00 10 02 0B 00 B1
> 04 3E 23 02 01 00 01 2A 73 AC 54 87 71 17 02 01 06 13 FF 4C
00 0C 0E 00 CB 3A F4 C4 21 9E B6 5D C4 9C D3 3E 26 B3
> 04 3E 2B 02 01 03 01 03 AD 43 C6 C0 F2 1F 02 01 06 03 03 AA
FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 46 67 56
41 4C 78 49 4E C3
hcidump -t --raw |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
2018-04-16 19:36:46.080953 > 04 3E 17 02 01 00 00 AE 3B 97 75 32 4C 0B 02 01 06 07 FF 4C
00 10 02 0B 00 B7
2018-04-16 19:36:46.098825 > 04 3E 2B 02 01 03 01 03 AD 43 C6 C0 F2 1F 02 01 06 03 03 AA
FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 46 67 56
41 4C 78 49 4E B1
2018-04-16 19:36:46.108579 > 04 3E 23 02 01 00 01 2A 73 AC 54 87 71 17 02 01 06 13 FF 4C
00 0C 0E 00 CB 3A F4 C4 21 9E B6 5D C4 9C D3 3E 26 B6
2018-04-16 19:36:46.262135 > 04 3E 17 02 01 00 00 AE 3B 97 75 32 4C 0B 02 01 06 07 FF 4C
00 10 02 0B 00 C5
| -C --cmtp=psm for the CAPI Message Transport Protocol.
| -H --hcrp=psm for the Hardcopy Control Channel.
| -O --obex=channel Sets RFCOMM channel value for the Object Exchange Protocol.
| -P --ppp=channel Sets RFCOMM channel value for the Point-to-Point Protocol.
| -D --pppdump= Extract PPP traffic with pppdump format.
| -A --audio=file Extract SCO audio data.
| -Y --novendor Don't display any vendor commands or events, nor any pin code or link key in plain text.
hcidump -t -Y |more
HCI sniffer - Bluetooth packet analyzer ver 5.43
device: hci0 snap_len: 1500 filter: 0xffffffff
2018-04-16 19:40:44.038443 > HCI Event: LE Meta Event (0x3e) plen 35
LE Advertising Report
ADV_IND - Connectable undirected advertising (0)
bdaddr 71:87:54:*:*:* (Random)
Flags: 0x06
Unknown type 0xff with 18 bytes data
RSSI: -74
| -h
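The file layout written by -w, as an added example (not part of the original page or of BlueZ): a minimal reader for the BTSnoop header and record framing, run on the header and first record of the hexdump shown under -w. The names `parse_btsnoop` and `SAMPLE` are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: file header plus first record, copied from the hexdump above.
SAMPLE = bytes.fromhex(
    "6274736e6f6f7000" "00000001" "000003ea"      # magic, version 1, datalink 1002 (H4)
    "0000001d" "0000001d" "00000003" "00000000"  # orig len, incl len, flags, drops
    "00e27dc4c01a073e"                            # timestamp, microseconds since year 0
    "043e1a02010000ae3b9775324c0e0201060aff4c0010054b1cc0ea49bc"  # H4 packet
)
EPOCH_DELTA_US = 0x00DCDDB30F2F8000  # microseconds from year 0 to 1970-01-01
H4_TYPES = {1: "command", 2: "acl", 3: "sco", 4: "event"}


def parse_btsnoop(buf):
    """Return (version, datalink, records) for a btsnoop capture held in memory."""
    if len(buf) < 16 or buf[:8] != b"btsnoop\x00":
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack_from(">II", buf, 8)
    records, off = [], 16
    while off + 24 <= len(buf):
        orig_len, incl_len, flags, drops, ts = struct.unpack_from(">IIIIq", buf, off)
        data = buf[off + 24: off + 24 + incl_len]
        if len(data) < incl_len:      # capture cut off mid-record: stop cleanly
            break
        records.append({
            "time": datetime(1970, 1, 1, tzinfo=timezone.utc)
                    + timedelta(microseconds=ts - EPOCH_DELTA_US),
            "received": bool(flags & 1),          # bit 0: controller -> host
            "truncated": incl_len < orig_len,     # e.g. shortened by --snap-len
            "h4_type": H4_TYPES.get(data[0], "unknown") if data else None,
            "data": data,
        })
        off += 24 + incl_len
    return version, datalink, records


if __name__ == "__main__":
    version, datalink, recs = parse_btsnoop(SAMPLE)
    print("version", version, "datalink", datalink)
    for r in recs:
        print(r["time"].isoformat(), r["h4_type"], r["data"].hex(" "))
```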
FILTERS
filter is a space-separated list of packet categories:
lmp hci sco l2cap rfcomm sdp bnep cmtp hidp hcrp avdtp avctp obex capi ppp
Each category has a hex bit value in the filter mask:
lmp(01), hci(02), sco(04), l2cap(08), rfcomm(10), sdp(20), bnep(40), cmtp(80),
hidp(100), hcrp(200), avdtp(400), avctp(800), obex(1000), capi(2000) and ppp(4000)
Examples:
(buffers, just be patient)
hcidump -t --raw | # format 4
grep --after-context=2 "1A 1E 4A 74 FA F7" | # get the lines with the MAC of interest and the next two lines
grep --invert-match '\-\-' | # get rid of the -- grep inserts
sed "N ;s/\n//; N; s/\n//" | # join 2nd and 3rd line
sed "s/04 3E //; s/02 01 03 01//" | # remove bluetooth header information
sed "s/ 19 02 01 04 15 FF 99//" |
sed "s/201.-..-..//; s/[[:digit:]]\{3,3\} //; s/1A 1E 4A 74 FA F7//" # pretty it up
18:01:50.997 > 1F 02 01 06 03 03 AA FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 47 51 59 41 4D 4F 30 47 AF
18:01:51.497 > 1F 02 01 06 03 03 AA FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 47 51 59 41 4D 4F 30 47 B3
FT TX htt r u u . v i / # B Q A M O 3 G
hcidump -t --raw | # format 5
grep --after-context=1 "1A 1E 4A 74 FA F7" | # get the lines with the MAC of interest and the next line
grep --invert-match '\-\-' | # remove the -- separators grep inserts
sed "N ;s/\n//; " | # join 2nd line
sed "s/04 3E //; s/02 01 03 01//" | # remove bluetooth header information
sed "s/ 19 02 01 04 15 FF 99//" |
sed "s/201.-..-..//; s/[[:digit:]]\{3,3\} //; s/1A 1E 4A 74 FA F7//" # pretty it up
18:32:31.833> 19 02 01 04 15 FF 99 04 03 66 18 59 C4 0E 00 1B FF DD 03 DC 0A B7 00 00 00 00 B3
18:32:32.332> 19 02 01 04 15 FF 99 04 03 66 18 59 C4 0E 00 1B FF DD 03 DC 0A B7 00 00 00 00 B5
18:32:32.837> 19 02 01 04 15 FF 99 04 03 66 18 59 C4 0E 00 1B FF DD 03 DC 0A B7 00 00 00 00 B5
CIC ) fmt hh temp press xxxx yyyyy zzzzz battery RSSI
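What the grep/sed pipelines above pick apart by hand, as an added example (not from the original page): a decoder for one `hcidump --raw` LE Advertising Report that recovers the bdaddr (sent least-significant byte first, which is why the grep pattern is the address reversed), the AD structures, the RSSI and an Eddystone-URL payload. The function names are assumptions; Eddystone URL expansion codes are not handled.

```python
# Constructed input: one packet copied from the `hcidump --raw` output above.
RAW = """04 3E 2B 02 01 03 01 0F EC 72 78 51 D3 1F 02 01 06 03 03 AA
FE 17 16 AA FE 10 F9 03 72 75 75 2E 76 69 2F 23 42 4A 41 4B
41 4C 78 49 72 B6"""
ADDR_TYPES = {0: "Public", 1: "Random"}
URL_SCHEMES = {0: "http://www.", 1: "https://www.", 2: "http://", 3: "https://"}


def parse_adv_report(pkt):
    """Decode a single-report LE Advertising Report from H4 bytes."""
    # H4 type 0x04 = event, event 0x3E = LE Meta, subevent 0x02 = advertising report
    if len(pkt) < 15 or pkt[0] != 0x04 or pkt[1] != 0x3E or pkt[3] != 0x02:
        raise ValueError("not an LE Advertising Report")
    if pkt[2] != len(pkt) - 3 or pkt[4] != 1:
        raise ValueError("bad plen or multi-report event")
    data_len = pkt[13]
    if 14 + data_len + 1 != len(pkt):
        raise ValueError("advertising data length mismatch")
    ad, i, body = [], 0, pkt[14:14 + data_len]
    while i < len(body) and body[i]:          # AD structure: length, type, payload
        n = body[i]
        if i + 1 + n > len(body):
            raise ValueError("AD structure overruns the report")
        ad.append((body[i + 1], body[i + 2:i + 1 + n]))
        i += 1 + n
    return {
        "event_type": pkt[5],
        "addr_type": ADDR_TYPES.get(pkt[6], "Other"),
        "bdaddr": ":".join(f"{b:02X}" for b in reversed(pkt[7:13])),
        "ad": ad,
        "rssi": pkt[-1] - 256 if pkt[-1] > 127 else pkt[-1],  # signed byte, dBm
    }


def eddystone_url(ad):
    """Return the URL from an Eddystone-URL frame (service data, UUID 0xFEAA)."""
    for ad_type, val in ad:
        if ad_type == 0x16 and val[:3] == b"\xaa\xfe\x10" and len(val) > 5:
            return URL_SCHEMES.get(val[4], "") + val[5:].decode("ascii", "replace")
    return None


if __name__ == "__main__":
    report = parse_adv_report(bytes.fromhex(RAW))
    print(report["bdaddr"], report["addr_type"], report["rssi"], eddystone_url(report["ad"]))
```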
Protocol and Service Multiplexer
| Protocol PSM | Description
| SDP 01 | Service Discovery Protocol (SDP)
| RFCOMM 03 | RFCOMM with TS 07.10
| TCS-BIN 05 | Telephony Control Specification / TCS Binary
| TCS-BIN-CORDLESS 07 | Telephony Control Specification / TCS Binary
| BNEP 0F | Bluetooth Network Encapsulation Protocol
| HID_Control 11 | Human Interface Device
| HID_Interrupt 13 | Human Interface Device
| UPnP 15 | [ESDP]
| AVCTP 17 | Audio/Video Control Transport Protocol
| AVDTP 19 | Audio/Video Distribution Transport Protocol
| AVCTP_Browsing 1B | Audio/Video Remote Control Profile
| UDI_C-Plane 1D | Unrestricted Digital Information Profile [UDI]
| ATT 1F | Bluetooth Core Specification
| 3DSP 21 | 3D Synchronization Profile.
| LE_PSM_IPSP 23 | Internet Protocol Support Profile
| OTS 25 | Object Transfer Service
Errors
Can't attach to device hci0. No such device(19)
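hcidump is deprecated due to lack of support.
In order to run without root, i.e. without sudo, grant the binaries the needed capabilities (any local user who can execute them can then open raw HCI sockets):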
sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcitool`
sudo setcap 'cap_net_raw,cap_net_admin+eip' `which hcidump`
btmon - Bluetooth monitor
btmon [options]
-r --read file Read traces in btsnoop format
| -w --write file Save traces in btsnoop format (also for Wireshark)
| -a --analyze file Analyze traces in btsnoop format
| -s --server socket Start monitor server socket
| -p --priority level Show only priority or lower
| -i --index num Show only specified controller
| -d --tty tty Read data from TTY
| -B --tty-speed rate Set TTY speed (default 115200)
| -t --time Show time instead of time offset
| -T --date Show time and date information
| -S --sco Dump SCO traffic
| -A --a2dp Dump A2DP (Advanced Audio Distribution Profile, i.e. stereo) stream traffic
| -E --ellisys [ip] Send Ellisys HCI Injection
| -h --help Show help options
sudo btmon -S |more
Bluetooth monitor ver 5.48
= Note: Linux version 4.19.66+ (armv6l) 0.621011
= Note: Bluetooth subsystem version 2.22 0.621025
= New Index: B8:27:EB:E3:A4:6C (Primary,UART,hci0) [hci0] 0.621029
= Open Index: B8:27:EB:E3:A4:6C [hci0] 0.621031
= Index Info: B8:27:EB:E3:A4:6C (Broadcom Corporation) [hci0] 0.621035
@ RAW Open: hcidump (privileged) version 2.22 {0x0002} [hci0] 0.621039
@ MGMT Open: bluetoothd (privileged) version 1.14 {0x0001} 0.621043
@ MGMT Open: btmon (privileged) version 1.14 {0x0003} 0.621174
> HCI Event: LE Meta Event (0x3e) plen 43 #1 [hci0] 0.648046
LE Advertising Report (0x02)
Num reports: 1
Event type: Non connectable undirected - ADV_NONCONN_IND (0x03)
Address type: Random (0x01)
Address: C4:D8:A4:A9:09:81 (Static)
Data length: 31
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Company: not assigned (1177)
Data: 050e9a74bdbf83fca0fe180024a37633e82cc4d8a4a90981
RSSI: -70 dBm (0xba)
> HCI Event: LE Meta Event (0x3e) plen 43 #2 [hci0] 0.696244
LE Advertising Report (0x02)
Num reports: 1
Event type: Connectable undirected - ADV_IND (0x00)
Address type: Random (0x01)
Address: EE:93:49:ED:9F:E9 (Static)
Data length: 31
Flags: 0x06
LE General Discoverable Mode
BR/EDR Not Supported
Company: not assigned (1177)
Data: 050fb74d98fffffc28feb4006cb036232e7dee9349ed9fe9
RSSI: -99 dBm (0x9d)
To enable verbose logging for Bluetooth, add -d to the bluetooth.service config file:
sudo sed --in-place 's/bluetoothd/bluetoothd \-d/g' /lib/systemd/system/bluetooth.service
See
hcitool